11-Security Command Reference


ARP attack protection commands

Unresolvable IP attack protection commands

arp resolving-route enable

Use arp resolving-route enable to enable ARP blackhole routing.

Use undo arp resolving-route enable to disable ARP blackhole routing.

Syntax

arp resolving-route enable

undo arp resolving-route enable

Default

ARP blackhole routing is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this command on the gateways.

Examples

# Enable ARP blackhole routing.

<Sysname> system-view

[Sysname] arp resolving-route enable

Related commands

arp resolving-route probe-count

arp resolving-route probe-interval

arp resolving-route probe-count

Use arp resolving-route probe-count to set the number of ARP blackhole route probes for each unresolved IP address.

Use undo arp resolving-route probe-count to restore the default.

Syntax

arp resolving-route probe-count count

undo arp resolving-route probe-count

Default

The device performs three ARP blackhole route probes for each unresolved IP address.

Views

System view

Predefined user roles

network-admin

Parameters

count: Sets the number of probes, in the range of 1 to 25.

Examples

# Configure the device to perform five ARP blackhole route probes for each unresolved IP address.

<Sysname> system-view

[Sysname] arp resolving-route probe-count 5

Related commands

arp resolving-route enable

arp resolving-route probe-interval

arp resolving-route probe-interval

Use arp resolving-route probe-interval to set the interval at which the device probes ARP blackhole routes.

Use undo arp resolving-route probe-interval to restore the default.

Syntax

arp resolving-route probe-interval interval

undo arp resolving-route probe-interval

Default

The device probes ARP blackhole routes every 1 second.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the probe interval in the range of 1 to 5 seconds.

Examples

# Configure the device to probe ARP blackhole routes every 3 seconds.

<Sysname> system-view

[Sysname] arp resolving-route probe-interval 3

Related commands

arp resolving-route enable

arp resolving-route probe-count

arp source-suppression enable

Use arp source-suppression enable to enable the ARP source suppression feature.

Use undo arp source-suppression enable to disable the ARP source suppression feature.

Syntax

arp source-suppression enable

undo arp source-suppression enable

Default

The ARP source suppression feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this feature on the gateways.

Examples

# Enable the ARP source suppression feature.

<Sysname> system-view

[Sysname] arp source-suppression enable

Related commands

display arp source-suppression

arp source-suppression limit

Use arp source-suppression limit to set the maximum number of unresolvable IP packets (packets whose next hop cannot be resolved by ARP) that can be processed per source IP address within 5 seconds.

Use undo arp source-suppression limit to restore the default.

Syntax

arp source-suppression limit limit-value

undo arp source-suppression limit

Default

The device can process a maximum of 10 unresolvable packets per source IP address within 5 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

limit-value: Specifies the limit in the range of 2 to 1024.

Usage guidelines

If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse.

Examples

# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.

<Sysname> system-view

[Sysname] arp source-suppression limit 100

Related commands

display arp source-suppression

display arp source-suppression

Use display arp source-suppression to display information about the current ARP source suppression configuration.

Syntax

display arp source-suppression

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression

 ARP source suppression is enabled

 Current suppression limit: 100

Table 1 Command output

Field                      | Description
Current suppression limit  | Maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.

ARP packet rate limit commands

arp rate-limit

Use arp rate-limit to enable the ARP packet rate limit feature on an interface.

Use undo arp rate-limit to disable the ARP packet rate limit feature on an interface.

Syntax

arp rate-limit [ pps ]

undo arp rate-limit

Default

The ARP packet rate limit feature is enabled on an interface.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Predefined user roles

network-admin

Parameters

pps: Specifies the upper limit for ARP packet rate in pps. The value range for this argument is 5 to 2000.

Usage guidelines

If you do not specify a value for the pps argument in the arp rate-limit command, the default rate limit value applies. Packets that exceed the rate limit are discarded.

Examples

# Enable the ARP packet rate limit feature on Twenty-FiveGigE 1/0/1, and set the maximum ARP packet rate to 50 pps.

<Sysname> system-view

[Sysname] interface twenty-fivegige 1/0/1

[Sysname-Twenty-FiveGigE1/0/1] arp rate-limit 50

arp rate-limit log enable

Use arp rate-limit log enable to enable logging for ARP packet rate limit.

Use undo arp rate-limit log enable to disable logging for ARP packet rate limit.

Syntax

arp rate-limit log enable

undo arp rate-limit log enable

Default

Logging for ARP packet rate limit is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When logging for ARP packet rate limit is enabled, the device records the highest ARP packet rate that crossed the limit on an interface within each sending interval and reports it in a log message to the information center. You can configure the information center module to set the log output rules. For more information about the information center, see System Management Configuration Guide.

Examples

# Enable logging for ARP packet rate limit.

<Sysname> system-view

[Sysname] arp rate-limit log enable
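The two window counters described in this chapter, per-source-IP suppression of unresolvable packets within 5 seconds (arp source-suppression limit) and the per-interface ARP pps limit whose highest threshold-crossed rate is reported once per log interval (arp rate-limit and arp rate-limit log enable), modelled in Python. This is an added example, not code from the original page or from H3C: the page supplies the limits, the 5-second window and the log contents, while the 1-second buckets, the packet timestamps, the message wording and the constructed traffic in run_demo are this example's own assumptions. The page does not state the default pps limit, so ArpRateLimiter requires it explicitly.

```python
"""Window counters modelled on 'arp source-suppression limit' and
'arp rate-limit' / 'arp rate-limit log enable' from this chapter.

Added example, not H3C code. Fixed 1-second and 5-second windows keyed on
packet timestamps, and the log wording, are this example's design.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

SUPPRESSION_WINDOW_S = 5          # the suppression limit counts per 5 seconds (from the page)
DEFAULT_SUPPRESSION_LIMIT = 10    # default limit-value (from the page)


class SourceSuppression:
    """Cap the unresolvable IP packets processed per source IP in each 5 s window."""

    def __init__(self, limit: int = DEFAULT_SUPPRESSION_LIMIT):
        if not 2 <= limit <= 1024:
            raise ValueError("limit-value must be in the range 2 to 1024")
        self.limit = limit
        self._seen: Dict[Tuple[str, int], int] = defaultdict(int)

    def process(self, src_ip: str, t: float) -> bool:
        """True if the packet is processed; False if dropped until the window ends."""
        key = (src_ip, int(t // SUPPRESSION_WINDOW_S))
        self._seen[key] += 1
        return self._seen[key] <= self.limit


class ArpRateLimiter:
    """Per-interface ARP pps limit: excess packets are discarded, and the
    highest rate that crossed the limit is kept for the next log message."""

    def __init__(self, pps: int, log_interval: int = 60):
        if not 5 <= pps <= 2000:
            raise ValueError("pps must be in the range 5 to 2000")
        if not 1 <= log_interval <= 86400:
            raise ValueError("log interval must be in the range 1 to 86400 seconds")
        self.pps = pps
        self.log_interval = log_interval
        self._count: Dict[Tuple[str, int], int] = defaultdict(int)   # (interface, second) -> packets
        self._peak: Dict[str, int] = {}   # interface -> highest threshold-crossed rate this interval
        self.dropped = 0

    def receive(self, iface: str, t: float) -> bool:
        """True if the ARP packet is accepted, False if it exceeds the limit and is discarded."""
        key = (iface, int(t))
        self._count[key] += 1
        n = self._count[key]
        if n > self.pps:
            self.dropped += 1
            self._peak[iface] = max(self._peak.get(iface, 0), n)
            return False
        return True

    def flush_log(self) -> List[str]:
        """Called once per log interval: one message per interface that crossed the limit, then reset."""
        msgs = [f"Interface {iface}: ARP packet rate {rate} pps exceeded the limit of {self.pps} pps"
                for iface, rate in sorted(self._peak.items())]
        self._peak.clear()
        return msgs


def run_demo() -> dict:
    """Constructed traffic: 120 ARP packets in second 0 and 20 in second 1 on one
    interface limited to 50 pps; one host sending 25 unresolvable packets in
    2.5 s and 3 more after the 5 s window has rolled over (limit 10)."""
    rl = ArpRateLimiter(pps=50, log_interval=60)
    accepted = sum(rl.receive("Twenty-FiveGigE1/0/1", i / 120) for i in range(120))
    accepted += sum(rl.receive("Twenty-FiveGigE1/0/1", 1.0 + i / 20) for i in range(20))
    logs = rl.flush_log()

    ss = SourceSuppression(limit=10)
    first = sum(ss.process("10.0.0.9", i * 0.1) for i in range(25))
    later = sum(ss.process("10.0.0.9", 5.5 + i * 0.1) for i in range(3))
    return {"arp_accepted": accepted, "arp_dropped": rl.dropped, "logs": logs,
            "suppressed_first_window": 25 - first, "processed_after_window": later}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

In the demo the flood second accepts exactly 50 of 120 packets and the quiet second passes all 20, so 70 are accepted and 70 discarded, and the single log line carries the peak of 120 pps rather than a count of drops; the suppressed host gets 10 packets processed in its first window, loses 15, and is served again once the 5 seconds elapse.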

arp rate-limit log interval

Use arp rate-limit log interval to set the notification and log message sending interval for ARP packet rate limit.

Use undo arp rate-limit log interval to restore the default.

Syntax

arp rate-limit log interval interval

undo arp rate-limit log interval

Default

The device sends notifications or log messages every 60 seconds when the rate of ARP packets received on an interface exceeds the limit.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies an interval in the range of 1 to 86400 seconds.

Usage guidelines

To change the default interval and activate it, you must enable ARP packet rate limit and enable sending notifications or log messages for ARP packet rate limit.

Examples

# Set the device to send notifications and log messages every 120 seconds when the rate of ARP packets received on an interface exceeds the limit.

<Sysname> system-view

[Sysname] arp rate-limit log interval 120

Related commands

arp rate-limit

arp rate-limit log enable

snmp-agent trap enable arp

snmp-agent trap enable arp

Use snmp-agent trap enable arp to enable SNMP notifications for ARP.

Use undo snmp-agent trap enable arp to disable SNMP notifications for ARP.

Syntax

snmp-agent trap enable arp [ rate-limit ]

undo snmp-agent trap enable arp [ rate-limit ]

Default

SNMP notifications for ARP are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

rate-limit: Specifies the ARP packet rate limit feature.

Usage guidelines

After you enable SNMP notifications for ARP, the device generates a notification that includes the highest threshold-crossed ARP packet rate within the sending interval.

For ARP event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable SNMP notifications for ARP packet rate limit.

<Sysname> system-view

[Sysname] snmp-agent trap enable arp rate-limit

ARP packet source MAC consistency check commands

arp valid-check enable

Use arp valid-check enable to enable ARP packet source MAC address consistency check.

Use undo arp valid-check enable to disable ARP packet source MAC address consistency check.

Syntax

arp valid-check enable

undo arp valid-check enable

Default

ARP packet source MAC address consistency check is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.

Examples

# Enable ARP packet source MAC address consistency check.

<Sysname> system-view

[Sysname] arp valid-check enable

display arp valid-check statistics

Use display arp valid-check statistics to display statistics for packets dropped by ARP packet source MAC address consistency check.

Syntax

display arp valid-check statistics slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies the slot number of the device, which is fixed at 1.

Examples

# Display statistics for packets dropped by ARP packet source MAC address consistency check in the specified slot.

<Sysname> display arp valid-check statistics slot 1

Dropped ARP packets: 23321

Table 2 Command output

Field                | Description
Dropped ARP packets  | Number of packets dropped by ARP packet source MAC address consistency check.

Related commands

arp valid-check enable

reset arp valid-check statistics

Use reset arp valid-check statistics to clear statistics for packets dropped by ARP packet source MAC address consistency check.

Syntax

reset arp valid-check statistics

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all statistics for packets dropped by ARP packet source MAC address consistency check.

slot slot-number: Specifies the slot number of the device, which is fixed at 1.

Examples

# Clear statistics for packets dropped by ARP packet source MAC address consistency check.

<Sysname> reset arp valid-check statistics

Related commands

display arp valid-check statistics

ARP active acknowledgement commands

arp active-ack enable

Use arp active-ack enable to enable the ARP active acknowledgement feature.

Use undo arp active-ack enable to disable the ARP active acknowledgement feature.

Syntax

arp active-ack [ strict ] enable

undo arp active-ack [ strict ] enable

Default

The ARP active acknowledgement feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

strict: Enables strict mode for ARP active acknowledgement.

Usage guidelines

Configure this feature on gateways to prevent user spoofing, in which an attacker sends ARP packets that impersonate a legitimate user so that the gateway's ARP entry for that user is modified.

Examples

# Enable the ARP active acknowledgement feature.

<Sysname> system-view

[Sysname] arp active-ack enable

ARP scanning and fixed ARP commands

arp fixup

Use arp fixup to convert existing dynamic ARP entries to static ARP entries.

Use undo arp fixup to convert valid static ARP entries to dynamic ARP entries and delete invalid static ARP entries.

Syntax

arp fixup

undo arp fixup

Views

System view

Predefined user roles

network-admin

Usage guidelines

The ARP conversion is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.

The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries. Due to the device's limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.

The static ARP entries after conversion can include the following entries:

·     Existing dynamic and static ARP entries before conversion.

·     New dynamic ARP entries learned during the conversion.

Dynamic ARP entries that are aged out during the conversion are not converted to static ARP entries.

To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.

Examples

# Convert existing dynamic ARP entries to static ARP entries.

<Sysname> system-view

[Sysname] arp fixup

arp scan

Use arp scan to trigger an ARP scanning in an address range.

Syntax

arp scan [ start-ip-address to end-ip-address ]

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

VSI interface view

VLAN interface view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address of the scanning range.

end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.

Usage guidelines

CAUTION:

ARP scanning will take some time and occupy a lot of system and network resources. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

ARP scanning automatically creates ARP entries for devices in the specified address range. IP addresses already in existing ARP entries are not scanned.

If both the primary and secondary IP addresses of the interface are in the address range, the sender IP address in the ARP requests is the address whose subnet has the longest mask (the smallest network segment).

If no address range is specified, the device learns ARP entries for devices on the subnet where the primary IP address of the interface resides. The sender IP address in the ARP requests is the primary IP address of the interface.

The start and end IP addresses must be on the same subnet as the primary IP address or secondary IP addresses of the interface.

Examples

# Configure the device to scan the neighbors on the network where the primary IP address of VLAN-interface 2 resides.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp scan

# Configure the device to scan neighbors in an address range.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp scan 1.1.1.1 to 1.1.1.20

arp scan auto enable

Use arp scan auto enable to enable automatic ARP scanning in a specified address range on an interface.

Use undo arp scan auto enable to clear all or specified ARP scanning ranges for subnets on an interface.

Syntax

arp scan auto enable [ start-ip-address to end-ip-address [ source-addr source-ip-address ] ]

undo arp scan auto enable [ start-ip-address to end-ip-address ]

Default

Automatic ARP scanning is disabled on an interface.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

VSI interface view

VLAN interface view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address of the scanning range.

to end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address. The maximum number of IP addresses in the IP range is 65535.

source-addr source-ip-address: Specifies the source address for the ARP requests. The source-ip-address argument can be any valid IP address. If you do not specify this option, the interface uses its own IP address as the source address of the ARP requests.

Usage guidelines

Automatic ARP scanning enables an interface to keep its ARP entries up to date. It automatically sends ARP requests to the IP addresses in the specified address range to create ARP entries for them. IP addresses that already have ARP entries are not scanned again.

If you know the IP address range assigned to the neighbors on the LAN, you can specify the assigned IP address range as the ARP scanning range to shorten the scanning waiting time. You can use this command to specify a maximum of 16 scanning ranges for different subnets. The subnet addresses for each scanning range cannot overlap with each other.

If you specify the ARP scanning range without specifying the source address for sending ARP requests, the interface scans the IP address intersection of the scanning range and the subnet of the interface. If the interface is configured with multiple subnet addresses that intersect with the scanning range, the source address for the ARP requests is the IP address with the longest subnet mask. If the subnet masks are of the same length, the source address is the primary IP address for the interface. If all IP addresses in the scanning range are on the same subnet of the interface, the source address is that subnet IP address.

If you specify the ARP scanning range and source address for the sending ARP requests, the interface scans all IP addresses in the scanning range without considering the subnet addresses of the interface.

If the ARP scanning range is not specified, the interface scans neighbors on the subnets where the primary IP address and secondary IP addresses of the interface reside. The source IP addresses for the ARP requests are the primary IP address and secondary IP addresses for the interface.

You can set the ARP request sending rate by using the arp scan auto send-rate command.

If you trigger ARP scanning with arp scan on an interface where automatic ARP scanning is enabled, both take effect. As a best practice, enable automatic ARP scanning only on networks where users come online and go offline frequently.

Examples

# Configure the device to automatically scan the neighbors on the network where the primary IP address of VLAN-interface 2 resides.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp scan auto enable

Related commands

arp scan auto send-rate
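The target and sender-address selection rules in the arp scan auto enable usage guidelines above (intersection with the interface subnets when no source is given, longest mask then primary address as tie-breaker, the whole range when source-addr is given, every interface subnet when no range is given, the 65535-address cap), worked through in Python. This is an added example, not code from the original page or from H3C: scan_plan, IfaceAddr and iface are this example's names, and skipping each subnet's network and broadcast addresses, the interface's own addresses and addresses passed in known is this example's reading of "IP addresses that already have ARP entries are not scanned"; the page does not say how the device treats network and broadcast addresses.

```python
"""Target and sender-address selection for automatic ARP scanning, following
the rules in the 'arp scan auto enable' usage guidelines.

Added example, not H3C code. Skipping network/broadcast addresses, the
interface's own addresses and already-known addresses is this example's choice.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
MAX_RANGE = 65535   # maximum number of addresses in one scanning range (from the page)


@dataclass(frozen=True)
class IfaceAddr:
    """One IP address configured on the interface, e.g. 10.1.1.1/24."""
    addr: ipaddress.IPv4Interface
    primary: bool = False

    @property
    def ip(self) -> IPv4:
        return self.addr.ip

    @property
    def network(self) -> ipaddress.IPv4Network:
        return self.addr.network


def iface(cidr: str, primary: bool = False) -> IfaceAddr:
    """Convenience constructor from 'a.b.c.d/len' notation."""
    return IfaceAddr(ipaddress.IPv4Interface(cidr), primary)


def _usable(ip: IPv4, net: ipaddress.IPv4Network) -> bool:
    """Host addresses only: skip the network and broadcast address of net."""
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def _expand(start: IPv4, end: IPv4) -> List[IPv4]:
    """All addresses from start to end inclusive, enforcing the page's limits."""
    if end < start:
        raise ValueError("end IP must be higher than or equal to start IP")
    count = int(end) - int(start) + 1
    if count > MAX_RANGE:
        raise ValueError(f"range holds {count} addresses, the limit is {MAX_RANGE}")
    return [IPv4(int(start) + i) for i in range(count)]


def scan_plan(addrs: List[IfaceAddr], start=None, end=None, source=None,
              known: Iterable = ()) -> List[Tuple[IPv4, List[IPv4]]]:
    """Return [(sender IP for the ARP requests, [target IPs])], one tuple per sender used."""
    skip = {a.ip for a in addrs} | {IPv4(k) for k in known}
    if start is None:
        # No range: scan the subnet of every interface address, sourced from that address.
        return [(a.ip, [h for h in a.network.hosts() if h not in skip]) for a in addrs]
    if end is None:
        raise ValueError("a scanning range needs both a start and an end IP address")
    rng = _expand(IPv4(start), IPv4(end))
    if source is not None:
        # source-addr given: scan the whole range without consulting the interface subnets.
        return [(IPv4(source), [ip for ip in rng if ip not in skip])]
    # No source given: only the part of the range inside the interface's subnets is scanned.
    cands = [a for a in addrs if any(ip in a.network for ip in rng)]
    if not cands:
        raise ValueError("the range must be on the same subnet as an interface address")
    # Longest subnet mask wins; on a tie, the primary address wins.
    src = max(cands, key=lambda a: (a.network.prefixlen, a.primary))
    targets = [ip for ip in rng if ip not in skip and any(_usable(ip, a.network) for a in cands)]
    return [(src.ip, targets)]


if __name__ == "__main__":
    vlan2 = [iface("10.1.1.1/24", primary=True), iface("10.1.2.1/25")]
    for sender, targets in scan_plan(vlan2, "10.1.1.250", "10.1.2.5"):
        print(f"sender {sender}: {len(targets)} targets, first {targets[0]}, last {targets[-1]}")
```

With the two addresses in the example, a range of 10.1.1.250 to 10.1.2.5 intersects both subnets, so the /25 address 10.1.2.1 is chosen as sender and nine usable targets remain once 10.1.1.255, 10.1.2.0 and the interface's own 10.1.2.1 are dropped.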

arp scan auto send-rate

Use arp scan auto send-rate to set the ARP packet sending rate for automatic ARP scanning.

Use undo arp scan auto send-rate to restore the default.

Syntax

arp scan auto send-rate { ppm ppm | pps }

undo arp scan auto send-rate

Default

The device sends ARP packets at the rate of 48 pps during automatic ARP scanning.

Views

System view

Predefined user roles

network-admin

Parameters

ppm ppm: Specifies the ARP packet sending rate, in packets per minute (ppm). The value range for the ppm argument is 10 to 600, and the value must be a multiple of 10.

pps: Specifies the ARP packet sending rate, in packets per second (pps). The value range for the pps argument is 10 to 1000, and the value must be a multiple of 10.

Usage guidelines

You can set the ARP packet sending rate if the scanning range has a large number of IP addresses. This setting can avoid high CPU usage and heavy network load caused by a burst of ARP traffic.

When you set the sending rate to a large value, the device might use a rate lower than the specified rate to ensure the device performance.

Examples

# Set the ARP packet sending rate to 10 pps during automatic ARP scanning.

<Sysname> system-view

[Sysname] arp scan auto send-rate 10

Related commands

arp scan auto enable

ARP gateway protection commands

arp filter source

Use arp filter source to enable ARP gateway protection for a gateway.

Use undo arp filter source to disable ARP gateway protection for a gateway.

Syntax

arp filter source ip-address

undo arp filter source ip-address

Default

ARP gateway protection is disabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of a protected gateway.

Usage guidelines

You can enable ARP gateway protection for a maximum of eight gateways on an interface.

You cannot configure both the arp filter source and arp filter binding commands on the same interface.

Examples

# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.

<Sysname> system-view

[Sysname] interface twenty-fivegige 1/0/1

[Sysname-Twenty-FiveGigE1/0/1] arp filter source 1.1.1.1

ARP filtering commands

arp filter binding

Use arp filter binding to enable ARP filtering and configure an ARP permitted entry.

Use undo arp filter binding to remove an ARP permitted entry.

Syntax

arp filter binding ip-address mac-address

undo arp filter binding ip-address

Default

ARP filtering is disabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies a permitted sender IP address.

mac-address: Specifies a permitted sender MAC address.

Usage guidelines

If the sender IP and MAC addresses of an ARP packet match an ARP permitted entry, the ARP packet is permitted. If the sender IP and MAC addresses of an ARP packet do not match an ARP permitted entry, the ARP packet is discarded.

You can configure a maximum of eight ARP permitted entries on an interface.

You cannot configure both the arp filter source and arp filter binding commands on the same interface.

Examples

# Enable ARP filtering and configure an ARP permitted entry.

<Sysname> system-view

[Sysname] interface twenty-fivegige 1/0/1

[Sysname-Twenty-FiveGigE1/0/1] arp filter binding 1.1.1.1 0e10-0213-1023

ARP packet sender IP address checking commands

arp sender-ip-range

Use arp sender-ip-range to specify the sender IP address range for ARP packet checking.

Use undo arp sender-ip-range to restore the default.

Syntax

arp sender-ip-range start-ip-address end-ip-address

undo arp sender-ip-range

Default

No sender IP address range is specified for ARP packet checking.

Views

VLAN view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address.

end-ip-address: Specifies the end IP address. The end IP address must be higher than or equal to the start IP address.

Usage guidelines

The gateway discards an ARP packet if its sender IP address is not within the allowed IP address range.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the sender IP address range 1.1.1.1 to 1.1.1.20 for ARP packet checking in VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp sender-ip-range 1.1.1.1 1.1.1.20
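The per-packet checks that the commands in this and the three preceding sections describe (arp valid-check enable, arp filter source, arp filter binding and arp sender-ip-range), applied to raw Ethernet/ARP frames in Python. This is an added example, not code from the original page or from H3C: build_arp constructs the sample frames, Policy and check_arp are this example's names, the order of the checks is this example's choice, and reading gateway protection as "drop ARP packets whose sender IP address is a protected gateway address" is an assumption about semantics that the arp filter source entry above does not spell out.

```python
"""Gateway/access-port ARP packet checks modelled on 'arp valid-check enable',
'arp filter source', 'arp filter binding' and 'arp sender-ip-range'.

Added example, not H3C code. Frame layout is Ethernet II + ARP. The check
order and the gateway-protection drop rule are this example's assumptions.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
MAX_ENTRIES = 8                         # per-interface limit for both filter commands (from the page)


def mac_str(b: bytes) -> str:
    """Render 6 bytes in the xxxx-xxxx-xxxx notation used in this chapter."""
    h = b.hex()
    return f"{h[:4]}-{h[4:8]}-{h[8:]}"


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def build_arp(eth_src: str, sender_mac: str, sender_ip: str, target_ip: str, op: int = 1) -> bytes:
    """Constructed test frame; eth_src and sender_mac differ only in a spoofed frame."""
    eth = ETH.pack(b"\xff" * 6, mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac),
                   ipaddress.IPv4Address(sender_ip).packed, b"\x00" * 6,
                   ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


@dataclass
class ArpPacket:
    eth_src: str                      # source MAC in the Ethernet header
    sender_mac: str                   # sender MAC in the ARP message body
    sender_ip: ipaddress.IPv4Address
    target_ip: ipaddress.IPv4Address
    op: int


def parse_arp(frame: bytes) -> ArpPacket:
    """Parse an Ethernet II frame carrying IPv4 ARP; raise ValueError for anything else."""
    if len(frame) < ETH.size + ARP.size:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(mac_str(src), mac_str(sha), ipaddress.IPv4Address(spa),
                     ipaddress.IPv4Address(tpa), op)


@dataclass
class Policy:
    """Settings drawn from the commands in this chapter, for one ingress interface/VLAN."""
    valid_check: bool = False                                  # arp valid-check enable
    bindings: Dict[str, str] = field(default_factory=dict)     # arp filter binding ip mac
    protected_gateways: Set[str] = field(default_factory=set)  # arp filter source ip
    sender_ip_range: Optional[Tuple[str, str]] = None          # arp sender-ip-range start end

    def __post_init__(self):
        if self.bindings and self.protected_gateways:
            raise ValueError("arp filter source and arp filter binding cannot coexist on one interface")
        if len(self.bindings) > MAX_ENTRIES or len(self.protected_gateways) > MAX_ENTRIES:
            raise ValueError(f"at most {MAX_ENTRIES} entries per interface")
        # Normalise MAC notation so 0E10-0213-1023 and 0e10:02:13... compare equal.
        self.bindings = {ip: mac_str(mac_bytes(mac)) for ip, mac in self.bindings.items()}


def check_arp(frame: bytes, policy: Policy) -> Tuple[bool, str]:
    """Return (permitted, reason) for one inbound ARP frame under the given policy."""
    pkt = parse_arp(frame)
    if policy.valid_check and pkt.eth_src != pkt.sender_mac:
        return False, f"source MAC {pkt.eth_src} != sender MAC {pkt.sender_mac}"
    if str(pkt.sender_ip) in policy.protected_gateways:
        return False, f"sender IP {pkt.sender_ip} is a protected gateway"
    if policy.bindings and policy.bindings.get(str(pkt.sender_ip)) != pkt.sender_mac:
        return False, f"{pkt.sender_ip}/{pkt.sender_mac} matches no permitted entry"
    if policy.sender_ip_range:
        lo, hi = (ipaddress.IPv4Address(a) for a in policy.sender_ip_range)
        if not lo <= pkt.sender_ip <= hi:
            return False, f"sender IP {pkt.sender_ip} outside {lo}-{hi}"
    return True, "permitted"


if __name__ == "__main__":
    access = Policy(valid_check=True, protected_gateways={"1.1.1.1"}, sender_ip_range=("1.1.1.1", "1.1.1.20"))
    for label, frame in [("honest", build_arp("0e10-0213-1023", "0e10-0213-1023", "1.1.1.5", "1.1.1.1")),
                         ("mac mismatch", build_arp("0e10-0213-1023", "0e10-0213-ffff", "1.1.1.5", "1.1.1.1")),
                         ("gateway impersonation", build_arp("0e10-0213-1023", "0e10-0213-1023", "1.1.1.1", "1.1.1.5"))]:
        print(label, check_arp(frame, access))
```

The honest request passes every check, the frame whose Ethernet source MAC disagrees with the ARP sender MAC is dropped by the consistency check before anything else is looked at, and a frame claiming the protected gateway's own address as sender is dropped regardless of which MAC it carries. The same frames run against a Policy built from arp filter binding entries are permitted only when the sender IP and MAC pair is listed.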
