If the IP packets have different source addresses, you can enable the ARP blackhole routing feature. After receiving an unresolvable IP packet, the device creates a blackhole route destined for the target IP address. Then it drops all the matching packets until the blackhole route ages out.

Examples

# Enable ARP blackhole routing.

<Sysname> system-view

[Sysname] arp resolving-route enable

arp resolving-route probe-count

Use arp resolving-route probe-count to set the number of ARP blackhole route probes for each unresolved IP address.

Use undo arp resolving-route probe-count to remove the configuration.

Syntax

arp resolving-route probe-count count

undo arp resolving-route probe-count

Default

The device performs one ARP blackhole route probe for each unresolved IP address.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

count: Sets the number of probes, in the range of 1 to 25.

Examples

# Configure the device to perform three ARP blackhole route probes for each unresolved IP address.

<Sysname> system-view

[Sysname] arp resolving-route probe-count 3

arp resolving-route probe-interval

Use arp resolving-route probe-interval to set the interval at which the device probes ARP blackhole routes.

Use undo arp resolving-route probe-interval to remove the configuration.

Syntax

arp resolving-route probe-interval interval

undo arp resolving-route probe-interval

Default

The device probes ARP blackhole routes every 1 second.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

interval: Sets the probe interval in the range of 1 to 5 seconds.

Examples

# Configure the device to probe ARP blackhole routes every 3 seconds.

<Sysname> system-view

[Sysname] arp resolving-route probe-interval 3

arp source-suppression enable

Use arp source-suppression enable to enable the ARP source suppression feature.

Use undo arp source-suppression enable to restore the default.

Syntax

arp source-suppression enable

undo arp source-suppression enable

Default

The ARP source suppression feature is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Configure this feature on the gateways.

Examples

# Enable the ARP source suppression feature.

<Sysname> system-view

[Sysname] arp source-suppression enable

Related commands

display arp source-suppression

arp source-suppression limit

Use arp source-suppression limit to set the maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.

Use undo arp source-suppression limit to restore the default.

Syntax

arp source-suppression limit limit-value

undo arp source-suppression limit

Default

The device can process a maximum of 10 unresolvable packets per source IP address within 5 seconds.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

limit-value: Specifies the limit in the range of 2 to 1024.

Usage guidelines

If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse.

Examples

# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.

<Sysname> system-view

[Sysname] arp source-suppression limit 100

Related commands

display arp source-suppression

Use display arp source-suppression to display information about the current ARP source suppression configuration.

Syntax

display arp source-suppression

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression

ARP source suppression is enabled

Current suppression limit: 100

Table 1 Command output

Field	Description
Current suppression limit	Maximum number of unresolvable packets that can be received from a host in 5 seconds.

ARP packet rate limit commands

arp rate-limit

Use arp rate-limit to enable the ARP packet rate limit feature on an interface and specify a rate limit value. Exceeded packets are discarded.

Use undo arp rate-limit to disable the ARP packet rate limit feature on an interface.

Syntax

arp rate-limit [ pps ]

undo arp rate-limit

Default

The ARP packet rate limit feature is enabled on an interface.

The rate limit is 2000 pps for EC interface module LSQM1TGS12EC0, and the rate limit is 750 pps for other modules.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

pps: Specifies the upper limit for ARP packet rate in pps, in the range of 5 to 2000.

Usage guidelines

If you do not specify a value for the pps argument in the arp rate-limit command, the default rate limit value applies.

Examples

# Set the maximum ARP packet rate to 50 pps on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp rate-limit 50

arp rate-limit log enable

Use arp rate-limit log enable to enable logging for ARP packet rate limit.

Use undo arp rate-limit log enable to disable logging for ARP packet rate limit.

Syntax

arp rate-limit log enable

undo arp rate-limit log enable

Default

Logging for ARP packet rate limit is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

When logging for ARP packet rate limit is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a log message to the information center. You can configure the information center module to set the log output rules. For more information about information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for ARP packet rate limit.

<Sysname> system-view

[Sysname] arp rate-limit log enable

arp rate-limit log interval

Use arp rate-limit log interval to set the notification and log message sending interval for ARP packet rate limit.

Use undo arp rate-limit log interval to restore the default.

Syntax

arp rate-limit log interval seconds

undo arp rate-limit log interval

Default

The device sends notifications or log messages at an interval of 60 seconds when the rate of ARP packets received on an interface exceeds the limit.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

Seconds: Specifies an interval in the range of 1 to 86400 seconds.

Usage guidelines

The interval applies to both notification sending and log message sending.

To change the default interval and activate it, you must enable ARP packet rate limit and enable sending notifications or log messages for ARP packet rate limit.

Examples

# Set the device to send notifications and log messages at an interval of 120 seconds when the rate of ARP packets received on an interface exceeds the limit.

<Sysname> system-view

[Sysname] arp rate-limit log interval 120

Related commands

· arp rate-limit

· arp rate-limit log enable

· snmp-agent trap enable arp

snmp-agent trap enable arp

Use snmp-agent trap enable arp to enable sending notifications for ARP.

Use undo snmp-agent trap enable arp to disable sending notifications for ARP.

Syntax

snmp-agent trap enable arp [ rate-limit ]

undo snmp-agent trap enable arp [ rate-limit ]

Default

Notification sending for ARP is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

rate-limit: Specifies the ARP packet rate limit feature.

Usage guidelines

When notification sending for ARP is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a notification to the SNMP module.

Use the command together with the snmp-agent target-host command. The snmp-agent target-host command specifies the notification type (inform or trap) and the destination host.

For more information about notifications, see Network Management and Monitoring Configuration Guide.

Examples

# Enable the device to send notifications for ARP packet rate limit.

<Sysname> system-view

[Sysname] snmp-agent trap enable arp rate-limit

Source MAC-based ARP attack detection commands

arp source-mac

Use arp source-mac to enable the source MAC-based ARP attack detection feature and specify a handling method.

Use undo arp source-mac to restore the default.

Syntax

arp source-mac { filter | monitor }

undo arp source-mac [ filter | monitor ]

Default

The source MAC-based ARP attack detection feature is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

filter: Generates log messages and discards subsequent ARP packets from the MAC address.

monitor: Only generates log messages.

Usage guidelines

Configure this feature on the gateways.

This feature checks the number of ARP packets delivered to the CPU. If the number of ARP packets from the same MAC address within 5 seconds exceeds a threshold, the device takes the preconfigured method to handle the attack.

Make sure you have enabled the ARP logging feature before enabling the source MAC-based ARP attack detection feature. For information about the ARP logging feature, see Layer 3—IP Services Configuration Guide.

If neither the filter nor the monitor keyword is specified in the undo arp source-mac command, both handling methods are disabled.

Examples

# Enable the source MAC-based ARP attack detection feature and specify the filter handling method.

<Sysname> system-view

[Sysname] arp source-mac filter

arp source-mac aging-time

Use arp source-mac aging-time to configure the aging time for ARP attack entries.

Use undo arp source-mac aging-time to restore the default.

Syntax

arp source-mac aging-time time

undo arp source-mac aging-time

Default

The aging time for ARP attack entries is set to 300 seconds (5 minutes).

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds.

Examples

# Set the aging time for ARP attack entries to 60 seconds.

<Sysname> system-view

[Sysname] arp source-mac aging-time 60

arp source-mac exclude-mac

Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection.

Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection.

Syntax

arp source-mac exclude-mac mac-address&<1-n>

undo arp source-mac exclude-mac [ mac-address&<1-n> ]

Default

No MAC address is excluded from source MAC-based ARP attack detection.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

mac-address&<1-n>: MAC address list. The mac-address argument indicates an excluded MAC address in the format of H-H-H. &<1-n> indicates the number of excluded MAC addresses that you can configure. The value of the n argument is 1 to 10.

Usage guidelines

If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.

Examples

# Exclude a MAC address from source MAC-based ARP attack detection.

<Sysname> system-view

[Sysname] arp source-mac exclude-mac 2-2-2

arp source-mac threshold

Use arp source-mac threshold to configure the threshold for source MAC-based ARP attack detection. If the number of ARP packets sent from a MAC address within 5 seconds exceeds this threshold, the device recognizes this as an attack.

Use undo arp source-mac threshold to restore the default.

Syntax

arp source-mac threshold threshold-value

undo arp source-mac threshold

Default

The maximum number of ARP packets received from the same MAC address within 5 seconds is 30.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range is 1 to 5000.

Examples

# Set the threshold for source MAC-based ARP attack detection to 30.

<Sysname> system-view

[Sysname] arp source-mac threshold 30

display arp source-mac

Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.

Syntax

In standalone mode:

display arp source-mac { slot slot-number | interface interface-type interface-number }

In IRF mode:

display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface number }

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device or specifies a PEX. The chassis-number argument represents the member ID of the IRF member device or the virtual chassis number of the PEX. The slot-number argument represents the slot number of the card or PEX. (In IRF mode.)

Examples

# Display the ARP attack entries detected by source MAC-based ARP attack detection.

<Sysname> display arp source-mac

Source-MAC VLAN ID Interface Aging-time

23f3-1122-3344 4094 GE1/0/1 10

23f3-1122-3355 4094 GE1/0/2 30

23f3-1122-33ff 4094 GE1/0/3 25

23f3-1122-33ad 4094 GE1/0/4 30

23f3-1122-33ce 4094 GE1/0/5 2

ARP packet source MAC consistency check commands

arp valid-check enable

Use arp valid-check enable to enable ARP packet source MAC address consistency check.

Use undo arp valid-check enable to disable ARP packet source MAC address consistency check.

Syntax

arp valid-check enable

undo arp valid-check enable

Default

ARP packet source MAC address consistency check is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.

Examples

# Enable ARP packet source MAC address consistency check.

<Sysname> system-view

[Sysname] arp valid-check enable

ARP active acknowledgement commands

arp active-ack enable

Use arp active-ack enable to enable the ARP active acknowledgement feature.

Use undo arp active-ack enable to restore the default.

Syntax

arp active-ack [ strict ] enable

undo arp active-ack [ strict ] enable

Default

The ARP active acknowledgement feature is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

Strict: Enables strict mode for ARP active acknowledgement.

Usage guidelines

Configure this feature on gateways to prevent user spoofing.

In strict mode, a gateway learns an entry only when ARP active acknowledgement is successful based on the correct ARP resolution.

Examples

# Enable the ARP active acknowledgement feature.

<Sysname> system-view

[Sysname] arp active-ack enable

Authorized ARP commands

arp authorized enable

Use arp authorized enable to enable authorized ARP on an interface.

Use undo arp authorized enable to restore the default.

Syntax

arp authorized enable

undo arp authorized enable

Default

Authorized ARP is disabled on the interface.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

VLAN interface view

Predefined user roles

network-admin

mdc-admin

Examples

# Enable authorized ARP on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port link-mode route

[Sysname-GigabitEthernet1/0/1] arp authorized enable

ARP detection commands

arp detection rule

Use arp detection rule to configure a user validity check rule.

Use undo arp detection rule to restore the default.

Syntax

arp detection rule rule-id { deny | permit } ip { any | ip-address [ ip-address-mask ] } mac { any | mac-address [ mac-address-mask ] } [ vlan vlan-id ]

undo arp detection rule [ rule-id ]

Default

No user validity check rule is configured.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

rule-id: Assigns an ID to the user validity check rule. The ID value range is 0 to 511. A smaller value represents a higher priority.

deny: Denies matching ARP packets.

permit: Permits matching ARP packets.

ip { any | ip-address [ ip-address-mask ] }: Specifies the sender IP address as the match criterion.

· any: Matches any IP address.

· ip-address: Specifies an IP address.

· ip-address-mask: Specifies the mask for the IP address.

mac { any | mac-address [ mac-address-mask ] }: Specifies the sender MAC address as the match criterion.

· any: Matches any MAC address.

· mac-address: Specifies a MAC address in the H-H-H format.

· mac-address-mask: Specifies the MAC address mask in the H-H-H format.

vlan vlan-id: Specifies the ID of a VLAN to which the specified rule applies. The value range for the VLAN ID is 1 to 4094.

Usage guidelines

The device checks user validity upon receiving an ARP packet from an ARP untrusted interface as follows:

1. Uses the user validity check rules to match the sender IP and MAC addresses of the ARP packet.

¡ If a match is found, the device processes the ARP packet according to the rule.

¡ If no match is found, proceeds to step 2.

2. Uses static IP source guard bindings, DHCP snooping entries, and 802.1X security entries to match the sender IP and MAC addresses of the ARP packet.

¡ If a match is found, the device forwards the ARP packet.

¡ If no match is found, the device discards the ARP packet.

Examples

# Configure a user validity check rule.

<Sysname> system-view

[Sysname] arp detection rule 0 permit ip 10.1.1.1 255.255.0.0 mac 0001-0203-0607 ffff-ffff-0000

arp detection enable

Use arp detection enable to enable ARP detection.

Use undo arp detection enable to restore the default.

Syntax

arp detection enable

undo arp detection enable

Default

ARP detection is disabled.

Views

VLAN view

Predefined user roles

network-admin

mdc-admin

Examples

# Enable ARP detection for VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp detection enable

arp detection log enable

Use arp detection log enable to enable ARP detection logging.

Use undo arp detection log enable to disable ARP detection logging.

Syntax

arp detection log enable

undo arp detection log enable

Default

ARP detection logging is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Examples

# Enable ARP detection logging.

<Sysname> system-view

[Sysname] arp detection log enable

arp detection trust

Use arp detection trust to configure an interface as an ARP trusted interface.

Use undo arp detection trust to restore the default.

Syntax

arp detection trust

undo arp detection trust

Default

An interface is an ARP untrusted interface.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Examples

# Configure GigabitEthernet 1/0/1 as an ARP trusted interface.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp detection trust

arp detection validate

Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line.

Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command deletes all objects.

Syntax

arp detection validate { dst-mac | ip | src-mac } *

undo arp detection validate [ dst-mac | ip | src-mac ] *

Default

ARP packet validity check is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

ip: Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.

src-mac: Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.

Examples

# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.

<Sysname> system-view

[Sysname] arp detection validate dst-mac src-mac ip

arp restricted-forwarding enable

Use arp restricted-forwarding enable to enable ARP restricted forwarding.

Use undo arp restricted-forwarding enable to disable ARP restricted forwarding.

Syntax

arp restricted-forwarding enable

undo arp restricted-forwarding enable

Default

ARP restricted forwarding is disabled.

Views

VLAN view

Predefined user roles

network-admin

mdc-admin

Examples

# Enable ARP restricted forwarding in VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp restricted-forwarding enable

display arp detection

Use display arp detection to display the VLANs enabled with ARP detection.

Syntax

display arp detection

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display the VLANs enabled with ARP detection.

<Sysname> display arp detection

ARP detection is enabled in the following VLANs:

1-2, 4-5

Related commands

arp detection enable

display arp detection statistics

Use display arp detection statistics to display ARP detection statistics.

Syntax

display arp detection statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Displays the ARP detection statistics of an interface.

Usage guidelines

This command displays numbers of packets discarded by user validity check and ARP packet validity check. If you do not specify an interface, the command displays statistics for all interfaces.

Examples

# Display the ARP detection statistics for all interfaces.

<Sysname> display arp detection statistics

State: U-Untrusted T-Trusted

ARP packets dropped by ARP inspect checking:

Interface(State) IP Src-MAC Dst-MAC Inspect

GE1/0/1(U) 40 0 0 78

GE1/0/2(U) 0 0 0 0

GE1/0/3(T) 0 0 0 0

GE1/0/4(U) 0 0 30 0

Table 2 Command output

Field	Description
State	State of an interface: · U—ARP untrusted interface. · T—ARP trusted interface.
Interface(State)	Inbound interface of ARP packets. State specifies the port state, trusted or untrusted.
IP	Number of ARP packets discarded due to invalid sender and target IP addresses.
Src-MAC	Number of ARP packets discarded due to invalid source MAC address.
Dst-MAC	Number of ARP packets discarded due to invalid destination MAC address.
Inspect	Number of ARP packets failed to pass user validity check.

reset arp detection statistics

Use reset arp detection statistics to clear ARP detection statistics.

Syntax

reset arp detection statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

interface interface-type interface-number: Clears the ARP detection statistics of an interface.

Usage guidelines

If you do not specify an interface, the command clears the statistics of all interfaces.

Examples

# Clear the ARP detection statistics of all interfaces.

<Sysname> reset arp detection statistics

ARP scanning and fixed ARP commands

arp fixup

Use arp fixup to convert existing dynamic ARP entries to static ARP entries.

Syntax

arp fixup

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The ARP conversion is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.

The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries. Due to the device's limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.

The static ARP entries after conversion can include the following entries:

· Existing dynamic and static ARP entries before conversion.

· New dynamic ARP entries learned during the conversion.

Dynamic ARP entries that are aged out during the conversion are not converted to static ARP entries.

To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.

Examples

# Enable fixed ARP.

<Sysname> system-view

[Sysname] arp fixup

arp scan

Use arp scan to trigger an ARP scanning in an address range.

Syntax

arp scan [ start-ip-address to end-ip-address ]

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

VLAN interface view

Predefined user roles

network-admin

mdc-admin

Parameters

start-ip-address: Specifies the start IP address of the scanning range.

end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.

Usage guidelines

ARP scanning automatically creates ARP entries for devices in the specified address range. IP addresses already in existing ARP entries are not scanned.

If the interface's primary and secondary IP addresses are in the address range, the sender IP address in the ARP request is the address on the smallest network segment.

If no address range is specified, the device learns ARP entries for devices on the subnet where the primary IP address of the interface resides. The sender IP address in the ARP requests is the primary IP address of the interface.

The start and end IP addresses must be on the same subnet as the primary IP address or secondary IP addresses of the interface.

ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

Examples

# Configure the device to scan the neighbors on the network where the primary IP address of VLAN-interface 2 resides.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp scan

# Configure the device to scan neighbors in an address range.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp scan 1.1.1.1 to 1.1.1.20

ARP gateway protection commands

arp filter source

Use arp filter source to enable ARP gateway protection for a gateway.

Use undo arp filter source to disable ARP gateway protection for a gateway.

Syntax

arp filter source ip-address

undo arp filter source ip-address

Default

ARP gateway protection is disabled.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

ip-address: Specifies the IP address of a protected gateway.

Usage guidelines

You can enable ARP gateway protection for a maximum of eight gateways on an interface.

You cannot configure both arp filter source and arp filter binding commands on the same interface.

Examples

# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp filter source 1.1.1.1

ARP filtering commands

arp filter binding

Use arp filter binding to configure an ARP permitted entry. If the sender IP and MAC addresses of an ARP packet match an ARP permitted entry, the ARP packet is permitted. If not, it is discarded.

Use undo arp filter binding to remove an ARP permitted entry.

Syntax

arp filter binding ip-address mac-address

undo arp filter binding ip-address

Default

No ARP permitted entry is configured.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

ip-address: Specifies a permitted sender IP address.

mac-address: Specifies a permitted sender MAC address.

Usage guidelines

You can configure a maximum of eight ARP permitted entries on an interface.

You cannot configure both the arp filter source and arp filter binding commands on the same interface.

Examples

# Configure an ARP permitted entry.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp filter binding 1.1.1.1 2-2-2

ARP packet sender IP address checking commands

arp sender-ip-range

Use arp sender-ip-range to specify the sender IP address range for checking ARP packets.

Use undo arp sender-ip-range to restore the default.

Syntax

arp sender-ip-range start-ip-address end-ip-address

undo arp sender-ip-range

Default

No sender IP address range is specified for checking ARP packets.

Views

VLAN view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address.

end-ip-address: Specifies the end IP address. The end IP address must be higher than or equal to the start IP address.

Usage guidelines

The gateway discards an ARP packet if its sender IP address is not within the allowed IP address range.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the sender IP address range 1.1.1.1 to 1.1.1.20 for checking ARP packets in VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname–vlan2] arp sender-ip-range 1.1.1.1 1.1.1.20

10-Security Command Reference

display arp source-suppression

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us