11-Security Command Reference

12-ARP Attack Protection Commands

ARP defense against IP packet attacks configuration commands

arp resolving-route enable

Syntax

arp resolving-route enable

undo arp resolving-route enable

View

System view

Default level

2: System level

Parameters

None

Description

Use arp resolving-route enable to enable ARP blackhole routing.

Use undo arp resolving-route enable to disable the function.

By default, ARP blackhole routing is enabled.

Examples

# Enable ARP blackhole routing.

<Sysname> system-view

[Sysname] arp resolving-route enable

arp source-suppression enable

Syntax

arp source-suppression enable

undo arp source-suppression enable

View

System view

Default level

2: System level

Parameters

None

Description

Use arp source-suppression enable to enable the ARP source suppression function.

Use undo arp source-suppression enable to disable the function.

By default, the ARP source suppression function is disabled.

Related commands: display arp source-suppression.

Examples

# Enable the ARP source suppression function.

<Sysname> system-view

[Sysname] arp source-suppression enable

arp source-suppression limit

Syntax

arp source-suppression limit limit-value

undo arp source-suppression limit

View

System view

Default level

2: System level

Parameters

limit-value: Specifies the maximum number of packets with the same source IP address and unresolvable destination IP addresses that the switch can receive in 5 seconds. The value is in the range of 2 to 1024.

Description

Use arp source-suppression limit to set the maximum number of packets with the same source IP address and unresolvable destination IP addresses that the switch can receive in 5 seconds.

Use undo arp source-suppression limit to restore the default value, which is 10.

With this feature configured, if the number of packets with unresolvable destination IP addresses sent from a host within 5 seconds exceeds the specified threshold, the switch stops the sending host from triggering any ARP requests within the following 5 seconds.

Related commands: display arp source-suppression.

Examples

# Set the maximum number of packets with the same source address and unresolvable destination IP addresses that the switch can receive in 5 seconds to 100.

<Sysname> system-view

[Sysname] arp source-suppression limit 100

display arp source-suppression

Syntax

display arp source-suppression [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display arp source-suppression to display information about the current ARP source suppression configuration.

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression
 ARP source suppression is enabled
 Current suppression limit: 100
 Current cache length: 16

Table 1 Command output

Field                       Description
Current suppression limit   Maximum number of packets with the same source IP address but unresolvable destination IP addresses that the switch can receive in 5 seconds.
Current cache length        Size of the cache used to record source suppression information.

ARP packet rate limit configuration commands

arp rate-limit

Syntax

arp rate-limit { disable | rate pps drop }

undo arp rate-limit

View

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Default level

2: System level

Parameters

disable: Disables ARP packet rate limit.

rate pps: ARP packet rate in the range of 10 to 5000 pps.

drop: Discards packets that exceed the rate limit.

Description

Use arp rate-limit to configure or disable ARP packet rate limit on an interface.

Use undo arp rate-limit to restore the default.

By default, ARP packet rate limit is disabled.

Examples

# Set the ARP packet rate limit on GigabitEthernet 3/0/1 to 30 pps and discard packets that exceed the limit.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] arp rate-limit rate 30 drop

Source MAC-based ARP attack detection configuration commands

arp anti-attack source-mac

Syntax

arp anti-attack source-mac { filter | monitor }

undo arp anti-attack source-mac [ filter | monitor ]

View

System view

Default level

2: System level

Parameters

filter: Generates log messages and discards subsequent ARP packets from the MAC address.

monitor: Only generates log messages.

Description

Use arp anti-attack source-mac to enable the source MAC-based ARP attack detection and specify a handling method.

Use undo arp anti-attack source-mac to restore the default.

By default, source MAC-based ARP attack detection is disabled.

This function enables the switch to check the number of ARP packets received from the same MAC address within 5 seconds against a specific threshold. If the threshold is exceeded, the switch takes the preconfigured method to handle the attack.

If neither the filter nor the monitor keyword is specified in the undo arp anti-attack source-mac command, both handling methods are disabled.

Examples

# Enable the source MAC-based ARP attack detection and specify the filter handling method.

<Sysname> system-view

[Sysname] arp anti-attack source-mac filter

arp anti-attack source-mac aging-time

Syntax

arp anti-attack source-mac aging-time time

undo arp anti-attack source-mac aging-time

View

System view

Default level

2: System level

Parameters

time: Age time for ARP attack entries, in the range of 60 to 6000 seconds.

Description

Use arp anti-attack source-mac aging-time to configure the age time for source MAC-based ARP attack detection entries.

Use undo arp anti-attack source-mac aging-time to restore the default.

By default, the age time for ARP attack entries is 300 seconds (5 minutes).

Examples

# Set the age time for ARP attack entries as 60 seconds.

<Sysname> system-view

[Sysname] arp anti-attack source-mac aging-time 60

arp anti-attack source-mac exclude-mac

Syntax

arp anti-attack source-mac exclude-mac mac-address&<1-n>

undo arp anti-attack source-mac exclude-mac [ mac-address&<1-n> ]

View

System view

Default level

2: System level

Parameters

mac-address&<1-n>: MAC address list. The mac-address argument indicates an excluded MAC address in the format H-H-H. The maximum value for the n argument is 64. &<1-64> indicates that you can exclude up to 64 MAC addresses at a time.

Description

Use arp anti-attack source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection.

Use undo arp anti-attack source-mac exclude-mac to remove the specified MAC addresses.

By default, no MAC address is excluded from source MAC-based ARP attack detection.

If you do not specify any MAC address in the undo arp anti-attack source-mac exclude-mac command, this command removes all excluded MAC addresses.

Examples

# Exclude a MAC address from source MAC-based ARP attack detection.

<Sysname> system-view

[Sysname] arp anti-attack source-mac exclude-mac 2-2-2

arp anti-attack source-mac threshold

Syntax

arp anti-attack source-mac threshold threshold-value

undo arp anti-attack source-mac threshold

View

System view

Default level

2: System level

Parameters

threshold-value: Specifies the threshold for source MAC-based ARP attack detection, in the range of 25 to 1500. The default value is 150.

Description

Use arp anti-attack source-mac threshold to configure the threshold for source MAC-based ARP attack detection. If the number of ARP packets from a MAC address within 5 seconds exceeds this threshold, the switch recognizes this as an attack.

Use undo arp anti-attack source-mac threshold to restore the default.

Examples

# Configure the threshold for source MAC-based ARP attack detection as 30.

<Sysname> system-view

[Sysname] arp anti-attack source-mac threshold 30
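The two 5-second counters this reference describes, the per-source-IP limit of arp source-suppression limit and the per-source-MAC threshold of arp anti-attack source-mac (with its filter/monitor handling, aging-time and exclude-mac list), modelled as an added example written for this page, not H3C code. The sliding window, the simulated clock passed as `now`, and the one-shot expiry of attack entries are assumptions of the model, not documented switch behaviour.

```python
"""Model of the two 5-second ARP thresholds in this reference (added example,
not H3C code): ARP source suppression (per source IP, packets with
unresolvable destinations; a host over the limit cannot trigger ARP
requests for the next 5 seconds) and source MAC-based ARP attack detection
(per source MAC; filter drops and logs, monitor only logs; entries age out;
excluded MACs are skipped). Sliding window, simulated clock and one-shot
entry expiry are modelling assumptions, not documented switch behaviour."""
from collections import defaultdict, deque

WINDOW = 5.0  # both features count packets over 5 seconds


class WindowCounter:
    """Number of events per key seen within the last WINDOW seconds."""

    def __init__(self):
        self.events = defaultdict(deque)

    def hit(self, key, now):
        q = self.events[key]
        q.append(now)
        while now - q[0] > WINDOW:  # forget events older than the window
            q.popleft()
        return len(q)


class SourceSuppression:
    """arp source-suppression limit <limit-value> (default 10)."""

    def __init__(self, limit=10):
        self.limit = limit
        self.counter = WindowCounter()
        self.blocked_until = {}  # source IP -> end of its 5-second penalty

    def unresolvable_packet(self, src_ip, now):
        """True if this packet may still trigger an ARP request."""
        if now < self.blocked_until.get(src_ip, -1.0):
            return False
        if self.counter.hit(src_ip, now) > self.limit:
            self.blocked_until[src_ip] = now + WINDOW
            return False
        return True


class SourceMacDetection:
    """arp anti-attack source-mac { filter | monitor } with threshold
    (default 150), aging-time (default 300 s) and exclude-mac list."""

    def __init__(self, mode="filter", threshold=150, aging_time=300, exclude=()):
        self.mode, self.threshold, self.aging_time = mode, threshold, aging_time
        self.exclude = set(exclude)
        self.counter = WindowCounter()
        self.entries = {}  # attacker MAC -> time its attack entry ages out
        self.logs = []

    def arp_packet(self, src_mac, now):
        """True if the ARP packet is forwarded, False if discarded."""
        if src_mac in self.exclude:
            return True
        self.entries = {m: t for m, t in self.entries.items() if t > now}
        if (self.counter.hit(src_mac, now) > self.threshold
                and src_mac not in self.entries):
            self.entries[src_mac] = now + self.aging_time
            self.logs.append(f"{now:.1f}s: ARP attack from {src_mac}")
        return not (self.mode == "filter" and src_mac in self.entries)
```

Thresholds and aging times below the device's documented ranges are fine for the model; on the switch, limit-value is 2 to 1024, threshold-value 25 to 1500, and aging-time 60 to 6000 seconds.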

display arp anti-attack source-mac

Syntax

In standalone mode:

display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

In IRF mode:

display arp anti-attack source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

interface interface-type interface-number: Displays ARP attack entries detected on the interface.

slot slot-number: Displays ARP attack entries detected on the interface card specified by the slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Displays ARP attack entries detected on a card of an IRF member switch. The chassis-number argument refers to the ID of the IRF member switch. The slot-number argument refers to the number of the slot where the card resides. You can display the member ID and slot number with the display device command. (In IRF mode.)

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display arp anti-attack source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.

Examples

# Display the ARP attack entries detected by source MAC-based ARP attack detection. (In standalone mode.)

<Sysname> display arp anti-attack source-mac slot 3
Source-MAC          VLAN-ID           Interface             Aging-time
23f3-1122-3344      4094              GE3/0/2                 10
23f3-1122-3355      4094              GE3/0/3                 30
23f3-1122-33ff      4094              GE3/0/4                 25
23f3-1122-33ad      4094              GE3/0/5                 30
23f3-1122-33ce      4094              GE3/0/6                 2

# Display the ARP attack entries detected by source MAC-based ARP attack detection. (In IRF mode.)

<Sysname> display arp anti-attack source-mac chassis 1 slot 3
Source-MAC          VLAN ID           Interface             Aging-time
23f3-1122-3344      4094              GE1/3/0/2                 10
23f3-1122-3355      4094              GE1/3/0/3                 30
23f3-1122-33ff      4094              GE1/3/0/4                 25
23f3-1122-33ad      4094              GE1/3/0/5                 30
23f3-1122-33ce      4094              GE1/3/0/6                 2

ARP packet source MAC address consistency check configuration commands

arp anti-attack valid-check enable

Syntax

arp anti-attack valid-check enable

undo arp anti-attack valid-check enable

View

System view

Default level

2: System level

Parameters

None

Description

Use arp anti-attack valid-check enable to enable ARP packet source MAC address consistency check on the gateway. After you execute this command, the gateway device can filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message.

Use undo arp anti-attack valid-check enable to restore the default.

By default, ARP packet source MAC address consistency check is disabled.

Examples

# Enable ARP packet source MAC address consistency check.

<Sysname> system-view

[Sysname] arp anti-attack valid-check enable

ARP active acknowledgement configuration commands

arp anti-attack active-ack enable

Syntax

arp anti-attack active-ack enable

undo arp anti-attack active-ack enable

View

System view

Default level

2: System level

Parameters

None

Description

Use arp anti-attack active-ack enable to enable the ARP active acknowledgement function.

Use undo arp anti-attack active-ack enable to restore the default.

By default, the ARP active acknowledgement function is disabled.

This feature is configured on gateway devices to identify invalid ARP packets.

Examples

# Enable the ARP active acknowledgement function.

<Sysname> system-view

[Sysname] arp anti-attack active-ack enable

Authorized ARP configuration commands

This feature is supported only on Layer 3 Ethernet interfaces. For more information about the operating modes of Ethernet interfaces, see Interface Configuration Guide.

arp authorized enable

Syntax

arp authorized enable

undo arp authorized enable

View

Layer 3 Ethernet interface view

Default level

2: System level

Parameters

None

Description

Use arp authorized enable to enable authorized ARP on an interface.

Use undo arp authorized enable to restore the default.

By default, authorized ARP is not enabled on the interface.

Examples

# Enable authorized ARP on GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] port link-mode route

[Sysname-GigabitEthernet3/0/1] arp authorized enable

ARP detection configuration commands

arp detection enable

Syntax

arp detection enable

undo arp detection enable

View

VLAN view

Default level

2: System level

Parameters

None

Description

Use arp detection enable to enable ARP detection for the VLAN.

Use undo arp detection enable to restore the default.

By default, ARP detection is disabled for a VLAN.

Examples

# Enable ARP detection for VLAN 1.

<Sysname> system-view

[Sysname] vlan 1

[Sysname-Vlan1] arp detection enable

arp detection trust

Syntax

arp detection trust

undo arp detection trust

View

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Default level

2: System level

Parameters

None

Description

Use arp detection trust to configure the port as an ARP trusted port.

Use undo arp detection trust to restore the default.

By default, the port is an ARP untrusted port.

Examples

# Configure GigabitEthernet 3/0/1 as an ARP trusted port.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] arp detection trust

arp detection validate

Syntax

arp detection validate { dst-mac | ip | src-mac } *

undo arp detection validate [ dst-mac | ip | src-mac ] *

View

System view

Default level

2: System level

Parameters

dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests will be checked.

src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is considered valid. Otherwise, the packet is discarded.

Description

Use arp detection validate to configure ARP detection based on specified objects. You can specify one or more objects in one command line.

Use undo arp detection validate to remove detected objects. If you do not specify any keyword, this command removes all detected objects.

Examples

# Enable the checking of the MAC addresses and IP addresses of ARP packets.

<Sysname> system-view

[Sysname] arp detection validate dst-mac src-mac ip
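The three checks of arp detection validate (dst-mac, ip, src-mac) and the source MAC consistency check that arp anti-attack valid-check enable performs on a gateway, applied to raw Ethernet/ARP frames as an added example written for this page, not H3C code. It assumes untagged Ethernet II frames carrying IPv4-over-Ethernet ARP; `build_arp` and the frames built with it are constructed samples.

```python
"""Added example (not H3C code): the checks of 'arp detection validate'
(dst-mac, ip, src-mac) and the source MAC consistency check of
'arp anti-attack valid-check enable' applied to raw Ethernet/ARP frames.
Frames used below are constructed samples; untagged Ethernet II only."""
import struct
from ipaddress import IPv4Address

ETH_LEN, ARP_LEN = 14, 28
OP_REQUEST, OP_REPLY = 1, 2


def parse_arp_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_LEN + ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    if etype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[ETH_LEN:ETH_LEN + ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def bad_mac(mac: bytes) -> bool:
    """All-zero or all-one MAC, invalid as the target MAC of a reply."""
    return mac in (b"\x00" * 6, b"\xff" * 6)


def bad_ip(ip: bytes) -> bool:
    """All-zero, all-one or multicast IP address."""
    return ip in (b"\x00" * 4, b"\xff" * 4) or IPv4Address(ip).is_multicast


def validate(frame: bytes, checks=("dst-mac", "ip", "src-mac")) -> list:
    """Return the checks the frame fails (empty list means it passes)."""
    p = parse_arp_frame(frame)
    failed = []
    # dst-mac: target MAC of a reply must be non-zero, non-broadcast and
    # equal to the Ethernet destination MAC
    if "dst-mac" in checks and p["op"] == OP_REPLY and (
            bad_mac(p["tha"]) or p["tha"] != p["eth_dst"]):
        failed.append("dst-mac")
    # ip: sender IP of requests; sender and target IP of replies
    if "ip" in checks:
        ips = [p["spa"]] if p["op"] == OP_REQUEST else [p["spa"], p["tpa"]]
        if any(bad_ip(a) for a in ips):
            failed.append("ip")
    # src-mac: sender MAC in the ARP body must equal the Ethernet source MAC
    # (the same comparison arp anti-attack valid-check makes on a gateway)
    if "src-mac" in checks and p["sha"] != p["eth_src"]:
        failed.append("src-mac")
    return failed


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Build a constructed ARP frame (helper for sample input only)."""
    return struct.pack("!6s6sH", eth_dst, eth_src, 0x0806) + struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
```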

arp restricted-forwarding enable

Syntax

arp restricted-forwarding enable

undo arp restricted-forwarding enable

View

VLAN view

Default level

2: System level

Parameters

None

Description

Use arp restricted-forwarding enable to enable ARP restricted forwarding.

Use undo arp restricted-forwarding enable to disable ARP restricted forwarding.

By default, ARP restricted forwarding is disabled.

Examples

# Enable ARP restricted forwarding in VLAN 100.

<Sysname> system-view

[Sysname] vlan 100

[Sysname-vlan100] arp restricted-forwarding enable

display arp detection

Syntax

display arp detection [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display arp detection to display the VLANs enabled with ARP detection.

Related commands: arp detection enable.

Examples

# Display the VLANs enabled with ARP detection.

<Sysname> display arp detection
ARP detection is enabled in the following VLANs:
1, 2, 4-5

display arp detection statistics

Syntax

display arp detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

interface interface-type interface-number: Displays the ARP detection statistics of a specific interface.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display arp detection statistics to display statistics about ARP detection. This command displays only the numbers of discarded packets. If you do not specify any interface, this command displays the statistics of all interfaces.

Examples

# Display the ARP detection statistics of all interfaces.

<Sysname> display arp detection statistics
State: U-Untrusted  T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State)          IP         Src-MAC    Dst-MAC    Inspect
GE3/0/1(U)                 0         0             0       0
GE3/0/2(U)                 40        0             0       78
GE3/0/3(U)                 0         0             0       0
GE3/0/4(T)                 0         0             0       0

Table 2 Command output

Field             Description
Interface(State)  State T or U identifies a trusted or untrusted port.
IP                Number of ARP packets discarded due to invalid source and destination IP addresses.
Src-MAC           Number of ARP packets discarded due to an invalid source MAC address.
Dst-MAC           Number of ARP packets discarded due to an invalid destination MAC address.
Inspect           Number of ARP packets that failed to pass ARP detection (based on static IP Source Guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses).

reset arp detection statistics

Syntax

reset arp detection statistics [ interface interface-type interface-number ]

View

User view

Default level

1: Monitor level

Parameters

interface interface-type interface-number: Clears the ARP detection statistics of a specific interface.

Description

Use reset arp detection statistics to clear the ARP detection statistics of a specific interface. If you do not specify any interface, this command clears the statistics of all interfaces.

Examples

# Clear the ARP detection statistics of all interfaces.

<Sysname> reset arp detection statistics
