If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse.

Examples

# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.

<Sysname> system-view

[Sysname] arp source-suppression limit 100

Related commands

display arp source-suppression

Use display arp source-suppression to display information about the current ARP source suppression configuration.

Syntax

display arp source-suppression

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression

ARP source suppression is enabled

Current suppression limit: 100

Table 1 Command output

Field	Description
Current suppression limit	Maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.

ARP packet rate limit commands

arp rate-limit

Use arp rate-limit to enable the ARP packet rate limit feature on an interface.

Use undo arp rate-limit to disable the ARP packet rate limit feature on an interface.

Syntax

arp rate-limit [ pps ]

undo arp rate-limit

Default

The ARP packet rate limit feature is enabled on an interface.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Predefined user roles

network-admin

Parameters

pps: Specifies the upper limit for ARP packet rate in pps. The value range for this argument is 5 to 200.

Usage guidelines

If you do not specify a value for the pps argument in the arp rate-limit command, the default rate limit value applies. Packets that exceed the rate limit are discarded.

Examples

# Enable the ARP packet rate limit feature on Layer 3 Ethernet interface GigabitEthernet 1/0/12, and set the maximum ARP packet rate to 50 pps.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/12

[Sysname-GigabitEthernet1/0/12] arp rate-limit 50

arp rate-limit log enable

Use arp rate-limit log enable to enable logging for ARP packet rate limit.

Use undo arp rate-limit log enable to disable logging for ARP packet rate limit.

Syntax

arp rate-limit log enable

undo arp rate-limit log enable

Default

Logging for ARP packet rate limit is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When logging for ARP packet rate limit is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a log message to the information center. You can configure the information center module to set the log output rules. For more information about information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for ARP packet rate limit.

<Sysname> system-view

[Sysname] arp rate-limit log enable

arp rate-limit log interval

Use arp rate-limit log interval to set the notification and log message sending interval for ARP packet rate limit.

Use undo arp rate-limit log interval to restore the default.

Syntax

arp rate-limit log interval interval

undo arp rate-limit log interval

Default

The device sends notifications or log messages every 60 seconds when the rate of ARP packets received on an interface exceeds the limit.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies an interval in the range of 1 to 86400 seconds.

Usage guidelines

To change the default interval and activate it, you must enable ARP packet rate limit and enable sending notifications or log messages for ARP packet rate limit.

Examples

# Set the device to send notifications and log messages every 120 seconds when the rate of ARP packets received on an interface exceeds the limit.

<Sysname> system-view

[Sysname] arp rate-limit log interval 120

Related commands

arp rate-limit

arp rate-limit log enable

snmp-agent trap enable arp

Use snmp-agent trap enable arp to enable SNMP notifications for ARP.

Use undo snmp-agent trap enable arp to disable SNMP notifications for ARP.

Syntax

snmp-agent trap enable arp [ rate-limit ]

undo snmp-agent trap enable arp [ rate-limit ]

Default

SNMP notifications for ARP are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

rate-limit: Specifies the ARP packet rate limit feature.

Usage guidelines

After you enable SNMP notifications for ARP, the device generates a notification that includes the highest threshold-crossed ARP packet rate within the sending interval.

For ARP event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable SNMP notifications for ARP packet rate limit.

<Sysname> system-view

[Sysname] snmp-agent trap enable arp rate-limit

Source MAC-based ARP attack detection commands

arp source-mac

Use arp source-mac to enable the source MAC-based ARP attack detection feature and specify a handling method.

Use undo arp source-mac to disable the source MAC-based ARP attack detection feature.

Syntax

arp source-mac { filter | monitor }

undo arp source-mac [ filter | monitor ]

Default

The source MAC-based ARP attack detection feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

filter: Specifies the filter handling method.

monitor: Specifies the monitor handling method.

Usage guidelines

Configure this feature on the gateways.

This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within the check interval exceeds a threshold, the device generates an ARP attack entry for the MAC address. Before the entry ages out, the device handles the attack by using either of the following methods:

· Monitor—Only generates log messages.

· Filter—Generates log messages and filters out subsequent ARP packets from the MAC address.

Make sure you have enabled the ARP logging feature before enabling the source MAC-based ARP attack detection feature. For information about the ARP logging feature, see Layer 3—IP Services Configuration Guide.

If you do not specify any handling method in the undo arp source-mac command, the command disables this feature.

Examples

# Enable the source MAC-based ARP attack detection feature and specify the filter handling method.

<Sysname> system-view

[Sysname] arp source-mac filter

arp source-mac aging-time

Use arp source-mac aging-time to set the aging time for ARP attack entries.

Use undo arp source-mac aging-time to restore the default.

Syntax

arp source-mac aging-time time

undo arp source-mac aging-time

Default

The aging time for ARP attack entries is 300 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds.

Examples

# Set the aging time for ARP attack entries to 60 seconds.

<Sysname> system-view

[Sysname] arp source-mac aging-time 60

arp source-mac check-interval

Use arp source-mac check-interval to set the check interval for source MAC-based ARP attack detection.

Use undo arp source-mac check-interval to restore the default.

Syntax

arp source-mac check-interval interval

undo arp source-mac check-interval

Default

The check interval for source MAC-based ARP attack detection is 5 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the check interval in seconds. The value range is 5 to 60.

Usage guidelines

The source MAC-based ARP attack detection feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within the check interval exceeds the threshold, the device generates an ARP attack entry for the MAC address.

If attacks occur frequently in your network, set a short check interval so that source MAC-based ARP attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the check interval for source MAC-based ARP attack detection to 30 seconds.

<Sysname> system-view

[Sysname] arp source-mac check-interval 30

Related commands

arp source-mac

display arp source-mac configuration

arp source-mac exclude-mac

Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection.

Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection.

Syntax

arp source-mac exclude-mac mac-address&<1-n>

undo arp source-mac exclude-mac [ mac-address&<1-n> ]

Default

No MAC addresses are excluded from source MAC-based ARP attack detection.

Views

System view

Predefined user roles

network-admin

Parameters

mac-address&<1-n>: Specifies a MAC address list. The mac-address argument indicates an excluded MAC address in the format of H-H-H. &<1-n> indicates the number of excluded MAC addresses that you can configure.

Usage guidelines

If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.

Examples

# Exclude a MAC address from source MAC-based ARP attack detection.

<Sysname> system-view

[Sysname] arp source-mac exclude-mac 001e-1200-0213

arp source-mac threshold

Use arp source-mac threshold to set the threshold for source MAC-based ARP attack detection. If the number of ARP packets sent from a MAC address within the check interval exceeds this threshold, the device recognizes this as an attack.

Use undo arp source-mac threshold to restore the default.

Syntax

arp source-mac threshold threshold-value

undo arp source-mac threshold

Default

The threshold for source MAC-based ARP attack detection is 30.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range for this argument is 1 to 5000.

Examples

# Set the threshold for source MAC-based ARP attack detection to 30.

<Sysname> system-view

[Sysname] arp source-mac threshold 30

display arp source-mac

Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.

Syntax

display arp source-mac interface interface-type interface-number [ slot slot-number ] [ verbose ]

display arp source-mac mac mac-address slot slot-number [ verbose ]

display arp source-mac slot slot-number [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you specify a virtual interface, you can also specify a location on the device to display entries for the member physical interfaces that the virtual interface has at that location.

mac mac-address: Specifies a MAC address, in the format of H-H-H.

slot slot-number: Specifies an IRF member device by its ID.

verbose: Displays the detailed information about source MAC-based ARP attack entries. If you do not specify this keyword, this command displays the brief information about the source MAC-based ARP attack entries.

count: Displays the number of ARP attack entries detected by source MAC-based ARP attack detection. If you do not specify this keyword, the command displays ARP attack entries detected by source MAC-based ARP attack detection.

Usage guidelines

The slot slot-number option is supported only when the interface interface-type interface-number option specifies a virtual interface.

Virtual interfaces can be Layer 3 aggregate interfaces and Layer 3 aggregate subinterfaces.

If you do not specify any parameters, the command displays all ARP attack entries.

Examples

# Display the ARP attack entries detected by source MAC-based ARP attack detection on GigabitEthernet 1/0/12.

<Sysname> display arp source-mac interface gigabitethernet 1/0/12

Source MAC VLAN ID Interface Aging time (sec) Packets dropped

23f3-1122-3344 -- GE1/0/13 10 18446744073709551615

# Display the number of source MAC-based ARP attack entries.

<Sysname> display arp source-mac count

Total source MAC-based ARP attack detection entries: 1

# Display the detailed information about ARP attack entries detected by source MAC-based ARP attack detection on GigabitEthernet 1/0/12.

<Sysname> display arp source-mac interface gigabitethernet 1/0/12 verbose

Source MAC: 0001-0001-0001

VLAN ID: 4094

Hardware status: Succeeded

Aging time: 10 seconds

Interface: GigabitEthernet1/0/12

Attack time: 2018/06/04 15:53:34

Packets dropped: 84467

Table 2 Command output

Field	Description
Source MAC	Source MA address in the source MAC-based ARP attack entry.
VLAN ID	This field is not supported in the current software version. ID of the VLAN where the source MAC-based ARP attack is detected.
Interface	Interface where the source MAC-based ARP attack is detected.
Aging time	Remaining lifetime of the source MAC-based ARP attack entry, in seconds.
Packets dropped	Total number of packets dropped by source MAC-based ARP attack detection.
Total source MAC-based ARP attack detection entries	Total number of source MAC-based ARP attack entries.
Hardware status	Status of the source MAC-based ARP attack entry setting to hardware: · Succeeded · Failed · Not supported · Not enough resources
Attack time	Time when the source MAC-based ARP attack is detected. The formation of the time is YYYY/MM/DD HH:MM:SS.

Related commands

reset arp source-mac

reset arp source-mac statistics

display arp source-mac configuration

Use display arp source-mac configuration to display the configuration of source MAC-based ARP attack detection.

Syntax

display arp source-mac configuration

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the configuration of source MAC-based ARP attack detection.

<Sysname> display arp source-mac configuration

ARP source-mac is enabled.

Mode: Filter Check interval: 5 seconds

Threshold: 20 Aging time: 300 seconds

<Sysname> display arp source-mac configuration

ARP source-mac is disabled.

Table 3 Command output

Field	Description
ARP source-mac is enabled.	The source MAC-based ARP attack detection is enabled.
ARP source-mac is disabled.	The source MAC-based ARP attack detection is disabled.
Mode	Source MAC-based ARP attack detection mode: · Filter. · Monitor.
Check interval	Check interval of the source MAC-based ARP attack detection, in seconds.
Threshold	Threshold for source MAC-based ARP attack detection.
Aging time	Aging time of the source MAC-based ARP attack entry, in seconds.

Related commands

arp source-mac

arp source-mac aging-time

arp source-mac check-interval

arp source-mac exclude-mac

arp source-mac threshold

display arp source-mac statistics

Use display arp source-mac statistics to display statistics for packets dropped by source MAC-based ARP attack detection.

Syntax

display arp source-mac statistics slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its ID.

Examples

# Display statistics for packets dropped by source MAC-based ARP attack detection.

<Sysname> display arp source-mac statistics

Dropped ARP packets:123321

Table 4 Command output

Field	Description
Dropped ARP packets	Number of packets dropped by source MAC-based ARP attack detection.

Related commands

arp source-mac

reset arp source-mac

Use reset arp source-mac to delete source MAC-based ARP attack entries.

Syntax

reset arp source-mac [ interface interface-type interface-number | mac mac-address ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

mac mac-address: Specify a MAC address, in the format of H-H-H.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command deletes the source MAC-based ARP attack entries on the master device.

Usage guidelines

If you do not specify any parameter, the command deletes all source MAC-based ARP attack entries on the device.

Examples

# Delete all source MAC-based ARP attack entries on the device.

<Sysname> reset arp source-mac

Related commands

display arp source-mac

reset arp source-mac statistics

Use reset arp source-mac statistics to clear statistics of packets dropped by source MAC-based ARP attack detection.

Syntax

reset arp source-mac statistics [ interface interface-type interface-number | mac mac-address ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

mac mac-address: Specifies a MAC address, in the format of H-H-H.

slot slot-number: Specifies an IRF member device by its ID.

Usage guidelines

If you do not specify any parameter, the command clears all statistics of packets dropped by source MAC-based ARP attack detection.

Examples

# Clear all statistics of packets dropped by source MAC-based ARP attack detection.

<Sysname> reset arp source-mac statistics

Related commands

display arp source-mac statistics

ARP packet source MAC consistency check commands

arp valid-check enable

Use arp valid-check enable to enable ARP packet source MAC address consistency check.

Use undo arp valid-check enable to disable ARP packet source MAC address consistency check.

Syntax

arp valid-check enable

undo arp valid-check enable

Default

ARP packet source MAC address consistency check is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.

Examples

# Enable ARP packet source MAC address consistency check.

<Sysname> system-view

[Sysname] arp valid-check enable

display arp valid-check statistics

Use display arp valid-check statistics to display statistics for packets dropped by ARP packet source MAC address consistency check.

Syntax

display arp valid-check statistics slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its ID.

Examples

# Display statistics for packets dropped by ARP packet source MAC address consistency check.

<Sysname> display arp valid-check statistics

Dropped ARP packets:123321

Table 5 Command output

Field	Description
Dropped ARP packets	Number of packets dropped by ARP packet source MAC address consistency check.

Related commands

arp valid-check enable

reset arp valid-check statistics

Use reset arp valid-check statistics to clear statistics for packets dropped by ARP packet source MAC address consistency check.

Syntax

reset arp valid-check statistics { all | slot slot-number }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all statistics for packets dropped by ARP packet source MAC address consistency check.

slot slot-number: Specifies an IRF member device by its ID.

Examples

# Clear statistics for packets dropped by ARP packet source MAC address consistency check.

<Sysname> reset arp valid-check statistics

Related commands

display arp valid-check statistics

ARP active acknowledgement commands

arp active-ack enable

Use arp active-ack enable to enable ARP active acknowledgement.

Use undo arp active-ack enable to disable ARP active acknowledgement.

Syntax

arp active-ack [ strict ] enable

undo arp active-ack [ strict ] enable

Default

The ARP active acknowledgement feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

strict: Enables strict mode for ARP active acknowledgement.

Usage guidelines

Configure this feature on gateways to prevent user spoofing.

Examples

# Enable ARP active acknowledgement.

<Sysname> system-view

[Sysname] arp active-ack enable

Authorized ARP commands

arp authorized enable

Use arp authorized enable to enable authorized ARP on an interface.

Use undo arp authorized enable to disable authorized ARP on an interface.

Syntax

arp authorized enable

undo arp authorized enable

Default

Authorized ARP is disabled on the interface.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

Predefined user roles

network-admin

Examples

# Enable authorized ARP on GigabitEthernet 1/0/12.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/12

[Sysname-GigabitEthernet1/0/12] arp authorized enable

ARP scanning and fixed ARP commands

arp fixup

Use arp fixup to convert existing dynamic ARP entries to static ARP entries.

Use undo arp fixup to convert valid static ARP entries to dynamic ARP entries and delete invalid static ARP entries.

Syntax

arp fixup

undo arp fixup

Views

System view

Predefined user roles

network-admin

Usage guidelines

The ARP conversion is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.

The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries. Due to the device's limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.

The static ARP entries after conversion can include the following entries:

· Existing dynamic and static ARP entries before conversion.

· New dynamic ARP entries learned during the conversion.

Dynamic ARP entries that are aged out during the conversion are not converted to static ARP entries.

To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.

Examples

# Convert existing dynamic ARP entries to static ARP entries.

<Sysname> system-view

[Sysname] arp fixup

arp scan

Use arp scan to trigger an ARP scanning in an address range.

Syntax

arp scan [ start-ip-address to end-ip-address ]

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address of the scanning range.

end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.

Usage guidelines

ARP scanning automatically creates ARP entries for devices in the specified address range. IP addresses already in existing ARP entries are not scanned.

If the interface's primary and secondary IP addresses are in the address range, the sender IP address in the ARP request is the address on the smallest network segment.

If no address range is specified, the device learns ARP entries for devices on the subnet where the primary IP address of the interface resides. The sender IP address in the ARP requests is the primary IP address of the interface.

The start and end IP addresses must be on the same subnet as the primary IP address or secondary IP addresses of the interface.

ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

Examples

# Configure the device to scan neighbors on the network where the primary IP address of GigabitEthernet 1/0/12 resides.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/12

[Sysname-GigabitEthernet1/0/12] arp scan

# Configure the device to scan neighbors in an address range.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/12

[Sysname-GigabitEthernet1/0/12] arp scan 1.1.1.1 to 1.1.1.20

10-Security Command Reference

display arp source-suppression

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us