18-Security Command Reference

12-ARP attack protection commands

Contents

ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route enable
arp resolving-route probe-count
arp resolving-route probe-interval
arp source-suppression enable
arp source-suppression limit
display arp source-suppression
ARP SNMP notification commands
snmp-agent trap enable arp
Source MAC-based ARP attack detection commands
arp source-mac
arp source-mac aging-time
arp source-mac exclude-mac
arp source-mac threshold
display arp source-mac
display arp source-mac statistics
reset arp source-mac statistics
ARP packet source MAC consistency check commands
arp valid-check enable
display arp valid-check statistics
reset arp valid-check statistics
ARP active acknowledgement commands
arp active-ack enable
Authorized ARP commands
arp authorized enable
ARP attack detection commands
arp detection enable
arp detection log enable
arp detection port-match-ignore
arp detection rule
arp detection trust
arp detection validate
arp restricted-forwarding enable
display arp detection
display arp detection statistics attack-source
display arp detection statistics packet-drop
reset arp detection statistics attack-source
reset arp detection statistics packet-drop
ARP scanning and fixed ARP commands
arp fixup
arp scan
arp scan auto enable
arp scan auto send-rate
ARP keepalive entry scanning commands
arp scan keepalive aging-time
arp scan keepalive enable
arp scan keepalive send-rate
display arp scan keepalive entry
display arp scan keepalive statistics
reset arp scan keepalive statistics
ARP gateway protection commands
arp filter source
ARP filtering commands
arp filter binding
ARP packet sender IP address checking commands
arp sender-ip-range

 


ARP attack protection commands

Unresolvable IP attack protection commands

arp resolving-route enable

Use arp resolving-route enable to enable ARP blackhole routing.

Use undo arp resolving-route enable to disable ARP blackhole routing.

Syntax

arp resolving-route enable

undo arp resolving-route enable

Default

ARP blackhole routing is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this command on the gateways.

Examples

# Enable ARP blackhole routing.

<Sysname> system-view

[Sysname] arp resolving-route enable

Related commands

arp resolving-route probe-count

arp resolving-route probe-interval

arp resolving-route probe-count

Use arp resolving-route probe-count to set the number of ARP blackhole route probes for each unresolved IP address.

Use undo arp resolving-route probe-count to restore the default.

Syntax

arp resolving-route probe-count count

undo arp resolving-route probe-count

Default

The device performs three ARP blackhole route probes for each unresolved IP address.

Views

System view

Predefined user roles

network-admin

Parameters

count: Sets the number of probes, in the range of 1 to 25.

Examples

# Configure the device to perform five ARP blackhole route probes for each unresolved IP address.

<Sysname> system-view

[Sysname] arp resolving-route probe-count 5

Related commands

arp resolving-route enable

arp resolving-route probe-interval

arp resolving-route probe-interval

Use arp resolving-route probe-interval to set the interval at which the device probes ARP blackhole routes.

Use undo arp resolving-route probe-interval to restore the default.

Syntax

arp resolving-route probe-interval interval

undo arp resolving-route probe-interval

Default

The device probes ARP blackhole routes every 1 second.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the probe interval in the range of 1 to 5 seconds.

Examples

# Configure the device to probe ARP blackhole routes every 3 seconds.

<Sysname> system-view

[Sysname] arp resolving-route probe-interval 3

Related commands

arp resolving-route enable

arp resolving-route probe-count

arp source-suppression enable

Use arp source-suppression enable to enable the ARP source suppression feature.

Use undo arp source-suppression enable to disable the ARP source suppression feature.

Syntax

arp source-suppression enable

undo arp source-suppression enable

Default

The ARP source suppression feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this feature on the gateways.

Examples

# Enable the ARP source suppression feature.

<Sysname> system-view

[Sysname] arp source-suppression enable

Related commands

display arp source-suppression

arp source-suppression limit

Use arp source-suppression limit to set the maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.

Use undo arp source-suppression limit to restore the default.

Syntax

arp source-suppression limit limit-value

undo arp source-suppression limit

Default

The device can process a maximum of 10 unresolvable packets per source IP address within 5 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

limit-value: Specifies the limit in the range of 2 to 1024.

Usage guidelines

If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse.

Examples

# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.

<Sysname> system-view

[Sysname] arp source-suppression limit 100

Related commands

display arp source-suppression

display arp source-suppression

Use display arp source-suppression to display information about the current ARP source suppression configuration.

Syntax

display arp source-suppression

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression

 ARP source suppression is enabled

 Current suppression limit: 100

Table 1 Command output

Field                      Description
Current suppression limit  Maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.

ARP SNMP notification commands

snmp-agent trap enable arp

Use snmp-agent trap enable arp to enable SNMP notifications for ARP.

Use undo snmp-agent trap enable arp to disable SNMP notifications for ARP.

Syntax

snmp-agent trap enable arp [ active-ack | arp-miss | detection-drop | entry-check | entry-limit | gateway-check | local-conflict | mac-mismatch | packet-check | user-ip-conflict | user-move ] *

undo snmp-agent trap enable arp [ active-ack | arp-miss | detection-drop | entry-check | entry-limit | gateway-check | local-conflict | mac-mismatch | packet-check | user-ip-conflict | user-move ] *

Default

SNMP notifications for ARP are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

active-ack: Specifies ARP active acknowledgement notifications.

arp-miss: Specifies rate limit notifications for sending ARP Miss messages or ARP packets.

detection-drop: Specifies notifications for packet dropping due to ARP attack detection.

entry-check: Specifies ARP entry modification notifications.

entry-limit: Specifies ARP entry limit notifications.

gateway-check: Specifies ARP gateway protection notifications.

local-conflict: Specifies endpoint and local device conflict notifications.

mac-mismatch: Specifies MAC address inconsistency notifications.

packet-check: Specifies invalid ARP packet check notifications.

user-ip-conflict: Specifies user IP address conflict notifications.

user-move: Specifies user port migration notifications.

Usage guidelines

Enable SNMP notifications for ARP as required.

·     If you enable ARP active acknowledgement notifications, the device sends a notification to the SNMP module when it does not establish an ARP entry due to active acknowledgement. The notification includes the sender IP address in the received ARP packet and the interface that receives the ARP packet.

·     If you enable rate limit notifications for sending ARP Miss messages or ARP packets, the device sends the highest threshold-crossed rate as a notification to the SNMP module when the sending rate exceeds the custom threshold.

·     If you enable notifications for packet dropping due to ARP attack detection, the device sends a notification to the SNMP module when a packet is dropped by ARP attack detection. The notification includes the VLAN ID, service ID, and VSI for the dropped packet and packet drop reason.

·     If you enable ARP entry modification notifications, the device sends a notification to the SNMP module when it detects that the ARP entry for a user might be changed to the attacker's ARP entry. The notification includes the sender IP and MAC addresses in the ARP attack packet.

·     If you enable ARP entry limit notifications, the device sends the current number of ARP entries as a notification to the SNMP module when the number of global ARP entries exceeds the alarm threshold.

·     If you enable ARP gateway protection notifications, the device sends a notification to the SNMP module when it is attacked by gateway spoofing attacks. The notification includes the sender IP and MAC addresses in the ARP attack packet dropped by ARP gateway protection, and index of the interface that receives the ARP attack packet. When an ARP packet with the same sender IP address triggers the SNMP notification again within 3 minutes, the device sends a recovery notification to the SNMP module.

·     If you enable endpoint and local device conflict notifications, the device sends a notification to the SNMP module when an endpoint and local device conflict occurs. The notification includes the sender IP address, sender MAC address, target IP address, and target MAC address in the conflicting ARP packet.

·     If you enable MAC address inconsistency notifications, the device sends a notification to the SNMP module when the MAC address in the configured static ARP entry and user's actual MAC address are inconsistent. The notification includes the IP address, VPN instance, and MAC address in the ARP entry.

·     An invalid ARP packet contains an invalid hardware address type, protocol address type, hardware address length, protocol address length, operation code, or VLAN. For example, when the operation code value is not 1 (ARP request) or 2 (ARP reply), the operation code is invalid and the ARP packet is invalid. If you enable invalid ARP packet check notifications, the device sends a notification to the SNMP module when it receives an invalid ARP packet. The notification includes the name of the interface that receives the ARP packet, sender MAC and IP addresses, user VLAN ID, and VLAN ID of the service provider.

·     If you enable user IP address conflict notifications, the device sends a notification to the SNMP module when a user IP address conflict occurs. The notification includes the sender IP and MAC addresses in the conflicting ARP packet, and MAC address in the corresponding local ARP entry. For more information about enabling recording user IP address conflicts, see ARP configuration in Layer 3—IP Services Configuration Guide.

·     If you enable user port migration notifications, the device sends a notification to the SNMP module when a user port changes. The notification includes the IP address, MAC address, port before migration, and port after migration of the user. For more information about enabling recording user port migrations, see ARP configuration in Layer 3—IP Services Configuration Guide.

If you do not specify any keywords, this command enables all SNMP notifications for ARP.

For ARP event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable ARP active acknowledgement notifications.

<Sysname> system-view

[Sysname] snmp-agent trap enable arp active-ack

Source MAC-based ARP attack detection commands

arp source-mac

Use arp source-mac to enable the source MAC-based ARP attack detection feature and specify an attack handling method.

Use undo arp source-mac to disable the source MAC-based ARP attack detection feature.

Syntax

arp source-mac { filter | monitor }

undo arp source-mac [ filter | monitor ]

Default

The source MAC-based ARP attack detection feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

filter: Specifies the filter attack handling method.

monitor: Specifies the monitor attack handling method.

Usage guidelines

Application scenarios

Processing a large number of ARP packets with the same MAC address causes a busy CPU and affects normal service processing. To avoid such an issue, you can enable the source MAC-based ARP attack detection feature on the device.

Operating mechanism

This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device generates an ARP attack entry for the MAC address. Before the entry ages out, the device handles the attack by using either of the following methods:

·     Filter—Generates log messages and filters out subsequent ARP packets from the MAC address.

·     Monitor—Only generates log messages.

Make sure you have enabled the ARP logging feature before enabling the source MAC-based ARP attack detection feature. For information about the ARP logging feature, see ARP in Layer 3—IP Services Configuration Guide.

Source MAC-based ARP attack detection checks the number of ARP packets delivered to the CPU in one of the following modes:

·     Layer 3 interface-based mode—Checks the number of ARP packets on a per-interface basis. If the number of ARP packets received from the same MAC address within 5 seconds on a Layer 3 interface (excluding the VLAN interface) exceeds the threshold, the device determines that an attack has occurred.

·     VLAN interface-based mode—Checks the number of ARP packets on a per-slot basis. If the number of ARP packets received from the same MAC address within 5 seconds on the slot to which the VLAN interface belongs exceeds the threshold, the device determines that an attack has occurred. It records the first physical interface that receives such an ARP packet in the ARP attack entry.

Recommended configuration

Configure this feature on the gateways.

Restrictions and guidelines

If you change the attack handling method from monitor to filter, the configuration takes effect immediately.

If you change the attack handling method from filter to monitor, the device works as follows:

·     Uses the filter attack handling method to process the ARP packets that match the existing ARP attack entries before the entries age out.

·     Uses the monitor attack handling method to process the ARP packets that match the newly-generated ARP attack entries.

If you do not specify any handling method in the undo arp source-mac command, the command disables this feature.

Examples

# Enable the source MAC-based ARP attack detection feature and specify the filter attack handling method.

<Sysname> system-view

[Sysname] arp source-mac filter

arp source-mac aging-time

Use arp source-mac aging-time to set the aging time for ARP attack entries.

Use undo arp source-mac aging-time to restore the default.

Syntax

arp source-mac aging-time time

undo arp source-mac aging-time

Default

The aging time for ARP attack entries is 300 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds.

Examples

# Set the aging time for ARP attack entries to 60 seconds.

<Sysname> system-view

[Sysname] arp source-mac aging-time 60

arp source-mac exclude-mac

Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection.

Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection.

Syntax

arp source-mac exclude-mac mac-address&<1-10>

undo arp source-mac exclude-mac [ mac-address&<1-10> ]

Default

No MAC addresses are excluded from source MAC-based ARP attack detection.

Views

System view

Predefined user roles

network-admin

Parameters

mac-address&<1-10>: Specifies a MAC address list. The mac-address argument indicates an excluded MAC address in the format of H-H-H. &<1-10> indicates that you can configure a maximum of 10 excluded MAC addresses.

Usage guidelines

If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.

Examples

# Exclude a MAC address from source MAC-based ARP attack detection.

<Sysname> system-view

[Sysname] arp source-mac exclude-mac 001e-1200-0213

arp source-mac threshold

Use arp source-mac threshold to set the threshold for source MAC-based ARP attack detection. If the number of ARP packets sent from a MAC address within 5 seconds exceeds this threshold, the device recognizes this as an attack.

Use undo arp source-mac threshold to restore the default.

Syntax

arp source-mac threshold threshold-value

undo arp source-mac threshold

Default

The threshold for source MAC-based ARP attack detection is 30.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range is 1 to 5000.

Examples

# Set the threshold for source MAC-based ARP attack detection to 30.

<Sysname> system-view

[Sysname] arp source-mac threshold 30
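The following Python model is an added illustration of how the arp source-mac settings above interact (handling method, threshold, aging time, exclusions); it is not H3C code and not part of the original reference. It assumes a fixed 5-second counting window that starts at the first packet from a MAC address, an attack entry that ages out a fixed time after it is generated, and constructed sample MAC addresses; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

WINDOW = 5  # seconds; the counting period stated in the reference


@dataclass
class AttackEntry:
    created: float
    made_under_filter: bool  # handling method in force when the entry was generated


@dataclass
class SourceMacDetector:
    method: str = "filter"   # arp source-mac { filter | monitor }
    threshold: int = 30      # arp source-mac threshold (default 30)
    aging_time: int = 300    # arp source-mac aging-time (default 300 seconds)
    exclude: set = field(default_factory=set)    # arp source-mac exclude-mac
    entries: dict = field(default_factory=dict)  # mac -> AttackEntry
    windows: dict = field(default_factory=dict)  # mac -> (window start, count)
    logs: list = field(default_factory=list)     # (mac, method) per generated entry
    dropped: int = 0

    def handle(self, now, mac):
        """Return 'pass' or 'drop' for one ARP packet delivered to the CPU."""
        mac = mac.lower()
        if mac in self.exclude:
            return "pass"
        entry = self.entries.get(mac)
        if entry and now - entry.created >= self.aging_time:
            del self.entries[mac]  # assumption: aging runs from entry creation
            entry = None
        if entry:
            # monitor -> filter takes effect immediately; filter -> monitor
            # leaves existing entries on filter until they age out.
            if self.method == "filter" or entry.made_under_filter:
                self.dropped += 1
                return "drop"
            return "pass"
        start, count = self.windows.get(mac, (now, 0))
        if now - start >= WINDOW:  # assumption: fixed, non-sliding window
            start, count = now, 0
        count += 1
        self.windows[mac] = (start, count)
        if count > self.threshold:  # "exceeds" is read as strictly greater
            self.entries[mac] = AttackEntry(now, self.method == "filter")
            self.logs.append((mac, self.method))
            del self.windows[mac]
        return "pass"  # only packets after the entry exists are filtered


def demo():
    """Replay constructed traffic and return what the model decided."""
    trusted = "001e-1200-0213"                 # excluded MAC from the example above
    a, b = "0000-5e00-5301", "0000-5e00-5302"  # constructed sample MACs
    det = SourceMacDetector(method="filter", threshold=3, aging_time=60,
                            exclude={trusted})
    out = {}
    out["burst_a"] = [det.handle(t / 10, a) for t in range(6)]
    out["trusted"] = [det.handle(1.0, trusted) for _ in range(10)]
    det.method = "monitor"
    out["a_after_switch"] = det.handle(2.0, a)  # old entry still filters
    out["burst_b"] = [det.handle(3.0, b) for _ in range(6)]  # logged, not dropped
    det.method = "filter"
    out["b_after_switch"] = det.handle(4.0, b)  # filter applies at once
    out["a_after_aging"] = det.handle(70.0, a)  # entry for a has aged out
    out["dropped"] = det.dropped
    out["logs"] = list(det.logs)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
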

display arp source-mac

Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.

Syntax

display arp source-mac { interface interface-type interface-number [ slot slot-number ] | slot slot-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you specify a virtual interface, you can also specify a location on the device to display entries for the member physical interfaces that the virtual interface has at that location.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ARP attack entries for the active MPU.

Examples

# Display the ARP attack entries detected by source MAC-based ARP attack detection on Ten-GigabitEthernet 0/0/6.

<Sysname> display arp source-mac interface ten-gigabitethernet 0/0/6

Source-MAC          VLAN ID  Interface                Aging-time

23f3-1122-3344      4094     XGE1/0/1                 10

Table 2 Command output

Field       Description
Source-MAC  Source MAC address of the attack.
VLAN ID     ID of the VLAN in which the attack was detected.
Interface   Interface on which the attack was detected.
Aging-time  Aging time for the ARP attack entry, in seconds.

display arp source-mac statistics

Use display arp source-mac statistics to display statistics for packets dropped by source MAC-based ARP attack detection.

Syntax

display arp source-mac statistics slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number.

Examples

# Display statistics for packets dropped by source MAC-based ARP attack detection.

<Sysname> display arp source-mac statistics

Dropped ARP packets:23321

Table 3 Command output

Field                Description
Dropped ARP packets  Number of packets dropped by source MAC-based ARP attack detection.

Related commands

arp source-mac

reset arp source-mac statistics

Use reset arp source-mac statistics to clear statistics of packets dropped by source MAC-based ARP attack detection.

Syntax

reset arp source-mac statistics { all | [ slot slot-number ] }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all statistics of packets.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics of packets on the active MPU.

Usage guidelines

If you do not specify any parameter, the command clears all statistics of packets dropped by source MAC-based ARP attack detection.

Examples

# Clear all statistics of packets dropped by source MAC-based ARP attack detection.

<Sysname> reset arp source-mac statistics

Related commands

display arp source-mac statistics

ARP packet source MAC consistency check commands

arp valid-check enable

Use arp valid-check enable to enable ARP packet source MAC address consistency check.

Use undo arp valid-check enable to disable ARP packet source MAC address consistency check.

Syntax

arp valid-check enable

undo arp valid-check enable

Default

ARP packet source MAC address consistency check is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.

Examples

# Enable ARP packet source MAC address consistency check.

<Sysname> system-view

[Sysname] arp valid-check enable

display arp valid-check statistics

Use display arp valid-check statistics to display statistics for packets dropped by ARP packet source MAC address consistency check.

Syntax

display arp valid-check statistics slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number.

Examples

# Display statistics for packets dropped by ARP packet source MAC address consistency check.

<Sysname> display arp valid-check statistics

Dropped ARP packets: 23321

Table 4 Command output

Field                Description
Dropped ARP packets  Number of packets dropped by ARP packet source MAC address consistency check.

Related commands

arp valid-check enable

reset arp valid-check statistics

Use reset arp valid-check statistics to clear statistics for packets dropped by ARP packet source MAC address consistency check.

Syntax

reset arp valid-check statistics { all | slot slot-number }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all statistics for packets dropped by ARP packet source MAC address consistency check.

slot slot-number: Specifies a card by its slot number.

Examples

# Clear statistics for packets dropped by ARP packet source MAC address consistency check.

<Sysname> reset arp valid-check statistics

Related commands

display arp valid-check statistics

ARP active acknowledgement commands

arp active-ack enable

Use arp active-ack enable to enable the ARP active acknowledgement feature.

Use undo arp active-ack enable to disable the ARP active acknowledgement feature.

Syntax

arp active-ack [ strict ] enable

undo arp active-ack [ strict ] enable

Default

The ARP active acknowledgement feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

strict: Enables strict mode for ARP active acknowledgement.

Usage guidelines

Configure this feature on gateways to prevent user spoofing.

Examples

# Enable the ARP active acknowledgement feature.

<Sysname> system-view

[Sysname] arp active-ack enable

Authorized ARP commands

arp authorized enable

Use arp authorized enable to enable authorized ARP on an interface.

Use undo arp authorized enable to disable authorized ARP on an interface.

Syntax

arp authorized enable

undo arp authorized enable

Default

Authorized ARP is disabled on the interface.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VSI interface view

VLAN interface view

Predefined user roles

network-admin

Examples

# Enable authorized ARP on Ten-GigabitEthernet 0/0/6.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/6

[Sysname-Ten-GigabitEthernet0/0/6] arp authorized enable

ARP attack detection commands

arp detection enable

Use arp detection enable to enable ARP attack detection.

Use undo arp detection enable to disable ARP attack detection.

Syntax

arp detection enable

undo arp detection enable

Default

ARP attack detection is disabled.

Views

Layer 2 Ethernet interface view

VLAN view

VSI view

Predefined user roles

network-admin

Usage guidelines

ARP attack detection takes effect on a Layer 2 Ethernet interface after you enable it on the interface or in the VLAN to which the interface belongs.

ARP attack detection stops taking effect on a Layer 2 Ethernet interface only after you disable it both on the interface and in the VLAN to which the interface belongs.

If a Layer 2 Ethernet interface has ARP attack detection enabled and is also configured as an ARP trusted port, the system does not perform ARP attack detection on packets received on the interface.

Examples

# Enable ARP attack detection on Layer 2 Ethernet interface Ten-GigabitEthernet 0/0/6.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/6

[Sysname-Ten-GigabitEthernet0/0/6] arp detection enable

# Enable ARP attack detection for VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp detection enable

# Enable ARP attack detection for VSI vsi1.

<Sysname> system-view

[Sysname] vsi vsi1

[Sysname-vsi-vsi1] arp detection enable

Related commands

arp detection rule

display arp detection

arp detection log enable

Use arp detection log enable to enable ARP attack detection logging.

Use undo arp detection log enable to disable ARP attack detection logging.

Syntax

arp detection log enable [ interval interval | number number | threshold threshold-value ] *

undo arp detection log enable

Default

ARP attack detection logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the interval for sending ARP attack detection logs to the information center, in seconds. The value for this argument can be 0 or a value in the range of 10 to 3600. The default value is 60. If you set the interval to 0 seconds, the device sends ARP detection logs to the information center immediately.

number number: Specifies the maximum number of ARP attack detection logs for each log output. The value range for the number argument is 1 to 128, and the default value is 128.

threshold threshold-value: Specifies the per-destination address threshold for ARP attack detection logging. When the number of ARP packets destined for a destination address reaches or exceeds the threshold, the device generates an ARP attack detection log. The value range for the threshold-value argument is 1 to 128, and the default is 1.

Usage guidelines

This feature enables the device to generate ARP detection logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see System Management Configuration Guide.

As a best practice, disable this feature if the log generation affects the device performance.

An excessive number of logs not only affects the device performance, but also makes it difficult to locate logs for specific events. To resolve the issue, you can adjust the maximum number of ARP attack detection logs for each log output. Logs that exceed the number limit are not output or displayed. You can also adjust the per-destination address threshold for logging. The device generates a log only when the number of packets destined for a destination address reaches or exceeds the threshold.

A card, member device, or device can send a maximum of 128 ARP detection logs each time.

Examples

# Enable ARP attack detection logging.

<Sysname> system-view

[Sysname] arp detection log enable

arp detection port-match-ignore

Use arp detection port-match-ignore to ignore ingress ports of ARP packets during user validity check.

Use undo arp detection port-match-ignore to remove the configuration.

Syntax

arp detection port-match-ignore

undo arp detection port-match-ignore

Default

Ingress ports of ARP packets are checked during user validity check.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command configures ARP attack detection to ignore the ingress port information of ARP packets when the packets are compared with the entries used for user validity check.

Examples

# Ignore ingress ports of ARP packets during user validity check.

<Sysname> system-view

[Sysname] arp detection port-match-ignore

Related commands

arp detection enable

arp detection rule

Use arp detection rule to configure a user validity check rule.

Use undo arp detection rule to delete a user validity check rule.

Syntax

arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] | any } [ vlan vlan-id | vsi vsi-name ]

undo arp detection rule [ rule-id ]

Default

No user validity check rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-id: Assigns an ID to the user validity check rule. The ID value range is 0 to 511. A smaller value represents a higher priority.

deny: Denies matching ARP packets.

permit: Permits matching ARP packets.

ip { ip-address [ mask ] | any }: Specifies the sender IP address as the match criterion.

·     ip-address: Specifies an IP address in dotted decimal notation.

·     mask: Specifies the address mask in dotted decimal notation. If you do not specify the mask, the ip-address argument specifies a host IP address.

·     any: Matches any IP address.

mac { mac-address [ mask ] | any }: Specifies the sender MAC address as the match criterion.

·     mac-address: Specifies a MAC address in the H-H-H format.

·     mask: Specifies the MAC address mask in the H-H-H format. If you do not specify the mask, the argument specifies the host MAC address.

·     any: Matches any MAC address.

vlan vlan-id: Specifies the ID of a VLAN in the specified rule. The value range for the vlan-id argument is 1 to 4094. If you do not specify a VLAN, the packets' VLAN information is not checked.

vsi vsi-name: Specifies the name of a VSI in the specified rule, a case-sensitive string of 1 to 31 characters. If you do not specify a VSI, the packets' VSI information is not checked.

Usage guidelines

A user validity check rule takes effect only when ARP attack detection is enabled.

If you do not specify a rule ID, the undo arp detection rule command deletes all user validity check rules.

For the VSI information in the user validity check rule to take effect, enable L2VPN by using the l2vpn enable command.

Examples

# Configure a user validity check rule and enable ARP detection for VLAN 2.

<Sysname> system-view

[Sysname] arp detection rule 0 permit ip 10.1.1.1 255.255.0.0 mac 0001-0203-0405 ffff-ffff-0000

[Sysname] vlan 2

[Sysname-vlan2] arp detection enable

# Configure a user validity check rule and enable ARP detection for VSI vpna.

<Sysname> system-view

[Sysname] arp detection rule 1 permit ip 10.1.1.2 255.255.0.0 mac 0001-0203-0406 ffff-ffff-0000 vsi vpna

[Sysname] vsi vpna

[Sysname-vsi-vpna] arp detection enable

Related commands

arp detection enable
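The following Python sketch is an added example, not H3C code, showing how user validity check rules of the form described above can be evaluated offline, for instance to review a rule set before applying it. It assumes that a mask bit of 1 means "compare this bit" (as the 255.255.0.0 and ffff-ffff-0000 masks in the examples suggest) and that the caller decides what happens when no rule matches; rule 10 in the sample set is constructed, and all function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    rule_id: int
    action: str            # "permit" or "deny"
    ip: int
    ip_mask: int
    mac: int
    mac_mask: int
    vlan: Optional[int]
    vsi: Optional[str]


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def mac_to_int(text):
    """Convert an H-H-H MAC address or mask to an integer."""
    return int(text.replace("-", ""), 16)


def parse_rule(line):
    """Parse 'arp detection rule <id> {deny|permit} ip ... mac ... [vlan|vsi ...]'."""
    tok = line.split()
    if tok[:3] == ["arp", "detection", "rule"]:
        tok = tok[3:]
    rule_id, action, rest = int(tok[0]), tok[1], tok[2:]
    if not 0 <= rule_id <= 511 or action not in ("deny", "permit"):
        raise ValueError("bad rule ID or action: %r" % line)

    def take(keyword, convert, full_mask):
        if not rest or rest.pop(0) != keyword:
            raise ValueError("expected %r in %r" % (keyword, line))
        if rest[0] == "any":
            rest.pop(0)
            return 0, 0                     # a zero mask compares no bits
        value, mask = convert(rest.pop(0)), full_mask  # no mask given: host match
        if rest and rest[0] not in ("mac", "vlan", "vsi"):
            mask = convert(rest.pop(0))
        return value, mask

    ip, ip_mask = take("ip", ip_to_int, 0xFFFFFFFF)
    mac, mac_mask = take("mac", mac_to_int, 0xFFFFFFFFFFFF)
    vlan = int(rest[1]) if rest[:1] == ["vlan"] else None
    vsi = rest[1] if rest[:1] == ["vsi"] else None
    return Rule(rule_id, action, ip, ip_mask, mac, mac_mask, vlan, vsi)


def check_user(rules, sender_ip, sender_mac, vlan=None, vsi=None):
    """Return (rule_id, action) of the first matching rule, or None."""
    ip, mac = ip_to_int(sender_ip), mac_to_int(sender_mac)
    for rule in sorted(rules, key=lambda r: r.rule_id):  # smaller ID, higher priority
        if (ip ^ rule.ip) & rule.ip_mask:
            continue
        if (mac ^ rule.mac) & rule.mac_mask:
            continue
        if rule.vlan is not None and rule.vlan != vlan:
            continue  # VLAN is checked only when the rule names one
        if rule.vsi is not None and rule.vsi != vsi:
            continue  # same for the VSI
        return rule.rule_id, rule.action
    return None


SAMPLE_RULES = [parse_rule(line) for line in (
    "arp detection rule 10 deny ip any mac any vlan 2",  # constructed for this example
    "arp detection rule 1 permit ip 10.1.1.2 255.255.0.0 "
    "mac 0001-0203-0406 ffff-ffff-0000 vsi vpna",
    "arp detection rule 0 permit ip 10.1.1.1 255.255.0.0 "
    "mac 0001-0203-0405 ffff-ffff-0000",
)]

if __name__ == "__main__":
    print(check_user(SAMPLE_RULES, "10.1.200.7", "0001-0203-aaaa", vlan=2))
    print(check_user(SAMPLE_RULES, "10.2.0.9", "0001-0203-0405", vlan=2))
    print(check_user(SAMPLE_RULES, "10.2.0.9", "0001-0203-0405", vlan=3))
```
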

arp detection trust

Use arp detection trust to configure an interface as an ARP trusted interface or configure an AC as an ARP trusted AC.

Use undo arp detection trust to restore the default.

Syntax

arp detection trust

undo arp detection trust

Default

An interface is an ARP untrusted interface. An AC is an ARP untrusted AC.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Examples

# Configure Ten-GigabitEthernet 0/0/6 as an ARP trusted interface.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/6

[Sysname-Ten-GigabitEthernet0/0/6] arp detection trust

arp detection validate

Use arp detection validate to enable ARP packet validity check.

Use undo arp detection validate to disable ARP packet validity check.

Syntax

arp detection validate { dst-mac | ip | src-mac } *

undo arp detection validate [ dst-mac | ip | src-mac ] *

Default

ARP packet validity check is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

ip: Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.

src-mac: Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.

Usage guidelines

You can specify more than one object to be checked in one command line.

If no keyword is specified, the undo arp detection validate command disables ARP packet validity check for all objects.

Examples

# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.

<Sysname> system-view

[Sysname] arp detection validate dst-mac ip src-mac
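
The three checks described under Parameters, modeled in Python as an added example (not the device's implementation). It assumes untagged Ethernet frames carrying IPv4 ARP; the function names are hypothetical and every sample frame is constructed.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, ONES_MAC = bytes(6), b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def build_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Build an untagged Ethernet + ARP frame (MACs in H-H-H, IPs dotted)."""
    mac = lambda s: bytes.fromhex(s.replace("-", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), 0x0806)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def invalid_ip(raw: bytes) -> bool:
    """All-one or multicast addresses are invalid, as stated for the ip keyword."""
    addr = ipaddress.IPv4Address(raw)
    return addr == ipaddress.IPv4Address("255.255.255.255") or addr.is_multicast


def failed_checks(frame: bytes, enabled=("dst-mac", "ip", "src-mac")) -> list:
    """Return the enabled checks that the frame fails (empty list: forwarded)."""
    p = parse_arp_frame(frame)
    is_reply = p["oper"] == ARP_REPLY
    failed = []
    # dst-mac: target MAC of ARP responses only.
    if "dst-mac" in enabled and is_reply:
        if p["tha"] in (ZERO_MAC, ONES_MAC) or p["tha"] != p["eth_dst"]:
            failed.append("dst-mac")
    # ip: sender and target IP of replies, sender IP only of requests.
    if "ip" in enabled:
        addrs = [p["spa"], p["tpa"]] if is_reply else [p["spa"]]
        if any(invalid_ip(a) for a in addrs):
            failed.append("ip")
    # src-mac: sender MAC in the ARP body must equal the Ethernet source MAC.
    if "src-mac" in enabled and p["sha"] != p["eth_src"]:
        failed.append("src-mac")
    return failed


# Constructed sample frames.
REQUEST_OK = build_frame("ffff-ffff-ffff", "0001-0203-0405", ARP_REQUEST,
                         "0001-0203-0405", "10.1.1.1",
                         "0000-0000-0000", "10.1.1.2")
REPLY_OK = build_frame("0001-0203-0405", "0001-0203-0406", ARP_REPLY,
                       "0001-0203-0406", "10.1.1.2",
                       "0001-0203-0405", "10.1.1.1")
REPLY_SENDER_MISMATCH = build_frame("0001-0203-0405", "0001-0203-0406", ARP_REPLY,
                                    "0001-0203-0499", "10.1.1.2",
                                    "0001-0203-0405", "10.1.1.1")
REPLY_ZERO_TARGET = build_frame("0001-0203-0405", "0001-0203-0406", ARP_REPLY,
                                "0001-0203-0406", "10.1.1.2",
                                "0000-0000-0000", "10.1.1.1")
REPLY_MULTICAST_IP = build_frame("0001-0203-0405", "0001-0203-0406", ARP_REPLY,
                                 "0001-0203-0406", "10.1.1.2",
                                 "0001-0203-0405", "224.0.0.1")

if __name__ == "__main__":
    for name in ("REQUEST_OK", "REPLY_OK", "REPLY_SENDER_MISMATCH",
                 "REPLY_ZERO_TARGET", "REPLY_MULTICAST_IP"):
        print(name, failed_checks(globals()[name]))
```

The all-zero target MAC in REQUEST_OK is not a failure because dst-mac applies only to ARP responses.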

arp restricted-forwarding enable

Use arp restricted-forwarding enable to enable ARP restricted forwarding.

Use undo arp restricted-forwarding enable to disable ARP restricted forwarding.

Syntax

arp restricted-forwarding enable

undo arp restricted-forwarding enable

Default

ARP restricted forwarding is disabled.

Views

VLAN view

Predefined user roles

network-admin

Examples

# Enable ARP restricted forwarding in VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp restricted-forwarding enable

display arp detection

Use display arp detection to display the VLANs and VSIs that are enabled with ARP attack detection.

Syntax

display arp detection

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the VLANs and VSIs that are enabled with ARP attack detection.

<Sysname> display arp detection

ARP detection is enabled in the following VLANs:

1-2, 4-5

 ARP detection is enabled in the following VSIs:

 vpna

 vsi-0000-0000-0031

 vpnb

 vpnc-vsi-0000-0000-00aa

Related commands

arp detection enable

display arp detection statistics attack-source

Use display arp detection statistics attack-source to display statistics for ARP attack sources.

Syntax

display arp detection statistics attack-source slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number.

Usage guidelines

This command displays a maximum of 1023 statistic entries for ARP attack sources and 1 identification entry.

When the maximum number is reached for the first time, the device overwrites the oldest statistics entry with the newest statistic entry and generates an identification entry. The parameters in the identification entry are as follows:

·     The Interface, VLAN, MAC address, and IP address fields are empty.

·     The Number field displays the value of the Number field in the old entry that has been overwritten.

·     The Time field displays the time when the new entry was generated.

Subsequently, each time a new statistic entry is generated, the device updates the identification entry as follows:

·     Adds the Number field value of the new entry to the current value of the Number field.

·     Replaces the Time field value with the time when this identification entry was updated.

Examples

# Display statistics for ARP attack sources on slot 1.

<Sysname> display arp detection statistics attack-source slot 1

Interface              VLAN  MAC address    IP address      Number     Time

XGE0/0/6               1     0005-0001-0001 10.1.1.14       24         17:09:56

03-27-2017

Table 5 Command output

Field          Description

Interface      Receiving interface of ARP attack packets.

VLAN           VLAN to which ARP attack packets belong.

MAC address    Sender MAC address in ARP attack packets.

IP address     Sender IP address in ARP attack packets.

Number         Number of ARP attack packets dropped by ARP attack detection.

Time           The most recent time when ARP attack detection dropped an ARP attack packet.

Related commands

arp detection enable

display arp detection statistics packet-drop

Use display arp detection statistics packet-drop to display statistics for packets dropped by ARP attack detection.

Syntax

display arp detection statistics packet-drop [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays dropped packet statistics for all interfaces.

Usage guidelines

This command displays numbers of packets discarded by user validity check and ARP packet validity check on interfaces.

Examples

# Display statistics for packets dropped by ARP attack detection.

<Sysname> display arp detection statistics packet-drop

State: U-Untrusted  T-Trusted

ARP packets dropped by ARP inspect checking:

Interface(State)            IP        Src-MAC   Dst-MAC   Inspect

XGE1/0/1(U)                 40        0         0         78

XGE1/0/2(U)                 0         0         0         0

XGE1/0/3(T)                 0         0         0         0

XGE1/0/4(U)                 0         0         30        0

Table 6 Command output

Field               Description

State               State of an interface:

·     U—ARP untrusted interface.

·     T—ARP trusted interface.

Interface(State)    Inbound interface of ARP packets. State specifies the port state, trusted or untrusted.

IP                  Number of ARP packets discarded due to invalid sender and target IP addresses.

Src-MAC             Number of ARP packets discarded due to invalid source MAC address.

Dst-MAC             Number of ARP packets discarded due to invalid destination MAC address.

Inspect             Number of ARP packets that failed to pass user validity check.

Related commands

reset arp detection statistics packet-drop
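
An added monitoring sketch (not an H3C tool) that parses the packet-drop output shown above and reports which counters grew between two polls. SNAPSHOT_T0 is the example output from this section, SNAPSHOT_T1 is constructed, and the function names are hypothetical.

```python
import re

# One data row: Interface(State) followed by the four drop counters.
ROW = re.compile(
    r"^\s*(?P<ifname>\S+)\((?P<state>[UT])\)\s+(?P<ip>\d+)\s+"
    r"(?P<src_mac>\d+)\s+(?P<dst_mac>\d+)\s+(?P<inspect>\d+)\s*$"
)

# Meaning of each counter, taken from the command output table.
COUNTERS = {
    "ip": "invalid sender and target IP addresses",
    "src_mac": "invalid source MAC address",
    "dst_mac": "invalid destination MAC address",
    "inspect": "failed user validity check",
}


def parse_packet_drop(text: str) -> dict:
    """Map interface name -> {'trusted': bool, 'ip': n, 'src_mac': n, ...}."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue   # legend, title, header and blank lines
        entry = {"trusted": m["state"] == "T"}
        entry.update({name: int(m[name]) for name in COUNTERS})
        rows[m["ifname"]] = entry
    return rows


def drop_deltas(prev: dict, cur: dict) -> dict:
    """Counters that grew since the previous snapshot, per interface.

    A counter lower than before means the statistics were cleared between
    polls, so the current value is taken as the growth.
    """
    grown = {}
    for ifname, now in cur.items():
        before = prev.get(ifname, {})
        delta = {}
        for name in COUNTERS:
            diff = now[name] - before.get(name, 0)
            if diff < 0:
                diff = now[name]
            if diff > 0:
                delta[name] = diff
        if delta:
            grown[ifname] = delta
    return grown


# Example output from this section.
SNAPSHOT_T0 = """\
State: U-Untrusted  T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State)            IP        Src-MAC   Dst-MAC   Inspect
XGE1/0/1(U)                 40        0         0         78
XGE1/0/2(U)                 0         0         0         0
XGE1/0/3(T)                 0         0         0         0
XGE1/0/4(U)                 0         0         30        0
"""

# Constructed later snapshot of the same interfaces.
SNAPSHOT_T1 = """\
State: U-Untrusted  T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State)            IP        Src-MAC   Dst-MAC   Inspect
XGE1/0/1(U)                 40        0         0         95
XGE1/0/2(U)                 0         12        0         0
XGE1/0/3(T)                 0         0         0         0
XGE1/0/4(U)                 0         0         30        0
"""

if __name__ == "__main__":
    deltas = drop_deltas(parse_packet_drop(SNAPSHOT_T0),
                         parse_packet_drop(SNAPSHOT_T1))
    for ifname, delta in deltas.items():
        for name, count in delta.items():
            print(f"{ifname}: +{count} dropped ({COUNTERS[name]})")
```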

reset arp detection statistics attack-source

Use reset arp detection statistics attack-source to clear statistics for ARP attack sources.

Syntax

reset arp detection statistics attack-source [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears ARP attack source statistics for all cards.

Examples

# Clear statistics for ARP attack sources.

<Sysname> reset arp detection statistics attack-source

Related commands

arp detection enable

display arp detection statistics attack-source

reset arp detection statistics packet-drop

Use reset arp detection statistics packet-drop to clear statistics for packets dropped by ARP attack detection.

Syntax

reset arp detection statistics packet-drop [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears dropped packet statistics for all interfaces.

Examples

# Clear statistics for packets dropped by ARP attack detection.

<Sysname> reset arp detection statistics packet-drop

Related commands

display arp detection statistics packet-drop

ARP scanning and fixed ARP commands

arp fixup

Use arp fixup to convert existing dynamic ARP entries to static ARP entries.

Use undo arp fixup to convert valid static ARP entries to dynamic ARP entries and delete invalid static ARP entries.

Syntax

arp fixup

undo arp fixup

Views

System view

Predefined user roles

network-admin

Usage guidelines

The ARP conversion is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.

The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries. Due to the device's limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.

The static ARP entries after conversion can include the following entries:

·     Existing dynamic and static ARP entries before conversion.

·     New dynamic ARP entries learned during the conversion.

Dynamic ARP entries that are aged out during the conversion are not converted to static ARP entries.

To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.

Examples

# Convert existing dynamic ARP entries to static ARP entries.

<Sysname> system-view

[Sysname] arp fixup

This command will convert existing dynamic ARP entries to static ARP entries. Continue? [Y/N]:Y

Fixup ARP. Please wait...

Fixup is complete.

arp scan

Use arp scan to trigger ARP scanning in an address range.

Syntax

arp scan [ start-ip-address to end-ip-address ]

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VSI interface view

VLAN interface view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address of the scanning range.

end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.

Usage guidelines

CAUTION:

ARP scanning will take some time and occupy a lot of system and network resources. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

ARP scanning automatically creates ARP entries for devices in the specified address range. IP addresses already in existing ARP entries are not scanned.

If the interface's primary and secondary IP addresses are in the address range, the sender IP address in the ARP request is the address on the smallest network segment.

If no address range is specified, the device learns ARP entries for devices on the subnet where the primary IP address of the interface resides. The sender IP address in the ARP requests is the primary IP address of the interface.

The start and end IP addresses must be on the same subnet as the primary IP address or secondary IP addresses of the interface.

Examples

# Configure the device to scan neighbors on the network where the primary IP address of Ten-GigabitEthernet 0/0/6 resides.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/6

[Sysname-Ten-GigabitEthernet0/0/6] arp scan

# Configure the device to scan neighbors in an address range.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/6

[Sysname-Ten-GigabitEthernet0/0/6] arp scan 1.1.1.1 to 1.1.1.20

arp scan auto enable

Use arp scan auto enable to enable automatic ARP scanning in a specified address range on an interface.

Use undo arp scan auto enable to disable automatic ARP scanning or cancel specified ARP scanning range settings for subnets on an interface.

Syntax

arp scan auto enable [ start-ip-address to end-ip-address [ source-addr source-ip-address ] ]

undo arp scan auto enable [ start-ip-address to end-ip-address ]

Default

Automatic ARP scanning is disabled on an interface.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VSI interface view

VLAN interface view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address of the scanning range.

to end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address. The maximum number of IP addresses in the IP range is 65535.

source-addr source-ip-address: Specifies the source address for the ARP requests. The source-ip-address argument can be any valid IP address. If you do not specify this option, the interface uses its IP address as the source address of the ARP requests.

Usage guidelines

Application scenarios

Automatic ARP scanning enables an interface to update its ARP entries in time. It automatically sends ARP requests to the IP addresses in the specified address range to create ARP entries for them. IP addresses that already have ARP entries are not scanned any more.

Operating mechanism

If you know the IP address range assigned to the neighbors on the LAN, you can specify the assigned IP address range as the ARP scanning range to shorten the scanning waiting time. You can use this command to specify a maximum of 16 scanning ranges for different subnets. The subnet addresses for each scanning range cannot overlap with each other.

If you specify the ARP scanning range without specifying the source address for ARP requests, the interface scans the IP address intersection of the scanning range and the subnet of the interface. If the interface is configured with IP addresses on different subnets that intersect with the scanning range, the device uses the target IP address in each ARP request to match the subnets. The source IP address is the IP address with the longest subnet mask on the matching subnet. If the subnet masks are of the same length, the source address is the primary IP address for the interface. If all IP addresses in the scanning range are on the same subnet of the interface, the source address is that subnet IP address.

If you specify both the ARP scanning range and the source address for ARP requests, the interface scans all IP addresses in the scanning range regardless of the subnet addresses of the interface.

If the ARP scanning range is not specified, the interface scans neighbors on the subnets where the primary IP address and secondary IP addresses of the interface reside. The source IP addresses for the ARP requests are the primary IP address and secondary IP addresses for the interface.

You can set the ARP request sending rate by using the arp scan auto send-rate command.

Restrictions and guidelines

If you trigger ARP scanning and enable automatic ARP scanning on an interface, both of them take effect. As a best practice, enable automatic ARP scanning only on networks where users come online and go offline frequently.

Examples

# Configure the device to automatically scan the neighbors on the network where the primary IP address of Ten-GigabitEthernet 0/0/6 resides.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/6

[Sysname-Ten-GigabitEthernet0/0/6] arp scan auto enable

Related commands

arp scan auto send-rate

arp scan auto send-rate

Use arp scan auto send-rate to set the ARP packet sending rate for automatic ARP scanning.

Use undo arp scan auto send-rate to restore the default.

Syntax

arp scan auto send-rate { ppm ppm | pps }

undo arp scan auto send-rate

Default

The device sends ARP packets at the rate of 48 pps during automatic ARP scanning.

Views

System view

Predefined user roles

network-admin

Parameters

ppm ppm: Specifies the ARP packet sending rate, in packets per minute (ppm). The value range for the ppm argument is 10 to 600, and the value must be a multiple of 10.

pps: Specifies the ARP packet sending rate, in packets per second (pps). The value range for the pps argument is 10 to 1000, and the value must be a multiple of 10.

Usage guidelines

You can set the ARP packet sending rate if the scanning range has a large number of IP addresses. This setting can avoid high CPU usage and heavy network load caused by a burst of ARP traffic.

When you set the sending rate to a large value, the device might use a rate lower than the specified rate to ensure the device performance.

Examples

# Set the ARP packet sending rate to 10 pps during automatic ARP scanning.

<Sysname> system-view

[Sysname] arp scan auto send-rate 10

Related commands

arp scan auto enable

ARP keepalive entry scanning commands

arp scan keepalive aging-time

Use arp scan keepalive aging-time to set the aging time for ARP keepalive entries.

Use undo arp scan keepalive aging-time to restore the default.

Syntax

arp scan keepalive aging-time time

undo arp scan keepalive aging-time

Default

In system view, the aging time for ARP keepalive entries is 60 minutes.

In interface view, the aging time for ARP keepalive entries is the aging time set in system view.

Views

System view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VSI interface view

VLAN interface view

Predefined user roles

network-admin

Parameters

time: Specifies the aging time for ARP keepalive entries in minutes. The value range for this argument is 1 to 1440.

Usage guidelines

Application scenarios

With ARP keepalive entry scanning enabled, the device generates a keepalive entry in online state for a user that comes online. If the user goes offline, the device will perform the following tasks:

·     Set the state of the keepalive entry for that user to offline state.

·     Delete the keepalive entry if its state does not restore to online after the aging time elapses.

To set the aging time for ARP keepalive entries, use this command.

Operating mechanism

You can set the aging time for ARP keepalive entries in both system view and interface view. The aging time set in interface view takes precedence over the aging time set in system view. In interface view, the default aging time for ARP keepalive entries is the aging time set in system view.

Restrictions and guidelines

A short aging time does not give keepalive entries enough time to return to the online state. A long aging time leads to redundant entries.

Examples

# Set the aging time for ARP keepalive entries to 10 minutes.

<Sysname> system-view

[Sysname] arp scan keepalive aging-time 10

# Set the aging time for ARP keepalive entries to 100 minutes on Ten-GigabitEthernet 0/0/6.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/6

[Sysname-Ten-GigabitEthernet0/0/6] arp scan keepalive aging-time 100

Related commands

arp scan keepalive enable

arp scan keepalive enable

Use arp scan keepalive enable to enable ARP keepalive entry scanning.

Use undo arp scan keepalive enable to disable ARP keepalive entry scanning.

Syntax

arp scan keepalive enable

undo arp scan keepalive enable

Default

ARP keepalive entry scanning is disabled on an interface.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VSI interface view

VLAN interface view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

In a large-scale network, it takes a long time for ARP scanning to identify the hosts that go offline abnormally if you specify a large scanning range. After you enable ARP keepalive entry scanning, the system can quickly locate those hosts and monitor the host status within the aging time.

Operating mechanism

When users come online, the system generates dynamic ARP entries and IPSG binding entries. Enabled with ARP keepalive entry scanning, the system also creates online keepalive entries when users come online. If users go offline, the corresponding ARP entries are deleted and the status of the keepalive entries is set to offline. The device sends ARP requests at intervals to the IP addresses in the offline keepalive entries until the keepalive entries become online again.

The interval varies with the number of ARP requests that have been sent to the IP address in an offline keepalive entry:

·     If the number is not greater than 50, the device sends an ARP request every 30 seconds.

·     If the number is greater than 50 but not greater than 100, the device sends an ARP request every 45 seconds.

·     If the number is greater than 100, the device sends an ARP request every 60 seconds.

To view the keepalive entries, use the display arp scan keepalive entry command.

For more information about IP source guard configuration, see Security Configuration Guide.

Restrictions and guidelines

To set the aging time for ARP keepalive entries, use the arp scan keepalive aging-time command. The offline keepalive entries are deleted when the aging time expires.

Examples

# Enable ARP keepalive entry scanning on Ten-GigabitEthernet 0/0/6.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/6

[Sysname-Ten-GigabitEthernet0/0/6] arp scan keepalive enable

Related commands

arp scan keepalive aging-time

arp scan keepalive send-rate

display arp scan keepalive entry

arp scan keepalive send-rate

Use arp scan keepalive send-rate to set the ARP request sending rate for keepalive entry scanning.

Use undo arp scan keepalive send-rate to restore the default.

Syntax

arp scan keepalive send-rate pps

undo arp scan keepalive send-rate

Default

The device sends ARP requests at a rate of 48 pps during keepalive entry scanning.

Views

System view

Predefined user roles

network-admin

Parameters

pps: Specifies the ARP packet sending rate, in packets per second (pps). The value range for this argument is 10 to 1000, and the value must be a multiple of 10.

Usage guidelines

Application scenarios

Enabled with keepalive entry scanning, the interface sends ARP requests to the IP addresses in the offline keepalive entries. To avoid any impact on the device performance, use this command to set the ARP packet sending rate for keepalive entry scanning.

Operating mechanism

If the status of a keepalive entry is set to offline and does not become online within an interval, the keepalive entry is to be scanned. The interface sends an ARP request per second to the IP address in each keepalive entry to be scanned.

The ARP packet sending rate is the maximum number of scanned keepalive entries per second.

·     If the number of keepalive entries to be scanned per second is lower than the sending rate, the device scans all these keepalive entries within a second.

·     If the number of keepalive entries to be scanned per second is greater than the sending rate, the device scans the keepalive entries at the sending rate.

Restrictions and guidelines

When you set the sending rate to a large value, the device might use a rate lower than the specified rate to ensure the device performance.

Examples

# Set the ARP packet sending rate to 10 pps during keepalive entry scanning.

<Sysname> system-view

[Sysname] arp scan keepalive send-rate 10

Related commands

arp scan keepalive enable

display arp scan keepalive entry

Use display arp scan keepalive entry to display ARP keepalive entries.

Syntax

display arp scan keepalive entry [ interface interface-type interface-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays ARP keepalive entries for all interfaces.

count: Displays the total number of ARP keepalive entries.

Examples

# Display ARP keepalive entries.

<Sysname> display arp scan keepalive entry

Interface: XGE0/0/6

IPv4 address: 192.168.56.1        MAC address: 08-00-27-00-50-38

VLANID: 1                         SECVLANID: 1

Port interface: --                VPN instance: --

Scan status: 1                    Probe count: 10

Scan time: 08:01:01

Table 7 Command output

Field             Description

Interface         Name of an interface.

IPv4 address      IPv4 address in the ARP keepalive entry.

MAC address       MAC address in the ARP keepalive entry.

VLANID            ID of the primary VLAN.

SECVLANID         ID of the secondary VLAN.

Port interface    Layer 2 input interface for ARP packets.

VPN instance      Name of the VPN instance.

Scan status       Status of the ARP keepalive entry:

·     0—Offline.

·     1—Online.

Probe count       Number of scans on the ARP keepalive entry.

Scan time         Time when the ARP keepalive entry became offline.

display arp scan keepalive statistics

Use display arp scan keepalive statistics to display statistics about ARP keepalive entry scanning.

Syntax

display arp scan keepalive statistics [ slot slot-number [ cpu cpu-number ] ] [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics about ARP keepalive entry scanning for all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics about ARP keepalive entry scanning on all cards.

Usage guidelines

Interfaces enabled with ARP keepalive entry scanning send ARP requests to the IP addresses in offline ARP keepalive entries until the entries restore online state. This command displays the number of the ARP requests sent to the IP addresses in the offline keepalive entries in the last five seconds, one minute, and five minutes.

A large number of ARP requests indicates that there are many offline keepalive entries or that some entries have remained in offline state for a long time. The reasons and solutions are as follows:

1.     Use the display arp scan keepalive entry command to identify the number of offline keepalive entries.

2.     If the number of offline keepalive entries is large, check the aging time set for offline keepalive entries. Shorten the aging time if it is too long.

3.     If the aging time is proper, the problem might be caused by too many abnormal user offline events. In this case, check the network configuration and condition.

4.     If the number of offline keepalive entries is not large, the problem might be that some offline keepalive entries cannot be restored to online state through ARP requests. In this case, troubleshoot based on the offline entries.

Examples

# Display statistics about ARP requests sent to the IP addresses in offline keepalive entries on slot 1.

<Sysname> display arp scan keepalive statistics slot 1

Scanning statistics for slot 1:

     Total ARP requests: 1000 packets

     Start time for statistics: 12:20:30

Interface                     5 secs   1 min    5 mins 

Ten-GigabitEthernet0/0/6            123      200       230

Ten-GigabitEthernet0/0/7            0        0         0

Ten-GigabitEthernet0/0/8            0        0         0

Ten-GigabitEthernet0/0/9            0        0         0

Ten-GigabitEthernet0/0/10            0        0         0

Ten-GigabitEthernet0/0/11            0        0         0

Table 8 Command output

Field                        Description

Total ARP requests           Total number of ARP requests sent to the IP addresses in offline keepalive entries.

Start time for statistics    Time when the device started counting the number of ARP requests sent to the IP addresses in offline keepalive entries.

Interface                    Name of an interface that sends ARP requests to the IP addresses in offline keepalive entries.

5 secs                       Number of the ARP requests sent in the last five seconds.

1 min                        Number of the ARP requests sent in the last one minute.

5 mins                       Number of the ARP requests sent in the last five minutes.

Related commands

reset arp scan keepalive statistics

reset arp scan keepalive statistics

Use reset arp scan keepalive statistics to clear statistics about ARP keepalive entry scanning.

Syntax

reset arp scan keepalive statistics [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics about ARP keepalive entry scanning on all cards.

Usage guidelines

This command clears statistics about the ARP requests sent to the IP addresses in offline keepalive entries.

The ARP request count and the statistics start time displayed by the display arp scan keepalive statistics command are the data collected since the most recent execution of the reset arp scan keepalive statistics command.

Examples

# Clear statistics about ARP requests sent to the IP addresses in offline keepalive entries on slot 1.

<Sysname> reset arp scan keepalive statistics slot 1

Related commands

display arp scan keepalive statistics

ARP gateway protection commands

arp filter source

Use arp filter source to enable ARP gateway protection for a gateway.

Use undo arp filter source to disable ARP gateway protection for a gateway.

Syntax

arp filter source ip-address

undo arp filter source ip-address

Default

ARP gateway protection is disabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of a protected gateway.

Usage guidelines

You can enable ARP gateway protection for a maximum of eight gateways on an interface.

You cannot configure both the arp filter source and arp filter binding commands on the same interface.

Examples

# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/6

[Sysname-Ten-GigabitEthernet0/0/6] arp filter source 1.1.1.1

ARP filtering commands

arp filter binding

Use arp filter binding to enable ARP filtering and configure an ARP permitted entry.

Use undo arp filter binding to remove an ARP permitted entry.

Syntax

arp filter binding ip-address mac-address

undo arp filter binding ip-address

Default

ARP filtering is disabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies a permitted sender IP address.

mac-address: Specifies a permitted sender MAC address.

Usage guidelines

If the sender IP and MAC addresses of an ARP packet match an ARP permitted entry, the ARP packet is permitted. If the sender IP and MAC addresses of an ARP packet do not match an ARP permitted entry, the ARP packet is discarded.

You can configure a maximum of eight ARP permitted entries on an interface.

You cannot configure both the arp filter source and arp filter binding commands on the same interface.

Examples

# Enable ARP filtering and configure an ARP permitted entry.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/6

[Sysname-Ten-GigabitEthernet0/0/6] arp filter binding 1.1.1.1 0e10-0213-1023

ARP packet sender IP address checking commands

arp sender-ip-range

Use arp sender-ip-range to specify the sender IP address range for ARP packet checking.

Use undo arp sender-ip-range to restore the default.

Syntax

arp sender-ip-range start-ip-address end-ip-address

undo arp sender-ip-range

Default

No sender IP address range is specified for ARP packet checking.

Views

VLAN view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address.

end-ip-address: Specifies the end IP address. The end IP address must be higher than or equal to the start IP address.

Usage guidelines

The gateway discards an ARP packet if its sender IP address is not within the allowed IP address range.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the sender IP address range 1.1.1.1 to 1.1.1.20 for ARP packet checking in VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp sender-ip-range 1.1.1.1 1.1.1.20
