11-Security Command Reference

HomeSupportResource CenterNFVH3C VSRH3C VSRTechnical DocumentsCommandCommand ReferencesH3C VSR Series Virtual Services Routers Command References(V7)-R0621-6W30011-Security Command Reference
22-ARP attack protection commands
Title Size Download
22-ARP attack protection commands 89.37 KB

ARP attack protection commands

Unresolvable IP attack protection commands

arp resolving-route enable

Use arp resolving-route enable to enable ARP blackhole routing.

Use undo arp resolving-route enable to disable ARP blackhole routing.

Syntax

arp resolving-route enable

undo arp resolving-route enable

Default

The ARP blackhole routing feature is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this command on the gateways.

Examples

# Enable ARP blackhole routing.

<Sysname> system-view

[Sysname] arp resolving-route enable

Related commands

arp resolving-route probe-count

arp resolving-route probe-interval

arp resolving-route probe-count

Use arp resolving-route probe-count to set the number of ARP blackhole route probes for each unresolved IP address.

Use undo arp resolving-route probe-count to restore the default.

Syntax

arp resolving-route probe-count count

undo arp resolving-route probe-count

Default

The device performs three ARP blackhole route probes for each unresolved IP address.

Views

System view

Predefined user roles

network-admin

Parameters

count: Sets the number of probes, in the range of 1 to 25.

Examples

# Configure the device to perform five ARP blackhole route probes for each unresolved IP address.

<Sysname> system-view

[Sysname] arp resolving-route probe-count 5

Related commands

arp resolving-route enable

arp resolving-route probe-interval

arp resolving-route probe-interval

Use arp resolving-route probe-interval to set the interval at which the device probes ARP blackhole routes.

Use undo arp resolving-route probe-interval to restore the default.

Syntax

arp resolving-route probe-interval interval

undo arp resolving-route probe-interval

Default

The device probes ARP blackhole routes every 1 second.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the probe interval in the range of 1 to 5 seconds.

Examples

# Configure the device to probe ARP blackhole routes every 3 seconds.

<Sysname> system-view

[Sysname] arp resolving-route probe-interval 3

Related commands

arp resolving-route enable

arp resolving-route probe-count

arp source-suppression enable

Use arp source-suppression enable to enable the ARP source suppression feature.

Use undo arp source-suppression enable to disable the ARP source suppression feature.

Syntax

arp source-suppression enable

undo arp source-suppression enable

Default

The ARP source suppression feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this feature on the gateways.

Examples

# Enable the ARP source suppression feature.

<Sysname> system-view

[Sysname] arp source-suppression enable

Related commands

display arp source-suppression

arp source-suppression limit

Use arp source-suppression limit to set the maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.

Use undo arp source-suppression limit to restore the default.

Syntax

arp source-suppression limit limit-value

undo arp source-suppression limit

Default

The device can process a maximum of 10 unresolvable packets per source IP address within 5 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

limit-value: Specifies the limit in the range of 2 to 1024.

Usage guidelines

If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse.

Examples

# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.

<Sysname> system-view

[Sysname] arp source-suppression limit 100

Related commands

display arp source-suppression

display arp source-suppression

Use display arp source-suppression to display information about the current ARP source suppression configuration.

Syntax

display arp source-suppression

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression

 ARP source suppression is enabled

 Current suppression limit: 100

Table 1 Command output

Field

Description

Current suppression limit

Maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.

 

Source MAC-based ARP attack detection commands

arp source-mac

Use arp source-mac to enable the source MAC-based ARP attack detection feature and specify a handling method.

Use undo arp source-mac to disable the source MAC-based ARP attack detection feature.

Syntax

arp source-mac { filter | monitor }

undo arp source-mac [ filter | monitor ]

Default

The source MAC-based ARP attack detection feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

filter: Specifies the filter handling method.

monitor: Specifies the monitor handling method.

Usage guidelines

Configure this feature on the gateways.

This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device generates an ARP attack entry for the MAC address. Before the entry ages out, the device handles the attack by using either of the following methods:

·     Monitor—Only generates log messages.

·     Filter—Generates log messages and filters out subsequent ARP packets from the MAC address.

Make sure you have enabled the ARP logging feature before enabling the source MAC-based ARP attack detection feature. For information about the ARP logging feature, see ARP configuration in Layer 3—IP Services Configuration Guide.

If you do not specify any handling method in the undo arp source-mac command, the command disables this feature.

Examples

# Enable the source MAC-based ARP attack detection feature and specify the filter handling method.

<Sysname> system-view

[Sysname] arp source-mac filter

arp source-mac aging-time

Use arp source-mac aging-time to set the aging time for ARP attack entries.

Use undo arp source-mac aging-time to restore the default.

Syntax

arp source-mac aging-time time

undo arp source-mac aging-time

Default

The aging time for ARP attack entries is 300 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds.

Examples

# Set the aging time for ARP attack entries to 60 seconds.

<Sysname> system-view

[Sysname] arp source-mac aging-time 60

arp source-mac exclude-mac

Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection.

Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection.

Syntax

arp source-mac exclude-mac mac-address&<1-n>

undo arp source-mac exclude-mac [ mac-address&<1-n> ]

Default

No MAC addresses are excluded from source MAC-based ARP attack detection.

Views

System view

Predefined user roles

network-admin

Parameters

mac-address&<1-n>: Specifies a MAC address list. The mac-address argument indicates an excluded MAC address in the format of H-H-H. &<1-n> indicates the number of excluded MAC addresses that you can configure. The value for n is 10.

Usage guidelines

If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.

Examples

# Exclude a MAC address from source MAC-based ARP attack detection.

<Sysname> system-view

[Sysname] arp source-mac exclude-mac 001e-1200-0213

arp source-mac threshold

Use arp source-mac threshold to set the threshold for source MAC-based ARP attack detection. If the number of ARP packets sent from a MAC address within 5 seconds exceeds this threshold, the device recognizes this as an attack.

Use undo arp source-mac threshold to restore the default.

Syntax

arp source-mac threshold threshold-value

undo arp source-mac threshold

Default

The threshold for source MAC-based ARP attack detection is 30.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range for this argument is 1 to 5000.

Examples

# Set the threshold for source MAC-based ARP attack detection to 30.

<Sysname> system-view

[Sysname] arp source-mac threshold 30

display arp source-mac

Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.

Syntax

In standalone mode:

display arp source-mac [ interface interface-type interface-number ]

In IRF mode:

display arp source-mac { interface interface-type interface-number | slot slot-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its ID. If you do not specify a member device, this command displays ARP attack entries for the master device. (In IRF mode.)

Examples

# Display the ARP attack entries detected by source MAC-based ARP attack detection on GigabitEthernet 1/0.

<Sysname> display arp source-mac interface gigabitethernet 1/0

Source-MAC          VLAN ID  Interface                Aging-time

23f3-1122-3344      4094     GE1/0                    10

Table 2 Command output

Field

Description

Source-MAC

Source MAC address of the attack.

VLAN ID

ID of the VLAN in which the attack was detected.

Interface

Interface on which the attack was detected.

Aging-time

Aging time for the ARP attack entry, in seconds.

 

ARP packet source MAC consistency check commands

arp valid-check enable

Use arp valid-check enable to enable ARP packet source MAC address consistency check.

Use undo arp valid-check enable to disable ARP packet source MAC address consistency check.

Syntax

arp valid-check enable

undo arp valid-check enable

Default

ARP packet source MAC address consistency check is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.

Examples

# Enable ARP packet source MAC address consistency check.

<Sysname> system-view

[Sysname] arp valid-check enable

ARP active acknowledgement commands

arp active-ack enable

Use arp active-ack enable to enable the ARP active acknowledgement feature.

Use undo arp active-ack enable to disable the ARP active acknowledgement feature.

Syntax

arp active-ack [ strict ] enable

undo arp active-ack [ strict ] enable

Default

The ARP active acknowledgement feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

strict: Enables strict mode for ARP active acknowledgement.

Usage guidelines

Configure this feature on gateways to prevent user spoofing.

Examples

# Enable the ARP active acknowledgement feature.

<Sysname> system-view

[Sysname] arp active-ack enable

Authorized ARP commands

arp authorized enable

Use arp authorized enable to enable authorized ARP on an interface.

Use undo arp authorized enable to disable authorized ARP on an interface.

Syntax

arp authorized enable

undo arp authorized enable

Default

Authorized ARP is disabled on the interface.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VLAN interface view

Reth interface view

Reth subinterface view

Predefined user roles

network-admin

Examples

# Enable authorized ARP on GigabitEthernet 1/0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] arp authorized enable

ARP scanning and fixed ARP commands

arp fixup

Use arp fixup to convert existing dynamic ARP entries to static ARP entries.

Syntax

arp fixup

Views

System view

Predefined user roles

network-admin

Usage guidelines

The ARP conversion is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.

The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries. Due to the device's limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.

The static ARP entries after conversion can include the following entries:

·     Existing dynamic and static ARP entries before conversion.

·     New dynamic ARP entries learned during the conversion.

Dynamic ARP entries that are aged out during the conversion are not converted to static ARP entries.

To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.

Examples

# Convert existing dynamic ARP entries to static ARP entries.

<Sysname> system-view

[Sysname] arp fixup

arp scan

Use arp scan to trigger an ARP scanning in an address range.

Syntax

arp scan [ start-ip-address to end-ip-address ]

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VLAN interface view

Reth interface view

Reth subinterface view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address of the scanning range.

end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.

Usage guidelines

ARP scanning automatically creates ARP entries for devices in the specified address range. IP addresses already in existing ARP entries are not scanned.

If the interface's primary and secondary IP addresses are in the address range, the sender IP address in the ARP request is the address on the smallest network segment.

If no address range is specified, the device learns ARP entries for devices on the subnet where the primary IP address of the interface resides. The sender IP address in the ARP requests is the primary IP address of the interface.

The start and end IP addresses must be on the same subnet as the primary IP address or secondary IP addresses of the interface.

ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

Examples

# Configure the device to scan neighbors on the network where the primary IP address of GigabitEthernet 1/0 resides.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] arp scan

# Configure the device to scan neighbors in an address range.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] arp scan 1.1.1.1 to 1.1.1.20