07-Security Command Reference

H3C Access Controllers Command References (E3703P61 R2509P61 R3709P61 R2609P61 R3509P61)-6W102
14-ARP Attack Protection Commands

ARP attack protection configuration commands

IP flood protection configuration commands

arp resolving-route enable

Use arp resolving-route enable to enable ARP blackhole routing.

Use undo arp resolving-route enable to disable ARP blackhole routing.

Syntax

arp resolving-route enable

undo arp resolving-route enable

Default

ARP blackhole routing is enabled.

Views

System view

Default command level

2: System level

Usage guidelines

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

Examples

# Enable ARP blackhole routing.

<Sysname> system-view

[Sysname] arp resolving-route enable

arp source-suppression enable

Use arp source-suppression enable to enable the ARP source suppression feature.

Use undo arp source-suppression enable to disable the ARP source suppression feature.

Syntax

arp source-suppression enable

undo arp source-suppression enable

Default

The ARP source suppression feature is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable the ARP source suppression feature.

<Sysname> system-view

[Sysname] arp source-suppression enable

Related commands

display arp source-suppression

arp source-suppression limit

Use arp source-suppression limit to set the maximum number of unresolvable IP packets that can be received from a device in 5 seconds. Unresolvable IP packets are packets whose destination IP addresses cannot be resolved by ARP.

Use undo arp source-suppression limit to restore the default value, which is 10.

Syntax

arp source-suppression limit limit-value

undo arp source-suppression limit

Views

System view

Default command level

2: System level

Parameters

limit-value: Sets the maximum number of unresolvable packets that can be received from a host in 5 seconds. The value range is 2 to 1024.

Usage guidelines

If the number of unresolvable packets from a host within 5 seconds exceeds the specified threshold, the device stops resolving packets from the host until the 5 seconds elapse.

Examples

# Allow the device to receive a maximum of 100 unresolvable packets from a host in 5 seconds.

<Sysname> system-view

[Sysname] arp source-suppression limit 100

Related commands

display arp source-suppression

display arp source-suppression

Use display arp source-suppression to display information about the current ARP source suppression configuration.

Syntax

display arp source-suppression [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

2: System level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression

 ARP source suppression is enabled

 Current suppression limit: 100

 Current cache length: 16

Table 1 Command output

Field                        Description
Current suppression limit    Maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in 5 seconds.
Current cache length         Size of the cache used to record source suppression information.

ARP packet rate limit configuration commands

arp rate-limit

Use arp rate-limit to configure or disable ARP packet rate limit on an interface.

Use undo arp rate-limit to restore the default.

Syntax

arp rate-limit { disable | rate pps drop }

undo arp rate-limit

Default

ARP packet rate limit is disabled.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view, WLAN-ESS interface view

Default command level

2: System level

Parameters

disable: Disables ARP packet rate limit.

rate pps: Specifies the upper limit for ARP packet rate in pps, in the range of 5 to 3072.

drop: Discards the exceeded packets.

Examples

# Set the maximum ARP packet rate to 50 pps on GigabitEthernet 1/0/1, and configure the interface to discard exceeded packets.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp rate-limit rate 50 drop

Source MAC-based ARP attack detection configuration commands

arp anti-attack source-mac

Use arp anti-attack source-mac to enable the source MAC-based ARP attack detection feature and specify a handling method.

Use undo arp anti-attack source-mac to restore the default.

Syntax

arp anti-attack source-mac { filter | monitor }

undo arp anti-attack source-mac [ filter | monitor ]

Default

Source MAC-based ARP attack detection is disabled.

Views

System view

Default command level

2: System level

Parameters

filter: Generates log messages and discards subsequent ARP packets from the MAC address.

monitor: Only generates log messages.

Usage guidelines

This feature checks the number of ARP packets received from the same source MAC address within 5 seconds against a specific threshold. If the threshold is exceeded, the device handles the attack with the configured method.

If neither the filter nor the monitor keyword is specified in the undo arp anti-attack source-mac command, both handling methods are disabled.

Examples

# Enable the source MAC-based ARP attack detection and specify the filter handling method.

<Sysname> system-view

[Sysname] arp anti-attack source-mac filter

arp anti-attack source-mac aging-time

Use arp anti-attack source-mac aging-time to set the aging time for source MAC-based ARP attack detection entries.

Use undo arp anti-attack source-mac aging-time to restore the default.

Syntax

arp anti-attack source-mac aging-time time

undo arp anti-attack source-mac aging-time

Default

The aging time for ARP attack entries is 300 seconds (5 minutes).

Views

System view

Default command level

2: System level

Parameters

time: Specifies the aging time for ARP attack entries, in the range of 60 to 6000 seconds.

Examples

# Set the aging time to 60 seconds for ARP attack entries.

<Sysname> system-view

[Sysname] arp anti-attack source-mac aging-time 60

arp anti-attack source-mac exclude-mac

Use arp anti-attack source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection.

Use undo arp anti-attack source-mac exclude-mac to remove the specified MAC addresses.

Syntax

arp anti-attack source-mac exclude-mac mac-address&<1-10>

undo arp anti-attack source-mac exclude-mac [ mac-address&<1-10> ]

Default

No MAC address is excluded from source MAC-based ARP attack detection.

Views

System view

Default command level

2: System level

Parameters

mac-address&<1-10>: Specifies the MAC address list. The mac-address argument indicates an excluded MAC address in the format H-H-H. &<1-10> indicates the number of MAC addresses that you can exclude.

Usage guidelines

If you do not specify any MAC address in the undo arp anti-attack source-mac exclude-mac command, this command removes all excluded MAC addresses.

Examples

# Exclude a MAC address from source MAC-based ARP attack detection.

<Sysname> system-view

[Sysname] arp anti-attack source-mac exclude-mac 2-2-2

arp anti-attack source-mac threshold

Use arp anti-attack source-mac threshold to set the threshold for source MAC-based ARP attack detection. If the number of ARP packets from a MAC address within 5 seconds exceeds this threshold, the device recognizes this as an attack.

Use undo arp anti-attack source-mac threshold to restore the default.

Syntax

arp anti-attack source-mac threshold threshold-value

undo arp anti-attack source-mac threshold

Default

The threshold for source MAC-based ARP attack detection is 50.

Views

System view

Default command level

2: System level

Parameters

threshold-value: Specifies the threshold for source MAC-based ARP attack detection, in the range of 10 to 100.

Examples

# Set the threshold to 30 for source MAC-based ARP attack detection.

<Sysname> system-view

[Sysname] arp anti-attack source-mac threshold 30
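The behaviour described for arp anti-attack source-mac, its threshold, aging-time and exclude-mac options, modelled as a small detector: packets per source MAC are counted in 5-second windows, exceeding the threshold creates an attack entry that lasts for the aging time, and the entry is logged (monitor) or logged and filtered (filter). This is an added example written for this page, not H3C code; the class and method names are assumptions, and the sample MAC addresses are constructed.

```python
WINDOW = 5            # detection window in seconds, as documented for this feature
DEFAULT_THRESHOLD = 50
DEFAULT_AGING = 300   # default aging time for attack entries, in seconds


class SourceMacArpDetector:
    """Hypothetical model of source MAC-based ARP attack detection."""

    def __init__(self, mode="monitor", threshold=DEFAULT_THRESHOLD,
                 aging_time=DEFAULT_AGING, exclude_macs=()):
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        if not 10 <= threshold <= 100:          # documented range of threshold-value
            raise ValueError("threshold out of range 10-100")
        if not 60 <= aging_time <= 6000:        # documented range of aging-time
            raise ValueError("aging time out of range 60-6000")
        self.mode = mode
        self.threshold = threshold
        self.aging_time = aging_time
        self.exclude = {m.lower() for m in exclude_macs}   # exclude-mac list
        self.window = {}    # source MAC -> (window start time, packet count)
        self.entries = {}   # source MAC -> time at which the attack entry ages out
        self.logs = []      # one log message per detected attack

    def _age_out(self, now):
        for mac in [m for m, expiry in self.entries.items() if now >= expiry]:
            del self.entries[mac]

    def handle(self, src_mac, now):
        """Return 'forward' or 'drop' for one ARP packet received at time `now`."""
        src_mac = src_mac.lower()
        self._age_out(now)
        if src_mac in self.exclude:
            return "forward"                    # excluded MACs are never checked
        if src_mac in self.entries:
            # An attack entry is active: filter mode discards subsequent
            # packets from this MAC until the entry ages out.
            return "drop" if self.mode == "filter" else "forward"
        start, count = self.window.get(src_mac, (now, 0))
        if now - start >= WINDOW:
            start, count = now, 0               # start a new 5-second window
        count += 1
        self.window[src_mac] = (start, count)
        if count > self.threshold:
            self.entries[src_mac] = now + self.aging_time
            self.logs.append(f"ARP attack from {src_mac} at t={now}: "
                             f"{count} packets within {WINDOW}s")
            return "drop" if self.mode == "filter" else "forward"
        return "forward"
```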

display arp anti-attack source-mac

Use display arp anti-attack source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.

Syntax

display arp anti-attack source-mac [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

interface interface-type interface-number: Displays ARP attack entries detected on the interface.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any interface, the display arp anti-attack source-mac command displays ARP attack entries detected on all interfaces.

Examples

# Display ARP attack entries detected by source MAC-based ARP attack detection.

<Sysname> display arp anti-attack source-mac

Source-MAC          VLAN ID           Interface             Aging-time

23f3-1122-3344      4094              GE1/0/1               10

23f3-1122-3355      4094              GE1/0/2               30

ARP packet source MAC consistency check configuration commands

arp anti-attack valid-check enable

Use arp anti-attack valid-check enable to enable ARP packet source MAC address consistency check on the gateway.

Use undo arp anti-attack valid-check enable to restore the default.

Syntax

arp anti-attack valid-check enable

undo arp anti-attack valid-check enable

Default

ARP packet source MAC address consistency check is disabled.

Views

System view

Default command level

2: System level

Usage guidelines

After you execute the arp anti-attack valid-check enable command, the gateway device can filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message.

Examples

# Enable ARP packet source MAC address consistency check.

<Sysname> system-view

[Sysname] arp anti-attack valid-check enable

ARP active acknowledgement configuration commands

arp anti-attack active-ack enable

Use arp anti-attack active-ack enable to enable the ARP active acknowledgement feature.

Use undo arp anti-attack active-ack enable to restore the default.

Syntax

arp anti-attack active-ack enable

undo arp anti-attack active-ack enable

Default

The ARP active acknowledgement feature is disabled.

Views

System view

Default command level

2: System level

Usage guidelines

This feature is configured on gateway devices to identify invalid ARP packets.

Examples

# Enable the ARP active acknowledgement feature.

<Sysname> system-view

[Sysname] arp anti-attack active-ack enable

Authorized ARP configuration commands

This feature is supported only on VLAN interfaces.

arp authorized enable

Use arp authorized enable to enable authorized ARP on an interface.

Use undo arp authorized enable to restore the default.

Syntax

arp authorized enable

undo arp authorized enable

Default

Authorized ARP is not enabled on the interface.

Views

VLAN interface view

Default command level

2: System level

Examples

# Enable authorized ARP on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface Vlan-interface 2

[Sysname-Vlan-interface2] arp authorized enable

ARP detection configuration commands

arp detection

Use arp detection to configure a user validity check rule.

Use undo arp detection to restore the default.

Syntax

arp detection id-number { deny | permit } ip { any | ip-address [ ip-address-mask ] } mac { any | mac-address [ mac-address-mask ] } [ vlan vlan-id ]

undo arp detection id-number

Default

No user validity check rule is specified.

Views

System view

Default command level

2: System level

Parameters

id-number: Specifies the sequence number of the user validity check rule, in the range of 0 to 511. The smaller the value, the higher the priority.

deny: Denies the matching ARP packets.

permit: Permits the matching ARP packets.

ip { any | ip-address [ ip-address-mask ] }: Specifies the sender IP address range.

· any: Matches any sender IP address.

· ip-address: Matches a sender IP address.

· ip-address-mask: Specifies the mask for the sender IP address in dotted decimal format. If no mask is specified, the ip-address argument specifies a host IP address.

mac { any | mac-address [ mac-address-mask ] }: Specifies the sender MAC address range.

· any: Matches any sender MAC address.

· mac-address: Matches a sender MAC address, in the format of H-H-H.

· mac-address-mask: Specifies the mask for the sender MAC address, in the format of H-H-H.

vlan vlan-id: Specifies the ID of a VLAN where this rule applies, in the range of 1 to 4094.

Usage guidelines

Upon receiving an ARP packet, user validity check first compares the sender IP and MAC addresses of the ARP packet against user validity check rules. If a matching rule is found, the ARP packet is processed according to the rule. If no matching rule is found, the device compares the ARP packet's sender IP and MAC addresses against the DHCP snooping entries and 802.1X security entries.

Examples

# Configure a user validity check rule, and enable user validity check.

<Sysname> system-view

[Sysname] arp detection 0 permit ip 10.1.1.1 255.255.0.0 mac 0001-0203-0607 ffff-ffff-0000

[Sysname] vlan 2

[Sysname-vlan2] arp detection enable

Related commands

arp detection enable
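The user validity check sequence described above, as an added example that is not part of the original reference: rules are parsed from the arp detection command syntax, tried in ascending id-number order with IP and H-H-H MAC masks, and only when no rule matches is the sender checked against DHCP snooping or 802.1X entries. The function and class names are assumptions, and the binding table is a constructed stand-in for the device's entries.

```python
import ipaddress


def mac_to_int(h3c_mac):
    """Parse the H-H-H format (each H is 1 to 4 hex digits, e.g. 2-2-2)."""
    parts = h3c_mac.split("-")
    if len(parts) != 3:
        raise ValueError(f"bad H-H-H MAC address: {h3c_mac}")
    return int("".join(p.zfill(4) for p in parts), 16)


class Rule:
    def __init__(self, id_number, action, ip, ip_mask, mac, mac_mask, vlan=None):
        if not 0 <= id_number <= 511 or action not in ("permit", "deny"):
            raise ValueError("bad rule")
        self.id_number, self.action, self.vlan = id_number, action, vlan
        # "any" matches everything; no mask means an exact (host) match
        self.ip = None if ip == "any" else int(ipaddress.IPv4Address(ip))
        self.ip_mask = int(ipaddress.IPv4Address(ip_mask)) if ip_mask else 0xFFFFFFFF
        self.mac = None if mac == "any" else mac_to_int(mac)
        self.mac_mask = mac_to_int(mac_mask) if mac_mask else 0xFFFFFFFFFFFF

    def matches(self, sender_ip, sender_mac, vlan):
        if self.vlan is not None and vlan != self.vlan:
            return False
        ip = int(ipaddress.IPv4Address(sender_ip))
        if self.ip is not None and (ip & self.ip_mask) != (self.ip & self.ip_mask):
            return False
        mac = mac_to_int(sender_mac)
        if self.mac is not None and (mac & self.mac_mask) != (self.mac & self.mac_mask):
            return False
        return True


def parse_rule(line):
    """Parse 'arp detection <id> {deny|permit} ip ... mac ... [vlan n]'."""
    t = line.split()
    if t[:2] != ["arp", "detection"]:
        raise ValueError("not an arp detection rule")
    id_number, action = int(t[2]), t[3]
    i = t.index("ip") + 1
    ip = t[i]
    ip_mask = t[i + 1] if ip != "any" and t[i + 1] != "mac" else None
    j = t.index("mac") + 1
    mac = t[j]
    mac_mask = t[j + 1] if mac != "any" and j + 1 < len(t) and t[j + 1] != "vlan" else None
    vlan = int(t[t.index("vlan") + 1]) if "vlan" in t else None
    return Rule(id_number, action, ip, ip_mask, mac, mac_mask, vlan)


def check_arp(sender_ip, sender_mac, vlan, rules, bindings):
    """Rules first (lowest id-number wins), then the snooping/802.1X bindings.

    `bindings` is a set of (ip, mac_int, vlan) tuples standing in for the
    DHCP snooping and 802.1X security entries (constructed for this example).
    """
    for rule in sorted(rules, key=lambda r: r.id_number):
        if rule.matches(sender_ip, sender_mac, vlan):
            return rule.action, f"rule {rule.id_number}"
    if (sender_ip, mac_to_int(sender_mac), vlan) in bindings:
        return "permit", "binding"
    return "deny", "no match"
```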

arp detection enable

Use arp detection enable to enable ARP detection.

Use undo arp detection enable to restore the default.

Syntax

arp detection enable

undo arp detection enable

Default

ARP detection is disabled.

Views

VLAN view

Default command level

2: System level

Examples

# Enable ARP detection for VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp detection enable

arp detection trust

Use arp detection trust to configure the port as an ARP trusted port.

Use undo arp detection trust to restore the default.

Syntax

arp detection trust

undo arp detection trust

Default

The port is an ARP untrusted port.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view, WLAN-ESS interface view

Default command level

2: System level

Examples

# Configure GigabitEthernet 1/0/1 as an ARP trusted port.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp detection trust

arp detection validate

Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line.

Use undo arp detection validate to disable ARP packet validity check. If you do not specify any keyword, this command deletes all objects.

Syntax

arp detection validate { dst-mac | ip | src-mac } *

undo arp detection validate [ dst-mac | ip | src-mac ] *

Default

ARP packet validity check is disabled.

Views

System view

Default command level

2: System level

Parameters

dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests are checked.

src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is considered valid. Otherwise, the packet is discarded.

Examples

# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.

<Sysname> system-view

[Sysname] arp detection validate dst-mac src-mac ip
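The three validity checks of arp detection validate (dst-mac, ip, src-mac), applied to raw Ethernet/ARP frames; the src-mac check is the same Ethernet-header versus ARP-sender comparison that arp anti-attack valid-check enable performs on a gateway. This is an added example, not H3C code: the frame builder and the check names are assumptions, and every frame below is constructed rather than captured.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Construct a 42-byte Ethernet/ARP frame (constructed test input)."""
    eth = bytes.fromhex(eth_dst) + bytes.fromhex(eth_src) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)        # Ethernet/IPv4 ARP header
    arp += bytes.fromhex(sha) + bytes(map(int, spa.split(".")))
    arp += bytes.fromhex(tha) + bytes(map(int, tpa.split(".")))
    return eth + arp


def parse(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12],
            "oper": struct.unpack("!H", frame[20:22])[0],
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}


def bad_ip(ip):
    # all-zero, all-one, or multicast (224.0.0.0/4) addresses are invalid
    return ip == b"\x00" * 4 or ip == b"\xff" * 4 or (ip[0] & 0xF0) == 0xE0


def bad_mac(mac):
    return mac == b"\x00" * 6 or mac == b"\xff" * 6


def validate(frame, checks=("dst-mac", "ip", "src-mac")):
    """Return the list of failed checks; an empty list means the packet passes."""
    p = parse(frame)
    failed = []
    # dst-mac: only ARP replies are checked; the target MAC must be a real
    # unicast address and equal to the Ethernet destination MAC
    if "dst-mac" in checks and p["oper"] == ARP_REPLY:
        if bad_mac(p["tha"]) or p["tha"] != p["eth_dst"]:
            failed.append("dst-mac")
    # ip: sender IP of requests; sender and target IP of replies
    if "ip" in checks:
        ips = [p["spa"]] if p["oper"] == ARP_REQUEST else [p["spa"], p["tpa"]]
        if any(bad_ip(ip) for ip in ips):
            failed.append("ip")
    # src-mac: sender MAC in the ARP body must equal the Ethernet source MAC
    if "src-mac" in checks and p["sha"] != p["eth_src"]:
        failed.append("src-mac")
    return failed
```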

arp restricted-forwarding enable

Use arp restricted-forwarding enable to enable ARP restricted forwarding.

Use undo arp restricted-forwarding enable to disable ARP restricted forwarding.

Syntax

arp restricted-forwarding enable

undo arp restricted-forwarding enable

Default

ARP restricted forwarding is disabled.

Views

VLAN view

Default command level

2: System level

Examples

# Enable ARP restricted forwarding in VLAN 1.

<Sysname> system-view

[Sysname] vlan 1

[Sysname-vlan1] arp restricted-forwarding enable

display arp detection

Use display arp detection to display the VLANs enabled with ARP detection.

Syntax

display arp detection [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the VLANs enabled with ARP detection.

<Sysname> display arp detection

ARP detection is enabled in the following VLANs:

1, 2, 4-5

Related commands

arp detection enable

display arp detection statistics

Use display arp detection statistics to display statistics about ARP detection. This command only displays numbers of discarded packets. If you do not specify any interface, this command displays the statistics of all interfaces.

Syntax

display arp detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

interface interface-type interface-number: Displays the ARP detection statistics of an interface.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the ARP detection statistics of all interfaces.

<Sysname> display arp detection statistics

State: U-Untrusted  T-Trusted

ARP packets dropped by ARP inspect checking:

Interface(State)          IP         Src-MAC    Dst-MAC    Inspect   

GE1/0/1(U)                40         0          0          78       

GE1/0/2(U)                0          0          0          0        

Table 2 Command output

Field               Description
Interface(State)    State T or U identifies a trusted or untrusted port.
IP                  Number of ARP packets discarded due to invalid source and destination IP addresses.
Src-MAC             Number of ARP packets discarded due to invalid source MAC address.
Dst-MAC             Number of ARP packets discarded due to invalid destination MAC address.
Inspect             Number of ARP packets that failed to pass ARP detection (based on static DHCP snooping entries and 802.1X security entries).

reset arp detection statistics

Use reset arp detection statistics to clear ARP detection statistics of an interface. If you do not specify any interface, this command clears the statistics of all interfaces.

Syntax

reset arp detection statistics [ interface interface-type interface-number ]

Views

User view

Default command level

1: Monitor level

Parameters

interface interface-type interface-number: Clears the ARP detection statistics of an interface.

Examples

# Clear the ARP detection statistics of all interfaces.

<Sysname> reset arp detection statistics

ARP gateway protection configuration commands

arp filter source

Use arp filter source to enable ARP gateway protection for a gateway.

Use undo arp filter source to disable ARP gateway protection for a gateway.

Syntax

arp filter source ip-address

undo arp filter source ip-address

Default

ARP gateway protection is disabled.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view, WLAN-ESS interface view

Default command level

2: System level

Parameters

ip-address: Specifies the IP address of a protected gateway.

Usage guidelines

You can enable ARP gateway protection for up to eight gateways on a port.

You cannot configure both arp filter source and arp filter binding commands on a port.

Examples

# Enable ARP gateway protection for the gateway at 1.1.1.1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] arp filter source 1.1.1.1

ARP filtering configuration commands

arp filter binding

Use arp filter binding to configure an ARP filtering entry. If the sender IP and MAC addresses of an ARP packet match an ARP filtering entry, the ARP packet is permitted. If not, it is discarded.

Use undo arp filter binding to remove an ARP filtering entry.

Syntax

arp filter binding ip-address mac-address

undo arp filter binding ip-address

Default

No ARP filtering entry is configured.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view, WLAN-ESS interface view

Default command level

2: System level

Parameters

ip-address: Specifies a permitted sender IP address.

mac-address: Specifies a permitted sender MAC address.

Usage guidelines

You can configure up to eight ARP filtering entries on a port.

You cannot configure both arp filter source and arp filter binding commands on a port.

Examples

# Configure an ARP filtering entry with permitted sender IP address 1.1.1.1 and MAC address 2-2-2.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] arp filter binding 1.1.1.1 2-2-2
