Login
- Table of Contents
-
- 12-Security Command Reference
- 00-Preface
- 01-DAE proxy commands
- 02-Password control commands
- 03-Keychain commands
- 04-Public key management commands
- 05-PKI commands
- 06-IPsec commands
- 07-SSH commands
- 08-SSL commands
- 09-Session management commands
- 10-Object group commands
- 11-Attack detection and prevention commands
- 12-IP-based attack prevention commands
- 13-IP source guard commands
- 14-ARP attack protection commands
- 15-ND attack defense commands
- 16-uRPF commands
- 17-SAVA commands
- 18-SAVA-P commands
- 19-Crypto engine commands
- 20-Trust level commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 14-ARP attack protection commands | 187.75 KB |
Contents
ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route probe-count
arp resolving-route probe-interval
display arp source-suppression
ARP packet rate limit commands
ARP SNMP notification commands
Source MAC-based ARP attack detection commands
display arp source-mac configuration
display arp source-mac statistics
reset arp source-mac statistics
ARP packet source MAC consistency check commands
display arp valid-check statistics
reset arp valid-check statistics
ARP active acknowledgement commands
Interface-based ARP attack suppression commands
arp attack-suppression check-interval
arp attack-suppression enable per-interface
arp attack-suppression suppression-time
arp attack-suppression threshold
display arp attack-suppression configuration
display arp attack-suppression per-interface
display arp attack-suppression per-interface interface
reset arp attack-suppression per-interface
reset arp attack-suppression per-interface statistics
ARP scanning and fixed ARP commands
ARP gateway protection commands
ARP sender IP address checking commands
Display and clear commands for dropped ARP packet statistics
display driver arp packet drop
ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route enable
Use arp resolving-route enable to enable ARP blackhole routing.
Use undo arp resolving-route enable to disable ARP blackhole routing.
Syntax
arp resolving-route enable
undo arp resolving-route enable
Default
ARP blackhole routing is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this command on the gateways.
Examples
# Enable ARP blackhole routing.
<Sysname> system-view
[Sysname] arp resolving-route enable
Related commands
arp resolving-route probe-count
arp resolving-route probe-interval
arp resolving-route probe-count
Use arp resolving-route probe-count to set the number of ARP blackhole route probes for each unresolved IP address.
Use undo arp resolving-route probe-count to restore the default.
Syntax
arp resolving-route probe-count count
undo arp resolving-route probe-count
Default
The device performs three ARP blackhole route probes for each unresolved IP address.
Views
System view
Predefined user roles
network-admin
Parameters
count: Sets the number of probes, in the range of 1 to 25.
Examples
# Configure the device to perform five ARP blackhole route probes for each unresolved IP address.
<Sysname> system-view
[Sysname] arp resolving-route probe-count 5
Related commands
arp resolving-route enable
arp resolving-route probe-interval
arp resolving-route probe-interval
Use arp resolving-route probe-interval to set the interval at which the device probes ARP blackhole routes.
Use undo arp resolving-route probe-interval to restore the default.
Syntax
arp resolving-route probe-interval interval
undo arp resolving-route probe-interval
Default
The device probes ARP blackhole routes every 1 second.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the probe interval in the range of 1 to 5 seconds.
Examples
# Configure the device to probe ARP blackhole routes every 3 seconds.
<Sysname> system-view
[Sysname] arp resolving-route probe-interval 3
Related commands
arp resolving-route enable
arp resolving-route probe-count
arp source-suppression enable
Use arp source-suppression enable to enable the ARP source suppression feature.
Use undo arp source-suppression enable to disable the ARP source suppression feature.
Syntax
arp source-suppression enable
undo arp source-suppression enable
Default
The ARP source suppression feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on the gateways.
Examples
# Enable the ARP source suppression feature.
<Sysname> system-view
[Sysname] arp source-suppression enable
Related commands
display arp source-suppression
arp source-suppression limit
Use arp source-suppression limit to set the maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.
Use undo arp source-suppression limit to restore the default.
Syntax
arp source-suppression limit limit-value
undo arp source-suppression limit
Default
The device can process a maximum of 10 unresolvable packets per source IP address within 5 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
limit-value: Specifies the limit in the range of 2 to 1024.
Usage guidelines
If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse.
Examples
# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
<Sysname> system-view
[Sysname] arp source-suppression limit 100
Related commands
display arp source-suppression
display arp source-suppression
Use display arp source-suppression to display information about the current ARP source suppression configuration.
Syntax
display arp source-suppression
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about the current ARP source suppression configuration.
<Sysname> display arp source-suppression
ARP source suppression is enabled
Current suppression limit: 100
Table 1 Command output
|
Field |
Description |
|
Current suppression limit |
Maximum number of unresolvable packets that can be processed per source IP address within 5 seconds. |
ARP packet rate limit commands
arp rate-limit
Use arp rate-limit to enable the ARP packet rate limit feature on an interface.
Use undo arp rate-limit to disable the ARP packet rate limit feature on an interface.
Syntax
arp rate-limit [ pps ]
undo arp rate-limit
Default
The ARP packet rate limit feature is disabled on an interface.
Views
Layer 3 Ethernet interface view
Layer 3 aggregate interface view
Predefined user roles
network-admin
Parameters
pps: Specifies the upper limit for ARP packet rate in pps. The value range for this argument is 5 to 200.
Usage guidelines
When the ARP packet rate limit feature is disabled, you can set the protocol packet rate limit by using the cp-rate-limit group command. If you execute both commands, the ARP packet rate limit set by using the arp rate-limit command takes priority. For more information about the cp-rate-limit group command, see "Attack detection and prevention commands."
Examples
# Enable the ARP packet rate limit feature on Layer 3 Ethernet interface Ten-GigabitEthernet 3/0/1, and set the maximum ARP packet rate to 50 pps.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] arp rate-limit 50
arp rate-limit log enable
Use arp rate-limit log enable to enable logging for ARP packet rate limit.
Use undo arp rate-limit log enable to disable logging for ARP packet rate limit.
Syntax
arp rate-limit log enable
undo arp rate-limit log enable
Default
Logging for ARP packet rate limit is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
When logging for ARP packet rate limit is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a log message to the information center. You can configure the information center module to set the log output rules. For more information about information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for ARP packet rate limit.
<Sysname> system-view
[Sysname] arp rate-limit log enable
arp rate-limit log interval
Use arp rate-limit log interval to set the notification and log message sending interval for ARP packet rate limit.
Use undo arp rate-limit log interval to restore the default.
Syntax
arp rate-limit log interval interval
undo arp rate-limit log interval
Default
The device sends notifications or log messages every 60 seconds when the rate of ARP packets received on an interface exceeds the limit.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies an interval in the range of 1 to 86400 seconds.
Usage guidelines
To change the default interval and activate it, you must enable ARP packet rate limit and enable sending notifications or log messages for ARP packet rate limit.
Examples
# Set the device to send notifications and log messages every 120 seconds when the rate of ARP packets received on an interface exceeds the limit.
<Sysname> system-view
[Sysname] arp rate-limit log interval 120
Related commands
arp rate-limit
arp rate-limit log enable
ARP SNMP notification commands
snmp-agent trap enable arp
Use snmp-agent trap enable arp to enable SNMP notifications for ARP.
Use undo snmp-agent trap enable arp to disable SNMP notifications for ARP.
Syntax
snmp-agent trap enable arp [ active-ack | arp-miss | entry-limit | local-conflict | rate-limit | user-ip-conflict | user-move ] *
undo snmp-agent trap enable arp [ active-ack | arp-miss | entry-limit | local-conflict | rate-limit | user-ip-conflict | user-move ] *
Default
SNMP notifications for ARP are disabled.
Views
System view
Predefined user roles
network-admin
Parameters
active-ack: Specifies ARP active acknowledgement notifications.
arp-miss: Specifies sending rate limit notifications for ARP Miss messages or ARP packets.
entry-limit: Specifies ARP entry limit notifications.
local-conflict: Specifies endpoints and local device conflict notifications.
rate-limit: Specifies ARP packet rate limit notifications.
user-ip-conflict: Specifies user IP address conflict notifications.
user-move: Specifies user port migration notifications.
Usage guidelines
Enable SNMP notifications for ARP as required.
· If you specify the active-ack keyword, the device sends a notification to the SNMP module when it does not establish an ARP entry because of the ARP active acknowledgement feature. The notification includes the sender IP and MAC addresses in the received ARP request.
· If you specify the arp-miss keyword, the device sends the highest threshold-crossed rate as a notification to the SNMP module.
· If you specify the entry-limit keyword, the device sends the current number of ARP entries as a notification to the SNMP module when the number of global ARP entries exceeds the alarm threshold.
· If you specify the local-conflict keyword, the device sends a notification to the SNMP module when an endpoint and local device conflict occurs. The notification includes the sender IP address, sender MAC address, target IP address, and target MAC address in the received ARP packet.
· If you specify the rate-limit keyword, the device sends the highest threshold-crossed rate as a notification to the SNMP module.
· If you specify the user-ip-conflict keyword, the device sends a notification to the SNMP module when a user IP address conflict occurs. The notification includes the sender IP and MAC addresses in the received ARP packet, and MAC address in the corresponding local ARP entry.
· If you specify the user-move keyword, the device sends a notification to the SNMP module when a user port migrates. The notification includes the IP address, MAC address, port before migration, and port after migration of the user.
For ARP event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
Examples
# Enable SNMP notifications for ARP active acknowledgement.
<Sysname> system-view
[Sysname] snmp-agent trap enable arp active-ack
Source MAC-based ARP attack detection commands
arp source-mac
Use arp source-mac to enable the source MAC-based ARP attack detection feature and specify an attack handling method.
Use undo arp source-mac to disable the source MAC-based ARP attack detection feature.
Syntax
arp source-mac { filter | monitor }
undo arp source-mac [ filter | monitor ]
Default
The source MAC-based ARP attack detection feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
filter: Specifies the filter handling method.
monitor: Specifies the monitor handling method.
Usage guidelines
Configure this feature on the gateways.
This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within the check interval exceeds a threshold, the device generates an ARP attack entry for the MAC address. Before the entry ages out, the device handles the attack by using either of the following methods:
· Monitor—Only generates log messages.
· Filter—Generates log messages and filters out subsequent ARP packets from the MAC address.
If you do not specify any attack handling method in the undo arp source-mac command, the command disables this feature.
Source MAC-based ARP attack detection checks the number of ARP packets delivered to the CPU on a per-slot basis. If the number of ARP packets received from the same MAC address within a check interval on a slot exceeds the threshold, the device determines that an attack has occurred.
Examples
# Enable the source MAC-based ARP attack detection feature and specify the filter handling method.
<Sysname> system-view
[Sysname] arp source-mac filter
arp source-mac aging-time
Use arp source-mac aging-time to set the aging time for ARP attack entries.
Use undo arp source-mac aging-time to restore the default.
Syntax
arp source-mac aging-time time
undo arp source-mac aging-time
Default
The aging time for ARP attack entries is 300 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds.
Examples
# Set the aging time for ARP attack entries to 60 seconds.
<Sysname> system-view
[Sysname] arp source-mac aging-time 60
arp source-mac check-interval
Use arp source-mac check-interval to set the check interval for source MAC-based ARP attack detection.
Use undo arp source-mac check-interval to restore the default.
Syntax
arp source-mac check-interval interval
undo arp source-mac check-interval
Default
The check interval for source MAC-based ARP attack detection is 5 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the check interval in seconds. The value range is 5 to 60.
Usage guidelines
The source MAC-based ARP attack detection feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within the check interval exceeds the threshold, the device generates an ARP attack entry for the MAC address.
If attacks occur frequently in your network, set a short check interval so that source MAC-based ARP attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the check interval for source MAC-based ARP attack detection to 30 seconds.
<Sysname> system-view
[Sysname] arp source-mac check-interval 30
Related commands
arp source-mac
display arp source-mac configuration
arp source-mac exclude-mac
Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection.
Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection.
Syntax
arp source-mac exclude-mac mac-address&<1-64>
undo arp source-mac exclude-mac [ mac-address&<1-64> ]
Default
No MAC addresses are excluded from source MAC-based ARP attack detection.
Views
System view
Predefined user roles
network-admin
Parameters
mac-address&<1-64>: Specifies a MAC address list. The mac-address argument indicates an excluded MAC address in the format of H-H-H. &<1-64> indicates the number of excluded MAC addresses that you can configure.
Usage guidelines
If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.
Examples
# Exclude a MAC address from source MAC-based ARP attack detection.
<Sysname> system-view
[Sysname] arp source-mac exclude-mac 001e-1200-0213
arp source-mac threshold
Use arp source-mac threshold to set the threshold for source MAC-based ARP attack detection. If the number of ARP packets sent from a MAC address within the check interval exceeds this threshold, the device recognizes this as an attack.
Use undo arp source-mac threshold to restore the default.
Syntax
arp source-mac threshold threshold-value
undo arp source-mac threshold
Default
The threshold is 30 for source MAC-based ARP attack detection.
Views
System view
Predefined user roles
network-admin
Parameters
threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range is 1 to 5000.
Examples
# Set the threshold for source MAC-based ARP attack detection to 30.
<Sysname> system-view
[Sysname] arp source-mac threshold 30
display arp source-mac
Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.
Syntax
display arp source-mac interface interface-type interface-number [ slot slot-number ] [ verbose ]
display arp source-mac { mac mac-address | vlan vlan-id } slot slot-number [ verbose ]
display arp source-mac slot slot-number [ count | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you specify a virtual interface, you can also specify a location on the device to display entries for the member physical interfaces that the virtual interface has at that location.
mac mac-address: Specifies a MAC address, in the format of H-H-H.
vlan vlan-id: Specifies a VLAN by its VLAN ID, in the range of 1 to 4094.
slot slot-number: Specifies a card by its slot number.
verbose: Displays the detailed information about source MAC-based ARP attack entries. If you do not specify this keyword, this command displays the brief information about the source MAC-based ARP attack entries.
count: Displays the number of ARP attack entries detected by source MAC-based ARP attack detection. If you do not specify this keyword, the command displays ARP attack entries detected by source MAC-based ARP attack detection.
Usage guidelines
The slot slot-number option is supported only when the interface interface-type interface-number option specifies a virtual interface.
Virtual interfaces can be Layer 2 aggregate interfaces, Layer 3 aggregate interfaces, and Layer 3 aggregate subinterfaces.
If you do not specify any parameters, the command displays all ARP attack entries.
Examples
# Display the ARP attack entries detected by source MAC-based ARP attack detection on Ten-GigabitEthernet 3/0/1.
<Sysname> display arp source-mac interface ten-gigabitethernet 3/0/1
Attack detection mode: Slot-based
Source MAC VLAN ID Interface Aging time (sec) Packets dropped
23f3-1122-3344 4094 XGE3/0/1 10 84467
# Display the number of source MAC-based ARP attack entries.
<Sysname> display arp source-mac slot 10 count
Attack detection mode: Slot-based
Total source MAC-based ARP attack detection entries: 1
# Display the detailed information about ARP attack entries detected by source MAC-based ARP attack detection on Ten-GigabitEthernet 3/0/1.
<Sysname> display arp source-mac interface ten-gigabitethernet 3/0/1 verbose
Attack detection mode: Slot-based
Source MAC: 0001-0001-0001
VLAN ID: 4094
Hardware status: Succeeded
Aging time: 10 seconds
Interface: Ten-GigabitEthernet3/0/1
Attack time: 2018/06/04 15:53:34
Packets dropped: 84467
Table 2 Command output
|
Field |
Description |
|
Attack detection mode |
Source MAC-based ARP attack detection mode, which is fixed at slot-based mode. In this mode, the device performs source MAC-based ARP attack detection on a per-slot basis. |
|
Source MAC |
Source MA address in the source MAC-based ARP attack entry. |
|
VLAN ID |
ID of the VLAN where the source MAC-based ARP attack is detected. |
|
Interface |
Interface where the source MAC-based ARP attack is detected. |
|
Aging time |
Remaining lifetime of the source MAC-based ARP attack entry, in seconds. |
|
Packets dropped |
Total number of packets dropped by source MAC-based ARP attack detection. If the packets dropped by source MAC-based ARP attack occurs on a Layer 2 Ethernet interface, packet drop statistics is not calculated and this field displays 1. |
|
Total source MAC-based ARP attack detection entries |
Total number of source MAC-based ARP attack entries. |
|
Hardware status |
Status of the source MAC-based ARP attack entry setting to hardware: · Succeeded · Failed · Not supported · Not enough resources |
|
Attack time |
Time when the source MAC-based ARP attack is detected. The formation of the time is YYYY/MM/DD HH:MM:SS. |
Related commands
reset arp source-mac
reset arp source-mac statistics
display arp source-mac configuration
Use display arp source-mac configuration to display the configuration for source MAC-based ARP attack detection.
Syntax
display arp source-mac configuration [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the configuration on the active MPU for source MAC-based ARP attack detection.
Examples
# Display the configuration for source MAC-based ARP attack detection.
<Sysname> display arp source-mac configuration slot 10
ARP source-mac is enabled.
Attack detection mode:Slot-based
Mode: Filter Check interval: 5 seconds
Threshold: 20 Aging time: 300 seconds
Table 3 Command output
|
Field |
Description |
|
Attack detection mode |
Source MAC-based ARP attack detection mode, which is fixed at slot-based mode. In this mode, the device performs source MAC-based ARP attack detection on a per-slot basis. |
|
ARP source-mac is enabled. |
The source MAC-based ARP attack detection is enabled. |
|
ARP source-mac is disabled. |
The source MAC-based ARP attack detection is disabled. |
|
Mode |
Source MAC-based ARP attack detection handling method: · Filter. · Monitor. |
|
Check interval |
Check interval of the source MAC-based ARP attack detection, in seconds. |
|
Threshold |
Threshold for source MAC-based ARP attack detection. |
|
Aging time |
Aging time of the source MAC-based ARP attack entry, in seconds. |
Related commands
arp source-mac
arp source-mac aging-time
arp source-mac check-interval
arp source-mac exclude-mac
arp source-mac threshold
display arp source-mac statistics
Use display arp source-mac statistics to display statistics for packets dropped by source MAC-based ARP attack detection.
Syntax
display arp source-mac statistics slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number.
Examples
# Display statistics for packets dropped by source MAC-based ARP attack detection.
<Sysname> display arp source-mac statistics slot 10
Dropped ARP packets:23321
Table 4 Command output
|
Field |
Description |
|
Dropped ARP packets |
Number of packets dropped by source MAC-based ARP attack detection. |
Related commands
arp source-mac
reset arp source-mac
Use reset arp source-mac to delete source MAC-based ARP attack entries.
Syntax
reset arp source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
mac mac-address: Specify a MAC address, in the format of H-H-H.
vlan vlan-id: Specifies a VLAN by its VLAN ID, in the range of 1 to 4094.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes the source MAC-based ARP attack entries on the active MPU.
Usage guidelines
If you do not specify any parameter, the command deletes all source MAC-based ARP attack entries on the device.
Examples
# Delete all source MAC-based ARP attack entries on the device.
<Sysname> reset arp source-mac
Related commands
display arp source-mac
reset arp source-mac statistics
Use reset arp source-mac statistics to clear statistics of packets dropped by source MAC-based ARP attack detection.
Syntax
reset arp source-mac statistics [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
mac mac-address: Specifies a MAC address, in the format of H-H-H.
vlan vlan-id: Specifies a VLAN by its VLAN ID, in the range of 1 to 4094.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics of dropped packets on the active MPU.
Usage guidelines
If you do not specify any parameter, the command clears all statistics of packets dropped by source MAC-based ARP attack detection.
Examples
# Clear all statistics of packets dropped by source MAC-based ARP attack detection.
<Sysname> reset arp source-mac statistics
Related commands
display arp source-mac statistics
ARP packet source MAC consistency check commands
arp valid-check enable
Use arp valid-check enable to enable ARP packet source MAC address consistency check.
Use undo arp valid-check enable to disable ARP packet source MAC address consistency check.
Syntax
arp valid-check enable
undo arp valid-check enable
Default
ARP packet source MAC address consistency check is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
Examples
# Enable ARP packet source MAC address consistency check.
<Sysname> system-view
[Sysname] arp valid-check enable
display arp valid-check statistics
Use display arp valid-check statistics to display statistics for packets dropped by ARP packet source MAC address consistency check.
Syntax
display arp valid-check statistics slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number.
Examples
# Display statistics for packets dropped by ARP packet source MAC address consistency check.
<Sysname> display arp valid-check statistics slot 10
Dropped ARP packets:23321
Table 5 Command output
|
Field |
Description |
|
Dropped ARP packets |
Number of packets dropped by ARP packet source MAC address consistency check. |
Related commands
arp valid-check enable
reset arp valid-check statistics
Use reset arp valid-check statistics to clear statistics for packets dropped by ARP packet source MAC address consistency check.
Syntax
reset arp valid-check statistics { all | slot slot-number }
Views
User view
Predefined user roles
network-admin
Parameters
all: Specifies all statistics for packets dropped by ARP packet source MAC address consistency check.
slot slot-number: Specifies a card by its slot number.
Examples
# Clear all statistics for packets dropped by ARP packet source MAC address consistency check.
<Sysname> reset arp valid-check statistics all
Related commands
display arp valid-check statistics
ARP active acknowledgement commands
arp active-ack enable
Use arp active-ack enable to enable the ARP active acknowledgement feature.
Use undo arp active-ack enable to disable the ARP active acknowledgement feature.
Syntax
arp active-ack [ strict ] enable
undo arp active-ack [ strict ] enable
Default
The ARP active acknowledgement feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
strict: Enables strict mode for ARP active acknowledgement.
Usage guidelines
Configure this feature on gateways to prevent user spoofing.
Examples
# Enable the ARP active acknowledgement feature.
<Sysname> system-view
[Sysname] arp active-ack enable
Interface-based ARP attack suppression commands
arp attack-suppression check-interval
Use arp attack-suppression check-interval to set the check interval for interface-based ARP attack suppression.
Use undo arp attack-suppression check-interval to restore the default.
Syntax
arp attack-suppression check-interval interval
undo arp attack-suppression check-interval
Default
The check interval for interface-based ARP attack suppression is 5 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the check interval in seconds. The value range is in the range of 5 to 60.
Usage guidelines
The interface-based ARP attack suppression feature monitors the number of ARP requests that each Layer 3 interface received within the check interval. If the number on an interface exceeds the ARP attack suppression threshold, the device creates an ARP attack suppression entry for the interface.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the check interval for interface-based ARP attack suppression to 30 seconds.
<Sysname> system-view
[Sysname] arp attack-suppression check-interval 30
Related commands
arp attack-suppression enable per-interface
arp attack-suppression enable per-interface
Use arp attack-suppression enable per-interface to enable interface-based ARP attack suppression.
Use undo arp attack-suppression enable per-interface to disable interface-based ARP attack suppression.
Syntax
arp attack-suppression enable per-interface
undo arp attack-suppression enable per-interface
Default
Interface-based ARP attack suppression is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this feature to rate limit ARP requests on each Layer 3 interface to prevent ARP spoofing attacks.
This feature monitors the number of ARP requests that each Layer 3 interface received within the check interval. If the number on an interface exceeds the ARP attack suppression threshold, the device creates an ARP attack suppression entry for the interface. Before the suppression time for the entry times out, the maximum receiving rate for ARP packets is limited on the interface.
During the suppression period, the device monitors the number of received ARP requests on the interface:
· If the number of the received ARP requests is higher than or equal to a calculated value, the device determines that the ARP attack still exists on the interface. When the suppression time expires, the device resets the suppression time for the entry and continues the ARP suppression on the interface.
The calculated value = (suppression time/check interval) × suppression threshold
· If the number of the received ARP requests is lower than the calculated value, the ARP suppression entry is deleted when the suppression time expires.
As a best practice, enable this feature on the gateway.
Examples
# Enable interface-based ARP attack suppression.
<Sysname> system-view
[Sysname] arp attack-suppression enable per-interface
Related commands
arp attack-suppression threshold
display arp attack-suppression per-interface
arp attack-suppression suppression-time
Use arp attack-suppression suppression-time to set the interface-based ARP attack suppression time.
Use undo arp attack-suppression suppression-time to restore the default.
Syntax
arp attack-suppression suppression-time time
undo arp attack-suppression suppression-time
Default
The interface-based ARP attack suppression time is 300 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
time: Specifies the suppression time in seconds. The value range is 60 to 6000.
Usage guidelines
When an interface-based ARP attack is detected on an interface, the device creates an ARP attack suppression entry for the interface, and starts the suppression time. Before the suppression time for the entry expires, the maximum receiving rate for ARP packets is limited on the interface.
During the suppression period, the device monitors the number of received ARP requests on the interface:
· If the number of the received ARP requests is higher than or equal to a calculated value, the device determines that the ARP attack still exists on the interface. When the suppression time expires, the device resets the suppression time for the entry and continues the ARP suppression on the interface.
The calculated value = (suppression time/check interval) × suppression threshold
· If the number of the received ARP requests is lower than the calculated value, the ARP suppression entry is deleted when the suppression time expires.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the interface-based ARP attack suppression time to 60 seconds.
<Sysname> system-view
[Sysname] arp attack-suppression suppression-time 60
Related commands
arp attack-suppression enable per-interface
arp attack-suppression threshold
Use arp attack-suppression threshold to set the threshold for triggering interface-based ARP attack suppression.
Use undo arp attack-suppression threshold to restore the default.
Syntax
arp attack-suppression threshold threshold-value
undo arp attack-suppression threshold
Default
The interface-based ARP attack suppression threshold is 1000.
Views
System view
Predefined user roles
network-admin
Parameters
threshold-value: Specifies the interface-based ARP attack suppression threshold in the range of 1 to 5000. This threshold defines the maximum number of ARP requests that can be received on an interface within the check interval.
Usage guidelines
When the number of ARP requests received on an interface within the check interval exceeds the threshold, the system determines that the interface is being attacked.
Examples
# Set the interface-based ARP attack suppression threshold to 3000.
<Sysname> system-view
[Sysname] arp attack-suppression threshold 3000
Related commands
arp attack-suppression enable per-interface
display arp attack-suppression per-interface
display arp attack-suppression configuration
Use display arp attack-suppression configuration to display the configuration of the interface-based ARP attack suppression.
Syntax
display arp attack-suppression configuration
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of the interface-based ARP attack suppression.
<Sysname> display arp attack-suppression configuration
ARP attack-suppression per-interface is enabled.
Check interval: 5 seconds Suppression time : 300 seconds
Threshold: 3000
<Sysname> display arp attack-suppression configuration
ARP attack-suppression per-interface is disabled.
Table 6 Command output
|
Field |
Description |
|
ARP attack-suppression per-interface is enabled. |
The interface-based ARP attack suppression is enabled. |
|
ARP attack-suppression per-interface is disabled. |
The interface-based ARP attack suppression is disabled. |
|
Check interval |
Check interval of the interface-based ARP attack suppression, in seconds. |
|
Suppression time |
Interface-based ARP attack suppression time in seconds. |
|
Threshold |
Threshold for triggering interface-based ARP attack suppression. |
Related commands
arp attack-suppression enable per-interface
display arp attack-suppression per-interface
Use display arp attack-suppression per-interface to display interface-based ARP attack suppression entries.
Syntax
display arp attack-suppression per-interface slot slot-number [ count | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
verbose: Displays the detailed information about interface-based ARP attack suppression entries. If you do not specify this keyword, this command displays brief information about interface-based ARP attack suppression entries.
slot slot-number: Specifies a card by its slot number.
count: Displays the number of interface-based ARP attack suppression entries. If you do not specify this keyword, the command displays interface-based ARP attack suppression entries.
Usage guidelines
If you do not specify any parameter, this command displays brief information about all interface-based ARP attack suppression entries.
Examples
# Display interface-based ARP attack suppression entries for the specified slot.
<Sysname> display arp attack-suppression per-interface slot 10
Interface Suppression time (second) Packets dropped
XGE3/0/1 200 84467
XGE3/0/2 140 38293
# Display the total number of interface-based ARP attack suppression entries for the specified slot.
<Sysname> display arp attack-suppression per-interface slot 10 count
Total ARP attack suppression entries: 2
# Display the detailed information about interface-based ARP attack suppression entries for the specified slot.
<Sysname> display arp attack-suppression per-interface slot 10 verbose
Interface: Ten-GigabitEthernet3/0/1
Suppression time: 200 seconds
Hardware status: Succeeded
Attack time: 2018/06/04 15:53:34
Packets dropped: 84467
Interface: Ten-GigabitEthernet3/0/2
Suppression time: 140 seconds
Hardware status: Succeeded
Attack time: 2018/06/04 14:53:34
Packets dropped: 38293
Table 7 Command output
|
Field |
Description |
|
Interface |
Interface in the ARP attack suppression entry. |
|
Suppression time (second) |
Remaining suppression time, in seconds. |
|
Packets dropped |
Total number of dropped packets. |
|
Total ARP attack suppression entries |
Total number of interface-based ARP attack suppression entries. |
|
Hardware status |
Status of the interface-based ARP attack entry setting to hardware: · Succeeded. · Failed. · Not supported. · Not enough resources. |
|
Suppression time |
Remaining suppression time in seconds. |
|
Attack time |
Time when the interface-based ARP attack is detected. The time format is YYYY/MM/DD HH:MM:SS. |
Related commands
reset arp attack-suppression per-interface
reset arp attack-suppression per-interface statistics
display arp attack-suppression per-interface interface
Use display arp attack-suppression per-interface interface to display interface-based ARP attack suppression entries on an interface.
Syntax
display arp attack-suppression per-interface interface interface-type interface-number [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
verbose: Displays detailed information about interface-based ARP attack suppression entries. If you do not specify this keyword, the command displays brief information about ARP attack suppression entries.
Examples
# Display interface-based ARP attack suppression entries on Ten-GigabitEthernet 3/0/1.
<Sysname> display arp attack-suppression per-interface interface ten-gigabitethernet 3/0/1
Interface Suppression time (second) Packets dropped
XGE3/0/1 200 84467
# Display detailed information about the interface-based ARP attack suppression entries on Ten-GigabitEthernet 3/0/1.
<Sysname> display arp attack-suppression per-interface interface ten-gigabitethernet 3/0/1 verbose
Interface: Ten-GigabitEthernet3/0/1
Suppression time: 200 seconds
Hardware status: Succeeded
Attack time: 2018/06/04 15:53:34
Packets dropped: 84467
Table 8 Command output
|
Field |
Description |
|
Interface |
Interface in ARP attack suppression. |
|
Suppression time (second) |
Remaining suppression time, in seconds. |
|
Packets dropped |
Total number of dropped packets. |
|
Hardware status |
Status of the interface-based ARP attack entry setting to hardware: · Succeeded. · Failed. · Not supported. · Not enough resources. |
|
Suppression time |
Remaining suppression time in seconds. |
|
Attack time |
Time when the interface-based ARP attack is detected. The time format is YYYY/MM/DD HH:MM:SS. |
Related commands
reset arp attack-suppression per-interface
reset arp attack-suppression per-interface statistics
reset arp attack-suppression per-interface
Use reset arp attack-suppression per-interface to delete interface-based ARP attack suppression entries.
Syntax
reset arp attack-suppression per-interface [ interface interface-type interface-number ] [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number.
Usage guidelines
If you do not specify any parameter, this command deletes all interface-based ARP attack suppression entries on the device.
Examples
# Delete all interface-based ARP attack suppression entries on the device.
<Sysname> reset arp attack-interface per-interface
Related commands
display arp attack-suppression per-interface
reset arp attack-suppression per-interface statistics
Use reset arp attack-suppression per-interface statistics to clear statistics of packets dropped by interface-based ARP attack suppression.
Syntax
reset arp attack-suppression per-interface statistics [ interface interface-type interface-number ] [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number.
Usage guidelines
After you execute this command, the value for the Packets dropped field from the output of the display arp attack-suppression per-interface command will be cleared.
If you do not specify any parameter, this command clears all statistics of packets dropped by interface-based ARP attack suppression.
Examples
# Clear all statistics of packets dropped by interface-based ARP attack suppression.
<Sysname> reset arp attack-interface per-interface statistics
Related commands
display arp attack-suppression per-interface
Authorized ARP commands
arp authorized enable
Use arp authorized enable to enable authorized ARP on an interface.
Use undo arp authorized enable to disable authorized ARP on an interface.
Syntax
arp authorized enable
undo arp authorized enable
Default
Authorized ARP is disabled on the interface.
Views
Layer 3 Ethernet interface view
Layer 3 Ethernet subinterface view
Layer 3 aggregate interface view
Layer 3 aggregate subinterface view
VSI interface view
VLAN interface view
Predefined user roles
network-admin
Examples
# Enable authorized ARP on Ten-GigabitEthernet 3/0/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] arp authorized enable
ARP scanning and fixed ARP commands
arp fixup
Use arp fixup to convert existing dynamic ARP entries to static ARP entries.
Use undo arp fixup to convert valid static ARP entries to dynamic ARP entries and delete invalid static ARP entries.
Syntax
arp fixup
undo arp fixup
Views
System view
Predefined user roles
network-admin
Usage guidelines
The ARP conversion is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.
The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries. Due to the device's limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.
The static ARP entries after conversion can include the following entries:
· Existing dynamic and static ARP entries before conversion.
· New dynamic ARP entries learned during the conversion.
Dynamic ARP entries that are aged out during the conversion are not converted to static ARP entries.
To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.
Examples
# Convert existing dynamic ARP entries to static ARP entries.
<Sysname> system-view
[Sysname] arp fixup
This command will convert existing dynamic ARP entries to static ARP entries. Continue? [Y/N]:Y
Fixup ARP. Please wait...
Fixup is complete.
arp scan
Use arp scan to trigger an ARP scanning in an address range.
Syntax
arp scan [ start-ip-address to end-ip-address ]
Views
Layer 3 Ethernet interface view
Layer 3 Ethernet subinterface view
Layer 3 aggregate interface view
Layer 3 aggregate subinterface view
VSI interface view
VLAN interface view
Predefined user roles
network-admin
Parameters
start-ip-address: Specifies the start IP address of the scanning range.
end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.
Usage guidelines
|
|
CAUTION: ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated. |
ARP scanning automatically creates ARP entries for devices in the specified address range. IP addresses already in existing ARP entries are not scanned.
If the interface's primary and secondary IP addresses are in the address range, the sender IP address in the ARP request is the address on the smallest network segment.
If no address range is specified, the device learns ARP entries for devices on the subnet where the primary IP address of the interface resides. The sender IP address in the ARP requests is the primary IP address of the interface.
The start and end IP addresses must be on the same subnet as the primary IP address or secondary IP addresses of the interface.
Examples
# Configure the device to scan neighbors on the network where the primary IP address of Ten-GigabitEthernet 3/0/1 resides.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] arp scan
# Configure the device to scan neighbors in an address range.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] arp scan 1.1.1.1 to 1.1.1.20
ARP gateway protection commands
arp filter source
Use arp filter source to enable ARP gateway protection for a gateway.
Use undo arp filter source to disable ARP gateway protection for a gateway.
Syntax
arp filter source ip-address
undo arp filter source ip-address
Default
ARP gateway protection is disabled.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
ip-address: Specifies the IP address of a protected gateway.
Usage guidelines
You can enable ARP gateway protection for a maximum of eight gateways on an interface.
You cannot configure both the arp filter source and arp filter binding commands on the same interface.
Examples
# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] arp filter source 1.1.1.1
ARP filtering commands
arp filter binding
Use arp filter binding to enable ARP filtering and configure an ARP permitted entry.
Use undo arp filter binding to remove an ARP permitted entry.
Syntax
arp filter binding ip-address mac-address
undo arp filter binding ip-address
Default
ARP filtering is disabled.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
ip-address: Specifies a permitted sender IP address.
mac-address: Specifies a permitted sender MAC address.
Usage guidelines
If the sender IP and MAC addresses of an ARP packet match an ARP permitted entry, the ARP packet is permitted. If the sender IP and MAC addresses of an ARP packet do not match an ARP permitted entry, the ARP packet is discarded.
You can configure a maximum of eight ARP permitted entries on an interface.
You cannot configure both the arp filter source and arp filter binding commands on the same interface.
Examples
# Enable ARP filtering and configure an ARP permitted entry.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] arp filter binding 1.1.1.1 0e10-0213-1023
ARP sender IP address checking commands
arp sender-ip-range
Use arp sender-ip-range to enable the ARP sender IP address checking feature and specify the IP address range.
Use undo arp sender-ip-range to disable the ARP sender IP address checking feature.
Syntax
arp sender-ip-range start-ip-address end-ip-address
undo arp sender-ip-range
Default
The ARP sender IP address checking feature is disabled.
Views
VLAN view
Predefined user roles
network-admin
Parameters
start-ip-address: Specifies the start IP address.
end-ip-address: Specifies the end IP address. The end IP address must be higher than or equal to the start IP address.
Usage guidelines
This feature enables a device to discard an ARP packet if its sender IP address is not within the specified IP address range.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable the ARP sender IP address checking feature in VLAN 2 and specify the IP address range 1.1.1.1 to 1.1.1.20.
<Sysname> system-view
[Sysname] vlan 2
[Sysname–vlan2] arp sender-ip-range 1.1.1.1 1.1.1.20
Display and clear commands for dropped ARP packet statistics
display driver arp packet drop
Use display driver arp packet drop to display statistics for dropped ARP packets.
Syntax
display driver arp packet drop slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number.
Usage guidelines
Use this command to display the number of ARP requests dropped because of rate limit for packets sent by hardware.
Examples
# Display statistics for dropped ARP packets in slot 10.
<Sysname> display driver arp packet drop slot 10
Dropped by arp ratelimit: 0
Dropped by arp attack: 0
Table 9 Command output
|
Field |
Description |
|
Dropped by arp ratelimit |
Number of packets dropped because of rate limit for packets sent by hardware. |
|
Dropped by arp attack |
Number of packets dropped because of the ARP attack. The value is always 0. |
Related commands
reset driver arp packet drop
reset driver arp packet drop
Use reset driver arp packet drop to clear statistics for dropped ARP packets.
Syntax
reset driver arp packet drop slot slot-number
Views
User view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number.
Examples
# Clear statistics for dropped ARP packets on slot 10.
<Sysname> reset driver arp packet drop slot 10
Related commands
display driver arp packet drop
