Security Command Reference: 14-ARP attack protection commands (140.64 KB)
ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route probe-count
arp resolving-route probe-interval
display arp source-suppression
Source MAC-based ARP attack detection commands
display arp source-mac configuration
display arp source-mac statistics
reset arp source-mac statistics
ARP packet source MAC consistency check commands
display arp valid-check statistics
reset arp valid-check statistics
ARP active acknowledgement commands
Interface-based ARP attack suppression commands
arp attack-suppression check-interval
arp attack-suppression enable per-interface
arp attack-suppression suppression-time
arp attack-suppression threshold
display arp attack-suppression configuration
display arp attack-suppression per-interface
display arp attack-suppression per-interface interface
reset arp attack-suppression per-interface
reset arp attack-suppression per-interface statistics
ARP scanning and fixed ARP commands
ARP gateway protection commands
ARP sender IP address checking commands
ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route enable
Use arp resolving-route enable to enable ARP blackhole routing.
Use undo arp resolving-route enable to disable ARP blackhole routing.
Syntax
arp resolving-route enable
undo arp resolving-route enable
Default
ARP blackhole routing is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this command on the gateways.
Examples
# Enable ARP blackhole routing.
<Sysname> system-view
[Sysname] arp resolving-route enable
Related commands
arp resolving-route probe-count
arp resolving-route probe-interval
arp resolving-route probe-count
Use arp resolving-route probe-count to set the number of ARP blackhole route probes for each unresolved IP address.
Use undo arp resolving-route probe-count to restore the default.
Syntax
arp resolving-route probe-count count
undo arp resolving-route probe-count
Default
The device performs three ARP blackhole route probes for each unresolved IP address.
Views
System view
Predefined user roles
network-admin
Parameters
count: Sets the number of probes, in the range of 1 to 25.
Examples
# Configure the device to perform five ARP blackhole route probes for each unresolved IP address.
<Sysname> system-view
[Sysname] arp resolving-route probe-count 5
Related commands
arp resolving-route enable
arp resolving-route probe-interval
arp resolving-route probe-interval
Use arp resolving-route probe-interval to set the interval at which the device probes ARP blackhole routes.
Use undo arp resolving-route probe-interval to restore the default.
Syntax
arp resolving-route probe-interval interval
undo arp resolving-route probe-interval
Default
The device probes ARP blackhole routes every 1 second.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the probe interval in the range of 1 to 5 seconds.
Examples
# Configure the device to probe ARP blackhole routes every 3 seconds.
<Sysname> system-view
[Sysname] arp resolving-route probe-interval 3
Related commands
arp resolving-route enable
arp resolving-route probe-count
arp source-suppression enable
Use arp source-suppression enable to enable the ARP source suppression feature.
Use undo arp source-suppression enable to disable the ARP source suppression feature.
Syntax
arp source-suppression enable
undo arp source-suppression enable
Default
The ARP source suppression feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on the gateways.
Examples
# Enable the ARP source suppression feature.
<Sysname> system-view
[Sysname] arp source-suppression enable
Related commands
display arp source-suppression
arp source-suppression limit
Use arp source-suppression limit to set the maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.
Use undo arp source-suppression limit to restore the default.
Syntax
arp source-suppression limit limit-value
undo arp source-suppression limit
Default
The device can process a maximum of 10 unresolvable packets per source IP address within 5 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
limit-value: Specifies the limit in the range of 2 to 1024.
Usage guidelines
If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse.
Examples
# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
<Sysname> system-view
[Sysname] arp source-suppression limit 100
Related commands
display arp source-suppression
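The following Python model is an added example and not code from the command reference or the device. It reproduces the behaviour the usage guidelines describe: unresolvable packets are counted per source IP address within a 5-second window, and once the count exceeds limit-value the device stops processing packets from that source until the 5 seconds elapse. The window alignment (starting at the first packet seen from a source) and the sample event list are assumptions made for the demonstration.

```python
"""Added example, not code from the command reference: a model of ARP source
suppression. Unresolvable packets are counted per source IP address within a
fixed 5-second window; once the count exceeds limit-value (default 10, range
2 to 1024) packets from that source are not processed until the 5 seconds
elapse. Starting the window at the first packet seen is an assumption."""

from collections import defaultdict

WINDOW_SECONDS = 5  # the reference fixes the window at 5 seconds


class ArpSourceSuppression:
    def __init__(self, limit=10):
        if not 2 <= limit <= 1024:
            raise ValueError("limit-value must be in the range 2 to 1024")
        self.limit = limit
        self._windows = {}  # source IP -> (window start, packets processed in window)

    def process(self, src_ip, now):
        """Return True if the unresolvable packet from src_ip is processed,
        False if it is suppressed. `now` is a timestamp in seconds."""
        start, processed = self._windows.get(src_ip, (now, 0))
        if now - start >= WINDOW_SECONDS:
            start, processed = now, 0  # the 5 seconds elapsed: open a new window
        if processed >= self.limit:
            return False  # limit reached: stop processing until the window ends
        self._windows[src_ip] = (start, processed + 1)
        return True


def simulate(events, limit=10):
    """events: iterable of (time, src_ip). Returns {src_ip: (processed, suppressed)}."""
    engine = ArpSourceSuppression(limit)
    stats = defaultdict(lambda: [0, 0])
    for t, ip in sorted(events):
        stats[ip][0 if engine.process(ip, t) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


# Constructed sample: 15 unresolvable packets in 1.5 s from 10.1.1.50, three
# from 10.1.1.7, and one more from 10.1.1.50 after its window has passed.
SAMPLE_EVENTS = (
    [(i / 10, "10.1.1.50") for i in range(15)]
    + [(0.0, "10.1.1.7"), (1.0, "10.1.1.7"), (2.0, "10.1.1.7")]
    + [(6.0, "10.1.1.50")]
)

if __name__ == "__main__":
    for limit in (10, 100):
        print(f"limit {limit}: {simulate(SAMPLE_EVENTS, limit)}")
```

With the default limit of 10, the burst from 10.1.1.50 gets 10 packets processed and 5 suppressed, and its later packet at 6 seconds is processed again because a new window has started; raising the limit to 100 lets the whole burst through, which is the trade-off the limit-value parameter controls.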
display arp source-suppression
Use display arp source-suppression to display information about the current ARP source suppression configuration.
Syntax
display arp source-suppression
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about the current ARP source suppression configuration.
<Sysname> display arp source-suppression
ARP source suppression is enabled
Current suppression limit: 100
Table 1 Command output

| Field | Description |
|---|---|
| Current suppression limit | Maximum number of unresolvable packets that can be processed per source IP address within 5 seconds. |
Source MAC-based ARP attack detection commands
arp source-mac
Use arp source-mac to enable the source MAC-based ARP attack detection feature and specify a handling method.
Use undo arp source-mac to disable the source MAC-based ARP attack detection feature.
Syntax
arp source-mac { filter | monitor }
undo arp source-mac [ filter | monitor ]
Default
The source MAC-based ARP attack detection feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
filter: Specifies the filter handling method.
monitor: Specifies the monitor handling method.
Usage guidelines
Configure this feature on the gateways.
This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within the check interval exceeds a threshold, the device generates an ARP attack entry for the MAC address. Before the entry ages out, the device handles the attack by using either of the following methods:
· Monitor—Only generates log messages.
· Filter—Generates log messages and filters out subsequent ARP packets from the MAC address.
Make sure you have enabled the ARP logging feature before enabling the source MAC-based ARP attack detection feature. For information about the ARP logging feature, see Layer 3—IP Services Configuration Guide.
If you do not specify any handling method in the undo arp source-mac command, the command disables this feature.
Examples
# Enable the source MAC-based ARP attack detection feature and specify the filter handling method.
<Sysname> system-view
[Sysname] arp source-mac filter
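The following Python model is an added example and not code from the command reference or the device. It implements the detection logic described in the usage guidelines of arp source-mac: ARP packets delivered to the CPU are counted per source MAC within the check interval, an attack entry is generated when the count exceeds the threshold, the entry lives for the aging time, filter mode drops subsequent packets from that MAC while monitor mode only logs, and MACs listed with arp source-mac exclude-mac are never counted. The interval alignment, the log text and the sample packet list are assumptions; the parameter ranges are the ones the reference gives.

```python
"""Added example, not code from the command reference: a model of source
MAC-based ARP attack detection. ARP packets delivered to the CPU are counted
per source MAC within the check interval (default 5 s); when the count
exceeds the threshold (default 30) an attack entry is created and kept for the
aging time (default 300 s). Filter mode drops subsequent packets from that MAC
while the entry exists; monitor mode only logs. Excluded MACs are not counted.
Starting each interval at the first packet seen from a MAC is an assumption."""


class AttackEntry:
    def __init__(self, mac, created):
        self.mac = mac
        self.created = created    # time the entry was generated
        self.packets_dropped = 0  # only grows in filter mode


class SourceMacDetector:
    def __init__(self, mode="filter", check_interval=5, threshold=30,
                 aging_time=300, exclude=()):
        if mode not in ("filter", "monitor"):
            raise ValueError("handling method must be filter or monitor")
        if not 5 <= check_interval <= 60:
            raise ValueError("check interval must be 5 to 60 seconds")
        if not 1 <= threshold <= 5000:
            raise ValueError("threshold must be 1 to 5000")
        if not 60 <= aging_time <= 6000:
            raise ValueError("aging time must be 60 to 6000 seconds")
        self.mode = mode
        self.check_interval = check_interval
        self.threshold = threshold
        self.aging_time = aging_time
        self.exclude = set(exclude)
        self.entries = {}  # mac -> AttackEntry
        self.logs = []     # log messages the device would emit
        self._counts = {}  # mac -> (interval start, packets seen in interval)

    def _age_out(self, now):
        expired = [m for m, e in self.entries.items() if now - e.created >= self.aging_time]
        for mac in expired:
            del self.entries[mac]

    def receive(self, src_mac, now):
        """Process one ARP packet delivered to the CPU; returns 'accepted' or 'dropped'."""
        self._age_out(now)
        if src_mac in self.exclude:
            return "accepted"
        entry = self.entries.get(src_mac)
        if entry is not None:
            if self.mode == "filter":
                entry.packets_dropped += 1
                return "dropped"
            return "accepted"  # monitor: the entry only causes logging
        start, count = self._counts.get(src_mac, (now, 0))
        if now - start >= self.check_interval:
            start, count = now, 0  # a new check interval begins
        count += 1
        self._counts[src_mac] = (start, count)
        if count > self.threshold:
            self.entries[src_mac] = AttackEntry(src_mac, now)
            self.logs.append(f"{now:.1f}s: ARP attack from {src_mac}, {count} packets "
                             f"within {self.check_interval}s ({self.mode})")
        return "accepted"


# Constructed sample: a burst of 10 ARP packets from 0001-0001-0001, the same
# burst from an excluded MAC, three packets from a normal host, and one packet
# from the first MAC after its attack entry has aged out.
SAMPLE_PACKETS = (
    [(i / 10, "0001-0001-0001") for i in range(10)]
    + [(i / 10, "001e-1200-0213") for i in range(10)]
    + [(0.2, "00aa-bb11-2233"), (1.3, "00aa-bb11-2233"), (2.8, "00aa-bb11-2233")]
    + [(70.0, "0001-0001-0001")]
)


def run_sample(mode="filter"):
    """Run the sample through a detector with a low threshold; returns
    (per-MAC verdict counts, log messages, remaining attack entries)."""
    det = SourceMacDetector(mode=mode, check_interval=5, threshold=5,
                            aging_time=60, exclude={"001e-1200-0213"})
    summary = {}
    for t, mac in sorted(SAMPLE_PACKETS):
        verdict = det.receive(mac, t)
        summary.setdefault(mac, {"accepted": 0, "dropped": 0})[verdict] += 1
    return summary, det.logs, det.entries


if __name__ == "__main__":
    for mode in ("filter", "monitor"):
        print(mode, run_sample(mode)[0])
```

In filter mode the sixth packet from 0001-0001-0001 crosses the threshold and creates the entry, the next four are dropped, and the packet at 70 seconds is accepted again because the entry aged out; in monitor mode the same burst produces one log message and no drops, which is why the reference requires ARP logging to be enabled before this feature is of any use.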
arp source-mac aging-time
Use arp source-mac aging-time to set the aging time for ARP attack entries.
Use undo arp source-mac aging-time to restore the default.
Syntax
arp source-mac aging-time time
undo arp source-mac aging-time
Default
The aging time for ARP attack entries is 300 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds.
Examples
# Set the aging time for ARP attack entries to 60 seconds.
<Sysname> system-view
[Sysname] arp source-mac aging-time 60
arp source-mac check-interval
Use arp source-mac check-interval to set the check interval for source MAC-based ARP attack detection.
Use undo arp source-mac check-interval to restore the default.
Syntax
arp source-mac check-interval interval
undo arp source-mac check-interval
Default
The check interval for source MAC-based ARP attack detection is 5 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the check interval in seconds. The value range is 5 to 60.
Usage guidelines
The source MAC-based ARP attack detection feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within the check interval exceeds the threshold, the device generates an ARP attack entry for the MAC address.
If attacks occur frequently in your network, set a short check interval so that source MAC-based ARP attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the check interval for source MAC-based ARP attack detection to 30 seconds.
<Sysname> system-view
[Sysname] arp source-mac check-interval 30
Related commands
arp source-mac
display arp source-mac configuration
arp source-mac exclude-mac
Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection.
Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection.
Syntax
arp source-mac exclude-mac mac-address&<1-64>
undo arp source-mac exclude-mac [ mac-address&<1-64> ]
Default
No MAC addresses are excluded from source MAC-based ARP attack detection.
Views
System view
Predefined user roles
network-admin
Parameters
mac-address&<1-64>: Specifies a MAC address list. The mac-address argument indicates an excluded MAC address in the format of H-H-H. &<1-64> indicates that you can configure a maximum of 64 excluded MAC addresses.
Usage guidelines
If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.
Examples
# Exclude a MAC address from source MAC-based ARP attack detection.
<Sysname> system-view
[Sysname] arp source-mac exclude-mac 001e-1200-0213
arp source-mac threshold
Use arp source-mac threshold to set the threshold for source MAC-based ARP attack detection. If the number of ARP packets sent from a MAC address within the check interval exceeds this threshold, the device recognizes this as an attack.
Use undo arp source-mac threshold to restore the default.
Syntax
arp source-mac threshold threshold-value
undo arp source-mac threshold
Default
The threshold for source MAC-based ARP attack detection is 30.
Views
System view
Predefined user roles
network-admin
Parameters
threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range for this argument is 1 to 5000.
Examples
# Set the threshold for source MAC-based ARP attack detection to 30.
<Sysname> system-view
[Sysname] arp source-mac threshold 30
display arp source-mac
Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.
Syntax
In standalone mode:
display arp source-mac interface interface-type interface-number [ slot slot-number ] [ verbose ]
display arp source-mac { mac mac-address | vlan vlan-id } slot slot-number [ verbose ]
display arp source-mac slot slot-number [ count | verbose ]
In IRF mode:
display arp source-mac interface interface-type interface-number [ chassis chassis-number slot slot-number ] [ verbose ]
display arp source-mac { mac mac-address | vlan vlan-id } chassis chassis-number slot slot-number [ verbose ]
display arp source-mac chassis chassis-number slot slot-number [ count | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays ARP attack entries for all interfaces.
slot slot-number: Displays the ARP attack entries detected by the physical interfaces that reside on the specified card and belong to the specified virtual interface. If you do not specify a card, this command displays entries detected by the physical interfaces that reside on the active MPUs and belong to the specified virtual interface. (In standalone mode.)
chassis chassis-number slot slot-number: Displays the ARP attack entries detected by the physical interfaces that reside on the specified slot and belong to the virtual interface. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries detected by the physical interfaces that reside on the global active MPU and belong to the virtual interface. (In IRF mode.)
mac mac-address: Displays the ARP attack entry for the specified MAC address. The MAC address format is H-H-H.
vlan vlan-id: Displays the source MAC-based ARP attack entry for the specified VLAN. The VLAN ID is in the range of 1 to 4094.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ARP attack entries for the active MPU. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ARP attack entries for the global active MPU. (In IRF mode.)
verbose: Displays the detailed information about source MAC-based ARP attack entries. If you do not specify this keyword, this command displays the brief information about the source MAC-based ARP attack entries.
count: Displays the number of ARP attack entries detected by source MAC-based ARP attack detection. If you do not specify this keyword, the command displays ARP attack entries detected by source MAC-based ARP attack detection.
Usage guidelines
(In standalone mode.) The slot slot-number option is supported only when the interface interface-type interface-number option specifies a virtual interface.
(In IRF mode.) The chassis chassis-number slot slot-number options are supported only when the interface interface-type interface-number option specifies a virtual interface.
Virtual interfaces can be Layer 2 aggregate interfaces, Layer 3 aggregate interfaces, Layer 3 aggregate subinterfaces, and VXLAN VSI interface.
If you do not specify any parameters, the command displays all ARP attack entries.
Examples
# Display the ARP attack entries detected by source MAC-based ARP attack detection on GigabitEthernet 3/1/1.
<Sysname> display arp source-mac interface gigabitethernet 3/1/1
Source MAC VLAN ID Interface Aging time (sec) Packets dropped
23f3-1122-3344 4094 GE3/1/1 10
# Display the number of ARP attack entries detected by source MAC-based ARP attack detection on slot 3.
<Sysname> display arp source-mac slot 3 count
Total source MAC-based ARP attack detection entries: 1
# Display the detailed information about ARP attack entries detected by source MAC-based ARP attack detection on GigabitEthernet 3/1/1.
<Sysname> display arp source-mac interface gigabitethernet 3/1/1 verbose
Source MAC: 0001-0001-0001
VLAN ID: 4094
Hardware status: Succeeded
Aging time: 10 seconds
Interface: GigabitEthernet3/1/1
Attack time: 2018/06/04 15:53:34
Packets dropped: 18446744073709551615
Table 2 Command output

| Field | Description |
|---|---|
| Source MAC | Source MAC address in the source MAC-based ARP attack entry. |
| VLAN ID | ID of the VLAN where the source MAC-based ARP attack is detected. |
| Interface | Interface where the source MAC-based ARP attack is detected. |
| Aging time | Remaining lifetime of the source MAC-based ARP attack entry, in seconds. |
| Packets dropped | Total number of packets dropped by source MAC-based ARP attack detection. If the source MAC-based ARP attack occurs on a Layer 2 Ethernet interface, packet drop statistics are not calculated and this field displays 1. |
| Total source MAC-based ARP attack detection entries | Total number of source MAC-based ARP attack entries. |
| Hardware status | Status of setting the source MAC-based ARP attack entry to hardware: Succeeded, Failed, Not supported, or Not enough resources. |
| Attack time | Time when the source MAC-based ARP attack is detected, in the format YYYY/MM/DD HH:MM:SS. |
Related commands
reset arp source-mac
reset arp source-mac statistics
display arp source-mac configuration
Use display arp source-mac configuration to display the configuration of source MAC-based ARP attack detection.
Syntax
display arp source-mac configuration
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of source MAC-based ARP attack detection.
<Sysname> display arp source-mac configuration
ARP source-mac is enabled.
Mode: Filter Check interval: 5 seconds
Threshold: 20 Aging time: 300 seconds
<Sysname> display arp source-mac configuration
ARP source-mac is disabled.
Table 3 Command output

| Field | Description |
|---|---|
| ARP source-mac is enabled. | The source MAC-based ARP attack detection is enabled. |
| ARP source-mac is disabled. | The source MAC-based ARP attack detection is disabled. |
| Mode | Source MAC-based ARP attack detection mode: Filter or Monitor. |
| Check interval | Check interval of the source MAC-based ARP attack detection, in seconds. |
| Threshold | Threshold for source MAC-based ARP attack detection. |
| Aging time | Aging time of the source MAC-based ARP attack entry, in seconds. |
Related commands
arp source-mac
arp source-mac aging-time
arp source-mac check-interval
arp source-mac exclude-mac
arp source-mac threshold
display arp source-mac statistics
Use display arp source-mac statistics to display statistics for packets dropped by source MAC-based ARP attack detection.
Syntax
In standalone mode:
display arp source-mac statistics slot slot-number
In IRF mode:
display arp source-mac statistics chassis chassis-number slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Usage guidelines
This command is supported only on CSPEX cards (excluding CSPEX-1204 and CSPEX-1104-E cards).
Examples
# Display statistics for packets dropped by source MAC-based ARP attack detection on slot 3.
<Sysname> display arp source-mac statistics slot 3
Dropped ARP packets:123321
Table 4 Command output

| Field | Description |
|---|---|
| Dropped ARP packets | Number of packets dropped by source MAC-based ARP attack detection. |
Related commands
arp source-mac
reset arp source-mac
Use reset arp source-mac to delete source MAC-based ARP attack entries.
Syntax
In standalone mode:
reset arp source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ]
In IRF mode:
reset arp source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Deletes the source MAC-based ARP attack entries detected on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.
mac mac-address: Deletes the source MAC-based ARP attack entry for the specified MAC address. The MAC address format is H-H-H.
vlan vlan-id: Deletes the source MAC-based ARP attack entry for the specified VLAN. The value range for the vlan-id argument is 1 to 4094.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Usage guidelines
If you do not specify any parameter, the command deletes all source MAC-based ARP attack entries on the device.
Examples
# Delete all source MAC-based ARP attack entries on the device.
<Sysname> reset arp source-mac
Related commands
display arp source-mac
reset arp source-mac statistics
Use reset arp source-mac statistics to clear statistics of packets dropped by source MAC-based ARP attack detection.
Syntax
In standalone mode:
reset arp source-mac statistics [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ]
In IRF mode:
reset arp source-mac statistics [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Clears statistics of packets dropped by source MAC-based ARP attack detection on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.
mac mac-address: Clears statistics of packets dropped by source MAC-based ARP attack detection for the specified MAC address. The MAC address format is H-H-H.
vlan vlan-id: Clears statistics of packets dropped by source MAC-based ARP attack detection for the specified VLAN. The value range for the VLAN ID is 1 to 4094.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Usage guidelines
If you do not specify any parameter, the command clears all statistics of packets dropped by source MAC-based ARP attack detection.
Examples
# Clear all statistics of packets dropped by source MAC-based ARP attack detection.
<Sysname> reset arp source-mac statistics
Related commands
display arp source-mac statistics
ARP packet source MAC consistency check commands
arp valid-check enable
Use arp valid-check enable to enable ARP packet source MAC address consistency check.
Use undo arp valid-check enable to disable ARP packet source MAC address consistency check.
Syntax
arp valid-check enable
undo arp valid-check enable
Default
ARP packet source MAC address consistency check is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
Examples
# Enable ARP packet source MAC address consistency check.
<Sysname> system-view
[Sysname] arp valid-check enable
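The following Python parser is an added example and not code from the command reference or the device. It shows what the consistency check compares: the source MAC in the Ethernet header against the sender hardware address in the ARP body, which an ARP spoofing packet often fails to keep consistent. The frame layout follows Ethernet II and RFC 826; the helper names, the sample frames and the dropped-packet counter are constructed for the demonstration.

```python
"""Added example, not code from the command reference: an Ethernet/ARP frame
parser that applies the ARP packet source MAC consistency check, rejecting
frames whose Ethernet source MAC differs from the sender hardware address in
the ARP body. Sample frames are constructed below for the demonstration."""

import struct

ETHERTYPE_ARP = 0x0806
ETH_HDR_LEN = 14
ARP_LEN = 28  # IPv4-over-Ethernet ARP body


def mac_bytes(text):
    """'001e-1200-0213' or '00:1e:12:00:02:13' -> 6 bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def mac_text(raw):
    """6 bytes -> the H-H-H form used in the reference."""
    return "-".join(raw[i:i + 2].hex() for i in (0, 2, 4))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.
    Raises ValueError for anything else."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    body = frame[22:42]  # sender MAC, sender IP, target MAC, target IP
    return {
        "eth_src": mac_text(eth_src),
        "opcode": opcode,  # 1 = request, 2 = reply
        "sender_mac": mac_text(body[0:6]),
        "sender_ip": ".".join(str(b) for b in body[6:10]),
        "target_mac": mac_text(body[10:16]),
        "target_ip": ".".join(str(b) for b in body[16:20]),
    }


def valid_check(frame):
    """The consistency check: returns (accepted, reason). Malformed frames
    are rejected as well, so they count as drops."""
    try:
        info = parse_arp_frame(frame)
    except ValueError as err:
        return False, f"malformed: {err}"
    if info["eth_src"] != info["sender_mac"]:
        return False, (f"Ethernet source {info['eth_src']} != ARP sender "
                       f"{info['sender_mac']} (claims {info['sender_ip']})")
    return True, "source MAC consistent"


def dropped_count(frames):
    """Counterpart of the 'Dropped ARP packets' statistic for a batch of frames."""
    return sum(1 for f in frames if not valid_check(f)[0])


def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, opcode=1):
    """Constructed test helper: a broadcast Ethernet II ARP frame."""
    eth = b"\xff" * 6 + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + b"\x00" * 6 + ip_bytes(target_ip))
    return eth + arp


# Constructed samples: a consistent request, and one whose ARP body claims a
# different sender MAC than the Ethernet header carries.
CONSISTENT = build_arp_frame("001e-1200-0213", "001e-1200-0213", "10.1.1.7", "10.1.1.1")
MISMATCHED = build_arp_frame("0001-0001-0001", "001e-1200-0213", "10.1.1.7", "10.1.1.1")

if __name__ == "__main__":
    for frame in (CONSISTENT, MISMATCHED):
        print(valid_check(frame))
```

The reason string of a rejected frame carries both MAC addresses and the claimed sender IP, which is the information an operator wants next to the Dropped ARP packets counter when investigating what the gateway is filtering.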
display arp valid-check statistics
Use display arp valid-check statistics to display statistics for packets dropped by ARP packet source MAC address consistency check.
Syntax
In standalone mode:
display arp valid-check statistics slot slot-number
In IRF mode:
display arp valid-check statistics chassis chassis-number slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Usage guidelines
This command is supported only on CSPEX cards (excluding CSPEX-1204 and CSPEX-1104-E cards).
Examples
# Display statistics for packets dropped by ARP packet source MAC address consistency check on slot 3.
<Sysname> display arp valid-check statistics slot 3
Dropped ARP packets:123321
Table 5 Command output

| Field | Description |
|---|---|
| Dropped ARP packets | Number of packets dropped by ARP packet source MAC address consistency check. |
Related commands
arp valid-check enable
reset arp valid-check statistics
Use reset arp valid-check statistics to clear statistics for packets dropped by ARP packet source MAC address consistency check.
Syntax
In standalone mode:
reset arp valid-check statistics [ slot slot-number ]
In IRF mode:
reset arp valid-check statistics [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Examples
# Clear statistics for packets dropped by ARP packet source MAC address consistency check.
<Sysname> reset arp valid-check statistics
Related commands
display arp valid-check statistics
ARP active acknowledgement commands
arp active-ack enable
Use arp active-ack enable to enable the ARP active acknowledgement feature.
Use undo arp active-ack enable to disable the ARP active acknowledgement feature.
Syntax
arp active-ack [ strict ] enable
undo arp active-ack [ strict ] enable
Default
The ARP active acknowledgement feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
strict: Enables strict mode for ARP active acknowledgement.
Usage guidelines
Configure this feature on gateways to prevent user spoofing.
In strict mode, a gateway learns an entry only when ARP active acknowledgement is successful based on the correct ARP resolution.
Examples
# Enable the ARP active acknowledgement feature.
<Sysname> system-view
[Sysname] arp active-ack enable
Interface-based ARP attack suppression commands
Interface-based ARP attack suppression is supported only on Layer 3 Ethernet interfaces and Layer 3 Ethernet subinterfaces of CSPEX cards (excluding CSPEX-1204 and CSPEX-1104-E cards).
arp attack-suppression check-interval
Use arp attack-suppression check-interval to set the check interval for interface-based ARP attack suppression.
Use undo arp attack-suppression check-interval to restore the default.
Syntax
arp attack-suppression check-interval interval
undo arp attack-suppression check-interval
Default
The check interval for interface-based ARP attack suppression is 5 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the check interval in seconds. The value range is 5 to 60.
Usage guidelines
The interface-based ARP attack suppression feature monitors the number of ARP requests that each Layer 3 interface received within the check interval. If the number on an interface exceeds the ARP attack suppression threshold, the device creates an ARP attack suppression entry for the interface.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the check interval for interface-based ARP attack suppression to 30 seconds.
<Sysname> system-view
[Sysname] arp attack-suppression check-interval 30
Related commands
arp attack-suppression enable per-interface
arp attack-suppression enable per-interface
Use arp attack-suppression enable per-interface to enable interface-based ARP attack suppression.
Use undo arp attack-suppression enable per-interface to disable interface-based ARP attack suppression.
Syntax
arp attack-suppression enable per-interface
undo arp attack-suppression enable per-interface
Default
Interface-based ARP attack suppression is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this feature to rate limit ARP requests on each Layer 3 interface to prevent ARP spoofing attacks.
This feature monitors the number of ARP requests that each Layer 3 interface received within the check interval. If the number on an interface exceeds the ARP attack suppression threshold, the device creates an ARP attack suppression entry for the interface. Before the suppression time for the entry times out, the maximum receiving rate for ARP packets is limited on the interface.
During the suppression period, the device monitors the number of received ARP requests on the interface:
· If the number of the received ARP requests is higher than or equal to a calculated value, the device determines that the ARP attack still exists on the interface. When the suppression time expires, the device resets the suppression time for the entry and continues the ARP suppression on the interface.
The calculated value = (suppression time/check interval) × suppression threshold
· If the number of the received ARP requests is lower than the calculated value, the ARP suppression entry is deleted when the suppression time expires.
As a best practice, enable this feature on the gateway.
Examples
# Enable interface-based ARP attack suppression.
<Sysname> system-view
[Sysname] arp attack-suppression enable per-interface
Related commands
arp attack-suppression threshold
display arp attack-suppression per-interface
arp attack-suppression suppression-time
Use arp attack-suppression suppression-time to set the interface-based ARP attack suppression time.
Use undo arp attack-suppression suppression-time to restore the default.
Syntax
arp attack-suppression suppression-time time
undo arp attack-suppression suppression-time
Default
The interface-based ARP attack suppression time is 300 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
time: Specifies the suppression time in seconds. The value range is 60 to 6000.
Usage guidelines
When an interface-based ARP attack is detected on an interface, the device creates an ARP attack suppression entry for the interface, and starts the suppression time. Before the suppression time for the entry expires, the maximum receiving rate for ARP packets is limited on the interface. When the suppression time expires,
During the suppression period, the device monitors the number of received ARP requests on the interface:
· If the number of the received ARP requests is higher than or equal to a calculated value, the device determines that the ARP attack still exists on the interface. When the suppression time expires, the device resets the suppression time for the entry and continues the ARP suppression on the interface.
The calculated value = (suppression time/check interval) × suppression threshold
· If the number of the received ARP requests is lower than the calculated value, the ARP suppression entry is deleted when the suppression time expires.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the interface-based ARP attack suppression time to 60 seconds.
<Sysname> system-view
[Sysname] arp attack-suppression suppression-time 60
Related commands
arp attack-suppression enable per-interface
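The following Python model is an added example and not code from the command reference or the device. It works through the entry lifecycle described in the usage guidelines of arp attack-suppression enable per-interface and arp attack-suppression suppression-time: an entry is created when the ARP requests on an interface within the check interval exceed the threshold, and when the suppression time expires the requests seen during it are compared with the calculated value (suppression time / check interval) × suppression threshold to decide whether the entry is renewed or deleted. The rate limit applied during suppression is not quantified on the page, so the model only tracks entry state; interval alignment, the class and method names and the sample scenario are assumptions.

```python
"""Added example, not code from the command reference: a model of
interface-based ARP attack suppression. Per Layer 3 interface, ARP requests
are counted within the check interval (default 5 s); when the count exceeds
the threshold (default 3000) a suppression entry is created for the
suppression time (default 300 s). When that time expires, the requests seen
during it are compared with (suppression time / check interval) x threshold:
at or above it the entry is renewed, below it the entry is deleted. Starting
each interval at the first request seen is an assumption."""


def calculated_value(suppression_time, check_interval, threshold):
    """(suppression time / check interval) x suppression threshold."""
    return (suppression_time / check_interval) * threshold


class InterfaceArpSuppression:
    def __init__(self, check_interval=5, suppression_time=300, threshold=3000):
        if not 5 <= check_interval <= 60:
            raise ValueError("check interval must be 5 to 60 seconds")
        if not 60 <= suppression_time <= 6000:
            raise ValueError("suppression time must be 60 to 6000 seconds")
        if not 1 <= threshold <= 5000:
            raise ValueError("threshold must be 1 to 5000")
        self.check_interval = check_interval
        self.suppression_time = suppression_time
        self.threshold = threshold
        self.entries = {}  # interface -> {"start": t, "requests": n during suppression}
        self._counts = {}  # interface -> (interval start, requests in interval)
        self.events = []   # (time, interface, what happened)

    def tick(self, now):
        """Renew or delete suppression entries whose suppression time has expired."""
        limit = calculated_value(self.suppression_time, self.check_interval, self.threshold)
        for ifname, entry in list(self.entries.items()):
            if now - entry["start"] < self.suppression_time:
                continue
            if entry["requests"] >= limit:
                entry["start"], entry["requests"] = now, 0  # attack persists: reset the timer
                self.events.append((now, ifname, "entry renewed"))
            else:
                del self.entries[ifname]
                self.events.append((now, ifname, "entry deleted"))
            self._counts.pop(ifname, None)

    def arp_request(self, ifname, now):
        """Account for one ARP request on ifname; returns 'normal' or 'suppressed'."""
        self.tick(now)
        entry = self.entries.get(ifname)
        if entry is not None:
            entry["requests"] += 1
            return "suppressed"  # the interface is rate limited during suppression
        start, count = self._counts.get(ifname, (now, 0))
        if now - start >= self.check_interval:
            start, count = now, 0
        count += 1
        self._counts[ifname] = (start, count)
        if count > self.threshold:
            self.entries[ifname] = {"start": now, "requests": 0}
            self.events.append((now, ifname, "entry created"))
        return "normal"


def run_sample():
    """Constructed scenario with small values so the effect is visible: both
    interfaces see a short burst that creates an entry, but only GE3/1/1 keeps
    flooding, so only its entry is renewed when the 60-second suppression
    time expires (calculated value = 60 / 5 x 10 = 120 requests)."""
    s = InterfaceArpSuppression(check_interval=5, suppression_time=60, threshold=10)
    for i in range(15):
        s.arp_request("GE3/1/1", i / 10)
        s.arp_request("GE3/1/2", i / 10)
    for i in range(200):  # 200 more requests on GE3/1/1, t = 2.0 .. 41.8 s
        s.arp_request("GE3/1/1", 2.0 + i * 0.2)
    s.tick(61.0)
    return s


if __name__ == "__main__":
    for event in run_sample().events:
        print(event)
```

With the reference defaults the calculated value is 300 / 5 × 3000 = 180000 requests over the suppression period, so an entry is only renewed for an interface that keeps receiving ARP requests at the threshold rate averaged over the whole suppression time; a short burst that crossed the threshold once is released when the suppression time expires.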
arp attack-suppression threshold
Use arp attack-suppression threshold to set the threshold for triggering interface-based ARP attack suppression.
Use undo arp attack-suppression threshold to restore the default.
Syntax
arp attack-suppression threshold threshold-value
undo arp attack-suppression threshold
Default
The interface-based ARP attack suppression threshold is 3000.
Views
System view
Predefined user roles
network-admin
Parameters
threshold-value: Specifies the interface-based ARP attack suppression threshold in the range of 1 to 5000. This threshold defines the maximum number of ARP requests that can be received on an interface within the check interval.
Usage guidelines
When the number of ARP requests received on an interface within the check interval exceeds the threshold, the system determines that the interface is being attacked.
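The detection rule above and the suppression-time rules in the previous command (entry creation, the calculated value, renewal versus deletion at expiry) are easier to reason about when replayed against a concrete series of per-check-interval request counts. The following model is an added example, not device firmware: the check interval and default values are taken from the sample display output on this page, the simulated clock and the choice to start counting only after the entry is created are my assumptions, and the burst scenario is constructed.

```python
"""Model of the interface-based ARP attack suppression rules documented on this page.

Added illustration only (not device code). Rules replayed:
  - attack detected when ARP requests in one check interval exceed the threshold;
  - calculated value = (suppression time / check interval) x threshold;
  - at expiry, requests seen during suppression >= calculated value renews the
    entry, otherwise the entry is deleted.
Defaults are taken from the sample 'display arp attack-suppression configuration'
output on this page; the simulated clock is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SuppressionConfig:
    check_interval: int = 5        # seconds
    suppression_time: int = 300    # seconds, documented range 60 to 6000
    threshold: int = 3000          # ARP requests per check interval, documented range 1 to 5000

    def __post_init__(self) -> None:
        if not 60 <= self.suppression_time <= 6000:
            raise ValueError("suppression time must be 60 to 6000 seconds")
        if not 1 <= self.threshold <= 5000:
            raise ValueError("threshold must be 1 to 5000")

    @property
    def calculated_value(self) -> int:
        """(suppression time / check interval) x suppression threshold."""
        return (self.suppression_time // self.check_interval) * self.threshold


@dataclass
class InterfaceState:
    name: str
    suppressed_until: Optional[int] = None  # simulated time when the entry expires
    requests_in_period: int = 0             # ARP requests counted while suppressed


def step(state: InterfaceState, cfg: SuppressionConfig, now: int, arp_requests: int) -> str:
    """Apply one check interval that ends at simulated time `now`.

    Returns 'idle', 'attack' (entry created), 'suppressing',
    'renewed' (attack persisted, timer reset) or 'cleared' (entry deleted).
    """
    if state.suppressed_until is None:
        if arp_requests > cfg.threshold:   # threshold exceeded: attack detected
            state.suppressed_until = now + cfg.suppression_time
            state.requests_in_period = 0
            return "attack"
        return "idle"

    state.requests_in_period += arp_requests
    if now < state.suppressed_until:
        return "suppressing"

    # Suppression time expired: decide whether the attack still exists.
    if state.requests_in_period >= cfg.calculated_value:
        state.suppressed_until = now + cfg.suppression_time
        state.requests_in_period = 0
        return "renewed"
    state.suppressed_until = None
    state.requests_in_period = 0
    return "cleared"


def simulate(cfg: SuppressionConfig, counts: List[int], name: str = "GE3/1/1") -> List[Tuple[int, str]]:
    """Replay per-check-interval ARP request counts; returns (time, event) pairs."""
    state = InterfaceState(name)
    events, now = [], 0
    for n in counts:
        now += cfg.check_interval
        events.append((now, step(state, cfg, now, n)))
    return events


if __name__ == "__main__":
    # Constructed scenario using the values from this page's examples:
    # 60 s suppression time, threshold 1000, 5 s check interval.
    cfg = SuppressionConfig(check_interval=5, suppression_time=60, threshold=1000)
    burst = [200, 5000] + [1500] * 12 + [100] * 12
    for t, ev in simulate(cfg, burst):
        if ev != "suppressing":
            print(f"t={t:>4}s {ev}")
```

With a 60 s suppression time and a 5 s check interval the calculated value is 12 × 1000 = 12000 requests, so a source that keeps sending 1500 requests per interval renews the entry at expiry, while one that drops to 100 per interval has its entry deleted.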
Examples
# Set the interface-based ARP attack suppression threshold to 1000.
<Sysname> system-view
[Sysname] arp attack-suppression threshold 1000
Related commands
arp attack-suppression enable per-interface
display arp attack-suppression per-interface
display arp attack-suppression configuration
Use display arp attack-suppression configuration to display the configuration of the interface-based ARP attack suppression.
Syntax
display arp attack-suppression configuration
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of the interface-based ARP attack suppression.
<Sysname> display arp attack-suppression configuration
ARP attack-suppression per-interface is enabled.
Check interval: 5 seconds Suppression time: 300 seconds
Threshold: 3000
<Sysname> display arp attack-suppression configuration
ARP attack-suppression per-interface is disabled.
Table 6 Command output
Field | Description |
---|---|
ARP attack-suppression per-interface is enabled. | The interface-based ARP attack suppression is enabled. |
ARP attack-suppression per-interface is disabled. | The interface-based ARP attack suppression is disabled. |
Check interval | Check interval of the interface-based ARP attack suppression, in seconds. |
Suppression time | Interface-based ARP attack suppression time, in seconds. |
Threshold | Threshold for triggering interface-based ARP attack suppression. |
Related commands
arp attack-suppression enable per-interface
display arp attack-suppression per-interface
Use display arp attack-suppression per-interface to display interface-based ARP attack suppression entries.
Syntax
In standalone mode:
display arp attack-suppression per-interface slot slot-number [ count | verbose ]
In IRF mode:
display arp attack-suppression per-interface chassis chassis-number slot slot-number [ count | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
count: Displays the number of interface-based ARP attack suppression entries. If you do not specify this keyword, the command displays the interface-based ARP attack suppression entries themselves.
verbose: Displays detailed information about interface-based ARP attack suppression entries. If you do not specify this keyword, the command displays brief information about interface-based ARP attack suppression entries.
Usage guidelines
If you specify neither count nor verbose, this command displays brief information about all interface-based ARP attack suppression entries on the specified card.
Examples
# Display interface-based ARP attack suppression entries for slot 1.
<Sysname> display arp attack-suppression per-interface slot 1
Interface Suppression time (second) Packets dropped
GE3/1/1 200 18446744073709551615
GE3/1/2 140 13829384728123487362
# Display the number of interface-based ARP attack suppression entries for slot 1.
<Sysname> display arp attack-suppression per-interface slot 1 count
Total ARP attack suppression entries: 2
# Display the detailed information about interface-based ARP attack suppression entries for slot 1.
<Sysname> display arp attack-suppression per-interface slot 1 verbose
Interface: GigabitEthernet3/1/1
Suppression time: 200 seconds
Hardware status: Succeeded
Attack time: 2018/06/04 15:53:34
Packets dropped: 18446744073709551615
Interface: GigabitEthernet3/1/2
Suppression time: 140 seconds
Hardware status: Succeeded
Attack time: 2018/06/04 14:53:34
Packets dropped: 13829384728123487362
Table 7 Command output
Field | Description |
---|---|
Interface | Interface in ARP attack suppression. |
Suppression time (second) | Remaining suppression time, in seconds. |
Packets dropped | Total number of packets dropped by ARP attack suppression on the interface. |
Total ARP attack suppression entries | Total number of interface-based ARP attack suppression entries. |
Hardware status | Result of delivering the interface-based ARP attack suppression entry to hardware: Succeeded, Failed, Not supported, or Not enough resources. |
Suppression time | Remaining suppression time, in seconds. |
Attack time | Time when the interface-based ARP attack was detected, in the format YYYY/MM/DD HH:MM:SS. |
Related commands
reset arp attack-suppression per-interface
reset arp attack-suppression per-interface statistics
display arp attack-suppression per-interface interface
Use display arp attack-suppression per-interface interface to display interface-based ARP attack suppression entries for an interface.
Syntax
display arp attack-suppression per-interface interface interface-type interface-number [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Displays interface-based ARP attack suppression entries for the specified interface. The interface-type interface-number arguments specify an interface by its type and number.
verbose: Displays detailed information about interface-based ARP attack suppression entries. If you do not specify this keyword, the command displays brief information about ARP attack suppression entries.
Examples
# Display interface-based ARP attack suppression entries on GigabitEthernet 3/1/1.
<Sysname> display arp attack-suppression per-interface interface gigabitethernet 3/1/1
Interface Suppression time (second) Packets dropped
GE3/1/1 200 18446744073709551615
# Display detailed information about the interface-based ARP attack suppression entries on GigabitEthernet 3/1/1.
<Sysname> display arp attack-suppression per-interface interface gigabitethernet 3/1/1 verbose
Interface: GigabitEthernet3/1/1
Suppression time: 200 seconds
Hardware status: Succeeded
Attack time: 2018/06/04 15:53:34
Packets dropped: 18446744073709551615
Table 8 Command output
Field | Description |
---|---|
Interface | Interface in ARP attack suppression. |
Suppression time (second) | Remaining suppression time, in seconds. |
Packets dropped | Total number of packets dropped by ARP attack suppression on the interface. |
Hardware status | Result of delivering the interface-based ARP attack suppression entry to hardware: Succeeded, Failed, Not supported, or Not enough resources. |
Suppression time | Remaining suppression time, in seconds. |
Attack time | Time when the interface-based ARP attack was detected, in the format YYYY/MM/DD HH:MM:SS. |
Related commands
reset arp attack-suppression per-interface
reset arp attack-suppression per-interface statistics
reset arp attack-suppression per-interface
Use reset arp attack-suppression per-interface to delete interface-based ARP attack suppression entries.
Syntax
In standalone mode:
reset arp attack-suppression per-interface [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
reset arp attack-suppression per-interface [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Deletes interface-based ARP attack suppression entries for the specified interface. The interface-type interface-number arguments specify an interface by its type and number.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Usage guidelines
If you do not specify any parameter, this command deletes all interface-based ARP attack suppression entries on the device.
Examples
# Delete all interface-based ARP attack suppression entries on the device.
<Sysname> reset arp attack-suppression per-interface
Related commands
display arp attack-suppression per-interface
reset arp attack-suppression per-interface statistics
Use reset arp attack-suppression per-interface statistics to clear statistics of packets dropped by interface-based ARP attack suppression.
Syntax
In standalone mode:
reset arp attack-suppression per-interface statistics [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
reset arp attack-suppression per-interface statistics [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Clears statistics of packets dropped by interface-based ARP attack suppression on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Usage guidelines
After you execute this command, the value for the Packets dropped field from the output of the display arp attack-suppression per-interface command will be cleared.
If you do not specify any parameter, this command clears all statistics of packets dropped by interface-based ARP attack suppression.
Examples
# Clear all statistics of packets dropped by interface-based ARP attack suppression.
<Sysname> reset arp attack-suppression per-interface statistics
Related commands
display arp attack-suppression per-interface
Authorized ARP commands
arp authorized enable
Use arp authorized enable to enable authorized ARP on an interface.
Use undo arp authorized enable to disable authorized ARP on an interface.
Syntax
arp authorized enable
undo arp authorized enable
Default
Authorized ARP is disabled on the interface.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
VSI interface view
VLAN interface view
Predefined user roles
network-admin
Examples
# Enable authorized ARP on GigabitEthernet 3/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/1/1
[Sysname-GigabitEthernet3/1/1] arp authorized enable
ARP scanning and fixed ARP commands
arp fixup
Use arp fixup to convert existing dynamic ARP entries to static ARP entries.
Use undo arp fixup to convert valid static ARP entries to dynamic ARP entries and delete invalid static ARP entries.
Syntax
arp fixup
undo arp fixup
Views
System view
Predefined user roles
network-admin
Usage guidelines
The ARP conversion is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.
The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries. Due to the device's limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.
The static ARP entries after conversion can include the following entries:
· Existing dynamic and static ARP entries before conversion.
· New dynamic ARP entries learned during the conversion.
Dynamic ARP entries that are aged out during the conversion are not converted to static ARP entries.
To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.
Examples
# Convert existing dynamic ARP entries to static ARP entries.
<Sysname> system-view
[Sysname] arp fixup
arp scan
Use arp scan to trigger an ARP scanning in an address range.
Syntax
arp scan [ start-ip-address to end-ip-address ]
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
VSI interface view
VLAN interface view
Predefined user roles
network-admin
Parameters
start-ip-address: Specifies the start IP address of the scanning range.
end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.
Usage guidelines
ARP scanning automatically creates ARP entries for devices in the specified address range. IP addresses already in existing ARP entries are not scanned.
If the interface's primary and secondary IP addresses are in the address range, the sender IP address in the ARP request is the address on the smallest network segment.
If no address range is specified, the device learns ARP entries for devices on the subnet where the primary IP address of the interface resides. The sender IP address in the ARP requests is the primary IP address of the interface.
The start and end IP addresses must be on the same subnet as the primary IP address or secondary IP addresses of the interface.
ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
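The scan rules above (which subnet is scanned when no range is given, where a range is allowed to lie, which interface address is used as the ARP sender IP, and which addresses are skipped) can be checked before a scan is launched. The following planner is an added example and not device code: it takes the interface's addresses, the existing ARP entries and an optional range, and returns the sender IP and the addresses the scan would probe. Three points are my interpretation rather than the page's wording: "smallest network segment" is taken as the longest prefix, both ends of a range must fall in the same interface subnet, and the interface's own addresses are not probed. All inputs are constructed.

```python
"""Planner for the arp scan rules documented on this page (added example, not device code).

Rules from the page: with no range, the primary address's subnet is scanned with the
primary address as sender; a range must lie on the subnet of the primary or a secondary
address; addresses already in the ARP table are not scanned; when a primary and a
secondary address both cover the range, the sender is the address on the smallest segment.
Assumptions (mine): smallest segment = longest prefix; both range ends must fall in the
same interface subnet; the interface's own addresses are skipped.
"""
from ipaddress import IPv4Address, IPv4Interface
from typing import Iterable, List, Optional, Sequence, Tuple


def plan_arp_scan(interface_addrs: Sequence[str], existing_entries: Iterable[str],
                  start: Optional[str] = None, end: Optional[str] = None
                  ) -> Tuple[IPv4Address, List[IPv4Address]]:
    """interface_addrs lists 'addr/prefix' strings, primary address first.

    Returns (sender IP used in the ARP requests, addresses that would be probed).
    """
    if not interface_addrs:
        raise ValueError("interface has no IPv4 address")
    ifaces = [IPv4Interface(a) for a in interface_addrs]
    primary = ifaces[0]

    if start is None and end is None:
        # No range: scan the primary address's subnet using the primary address as sender.
        sender = primary.ip
        candidates = list(primary.network.hosts())
    else:
        if start is None or end is None:
            raise ValueError("both start and end IP addresses are required")
        lo, hi = IPv4Address(start), IPv4Address(end)
        if hi < lo:
            raise ValueError("end IP address must be higher than or equal to the start IP address")
        covering = [i for i in ifaces if lo in i.network and hi in i.network]
        if not covering:
            raise ValueError("range must be on the same subnet as the primary or a secondary address")
        # Smallest network segment = longest prefix length (assumption).
        sender = max(covering, key=lambda i: i.network.prefixlen).ip
        candidates = [IPv4Address(n) for n in range(int(lo), int(hi) + 1)]

    # Skip addresses already resolved and the interface's own addresses (assumption).
    skip = {IPv4Address(e) for e in existing_entries} | {i.ip for i in ifaces}
    targets = [c for c in candidates if c not in skip]
    return sender, targets


if __name__ == "__main__":
    # Constructed input mirroring the page's example: scan 1.1.1.1 to 1.1.1.20.
    sender, targets = plan_arp_scan(["1.1.1.254/24", "1.1.2.254/24"], ["1.1.1.5"],
                                    "1.1.1.1", "1.1.1.20")
    print(f"sender {sender}, {len(targets)} targets, first {targets[0]}, last {targets[-1]}")
```

Running the planner before a scan on a large subnet also gives the count of addresses that will be probed, which is the best available estimate of how long the scan will take and how many ARP requests it will put on the segment.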
Examples
# Configure the device to scan neighbors on the network where the primary IP address of GigabitEthernet 3/1/1 resides.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/1/1
[Sysname-GigabitEthernet3/1/1] arp scan
# Configure the device to scan neighbors in an address range.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/1/1
[Sysname-GigabitEthernet3/1/1] arp scan 1.1.1.1 to 1.1.1.20
ARP gateway protection commands
arp filter source
Use arp filter source to enable ARP gateway protection for a gateway.
Use undo arp filter source to disable ARP gateway protection for a gateway.
Syntax
arp filter source ip-address
undo arp filter source ip-address
Default
ARP gateway protection is disabled.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
ip-address: Specifies the IP address of a protected gateway.
Usage guidelines
You can enable ARP gateway protection for a maximum of eight gateways on an interface.
You cannot configure both the arp filter source and arp filter binding commands on the same interface.
Examples
# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/1/1
[Sysname-GigabitEthernet3/1/1] arp filter source 1.1.1.1
ARP filtering commands
arp filter binding
Use arp filter binding to enable ARP filtering and configure an ARP permitted entry.
Use undo arp filter binding to remove an ARP permitted entry.
Syntax
arp filter binding ip-address mac-address
undo arp filter binding ip-address
Default
ARP filtering is disabled.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
ip-address: Specifies a permitted sender IP address.
mac-address: Specifies a permitted sender MAC address.
Usage guidelines
If the sender IP and MAC addresses of an ARP packet match an ARP permitted entry, the ARP packet is permitted. If the sender IP and MAC addresses of an ARP packet do not match an ARP permitted entry, the ARP packet is discarded.
You can configure a maximum of eight ARP permitted entries on an interface.
You cannot configure both the arp filter source and arp filter binding commands on the same interface.
Examples
# Enable ARP filtering and configure an ARP permitted entry.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/1/1
[Sysname-GigabitEthernet3/1/1] arp filter binding 1.1.1.1 0e10-0213-1023
ARP sender IP address checking commands
arp sender-ip-range
Use arp sender-ip-range to enable the ARP sender IP address checking feature and specify the IP address range.
Use undo arp sender-ip-range to disable the ARP sender IP address checking feature.
Syntax
arp sender-ip-range start-ip-address end-ip-address
undo arp sender-ip-range
Default
The ARP sender IP address checking feature is disabled.
Views
VLAN view
Predefined user roles
network-admin
Parameters
start-ip-address: Specifies the start IP address.
end-ip-address: Specifies the end IP address. The end IP address must be higher than or equal to the start IP address.
Usage guidelines
This feature enables a device to discard an ARP packet if its sender IP address is not within the specified IP address range.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable the ARP sender IP address checking feature in VLAN 2 and specify the IP address range 1.1.1.1 to 1.1.1.20.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] arp sender-ip-range 1.1.1.1 1.1.1.20
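The three sender-address checks in this part of the reference (ARP gateway protection with arp filter source, ARP filtering with arp filter binding, and the VLAN sender IP range with arp sender-ip-range) all key on the sender IP and sender MAC fields of a received ARP packet. The following is an added example, not device code: a minimal parser for an Ethernet II frame carrying IPv4-over-Ethernet ARP and a per-port policy that applies the three rules as the page states them (a permitted entry must match the sender IP/MAC pair, the sender IP must fall within the VLAN's range, at most eight gateways or eight permitted entries per interface, and the two filter commands are mutually exclusive). One point is my assumption rather than the page's wording: gateway protection is modelled as discarding a packet whose sender IP is a protected gateway address. The frames used are constructed.

```python
"""ARP sender-address checks from this page, modelled in Python (added example, not device code).

Rules from the page: a packet whose sender IP/MAC pair matches a permitted entry is
permitted and any other packet is discarded (arp filter binding); the sender IP must be
within the VLAN's range (arp sender-ip-range); at most eight gateways or eight permitted
entries per interface; arp filter source and arp filter binding are mutually exclusive.
Assumption (mine): arp filter source discards packets whose sender IP is a protected gateway.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, Iterable, Optional, Tuple

ETHERTYPE_ARP = 0x0806


def mac_str(raw: bytes) -> str:
    """Render 6 MAC bytes in the H-H-H form this page uses, e.g. 0e10-0213-1023."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def parse_arp(frame: bytes) -> dict:
    """Extract opcode and sender/target addresses; ValueError if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "opcode": oper,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": IPv4Address(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": IPv4Address(frame[38:42]),
    }


def build_arp(sender_mac: str, sender_ip: str, target_ip: str, opcode: int = 1) -> bytes:
    """Construct a test frame: broadcast request (opcode 1) or reply (opcode 2)."""
    smac = mac_bytes(sender_mac)
    dst = b"\xff" * 6 if opcode == 1 else smac
    eth = dst + smac + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    body += smac + IPv4Address(sender_ip).packed + b"\x00" * 6 + IPv4Address(target_ip).packed
    return eth + body


class PortPolicy:
    """ARP protection configured on one Layer 2 interface."""

    def __init__(self, protected_gateways: Iterable[str] = (),
                 permitted_bindings: Optional[Dict[str, str]] = None):
        gateways = [IPv4Address(g) for g in protected_gateways]
        bindings = permitted_bindings or {}
        if gateways and bindings:
            raise ValueError("arp filter source and arp filter binding cannot coexist on an interface")
        if len(gateways) > 8 or len(bindings) > 8:
            raise ValueError("at most eight gateways or eight permitted entries per interface")
        self.protected_gateways = set(gateways)
        self.permitted_bindings = {(IPv4Address(ip), mac_str(mac_bytes(mac))) for ip, mac in bindings.items()}


def decide(frame: bytes, port: PortPolicy, vlan_range: Optional[Tuple[str, str]] = None) -> Tuple[str, str]:
    """Return ('permit' | 'discard', reason) for one frame received on the port."""
    arp = parse_arp(frame)
    sip, smac = arp["sender_ip"], arp["sender_mac"]
    if sip in port.protected_gateways:                                          # arp filter source
        return "discard", "sender IP is a protected gateway"
    if port.permitted_bindings and (sip, smac) not in port.permitted_bindings:  # arp filter binding
        return "discard", "sender IP/MAC does not match a permitted entry"
    if vlan_range is not None:                                                  # arp sender-ip-range
        lo, hi = IPv4Address(vlan_range[0]), IPv4Address(vlan_range[1])
        if not lo <= sip <= hi:
            return "discard", "sender IP outside the VLAN's sender IP range"
    return "permit", "ok"


if __name__ == "__main__":
    host_port = PortPolicy(permitted_bindings={"1.1.1.1": "0e10-0213-1023"})  # page's example entry
    print(decide(build_arp("0e10-0213-1023", "1.1.1.1", "1.1.1.254"), host_port))
    print(decide(build_arp("aaaa-bbbb-cccc", "1.1.1.1", "1.1.1.254"), host_port))  # spoofed MAC
```

The order of the checks is a modelling choice; what matters for a deployment is that a permitted-entry port rejects everything except the listed pairs, so a host whose MAC changes (a NIC swap, a VM migration) is silently cut off until its entry is updated, and that the VLAN range check applies regardless of which per-port filter is configured.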