10-Security Command Reference

02-ARP attack protection commands

Unresolvable IP attack protection commands

The device operates in IRF or standalone (the default) mode. For information about IRF mode, see IRF Configuration Guide.

arp resolving-route enable

Use arp resolving-route enable to enable ARP black hole routing.

Use undo arp resolving-route enable to disable ARP black hole routing.

Syntax

arp resolving-route enable

undo arp resolving-route enable

Default

The ARP black hole routing function is enabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Configure this feature on the gateways.

If a device receives a large number of unresolvable IP packets from a host, the following situations can occur:

·           The device sends a large number of ARP requests, overloading the target subnets.

·           The device keeps trying to resolve destination IP addresses, overloading its CPU.

If the IP packets have different source addresses, you can enable the ARP black hole routing function. After receiving an unresolvable IP packet, the device creates a black hole route destined for the target IP address and drops all matching packets until the black hole route ages out.

Examples

# Enable ARP black hole routing.

<Sysname> system-view

[Sysname] arp resolving-route enable

arp source-suppression enable

Use arp source-suppression enable to enable the ARP source suppression function.

Use undo arp source-suppression enable to restore the default.

Syntax

arp source-suppression enable

undo arp source-suppression enable

Default

The ARP source suppression function is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Configure this feature on the gateway devices.

Examples

# Enable the ARP source suppression function.

<Sysname> system-view

[Sysname] arp source-suppression enable

Related commands

display arp source-suppression

arp source-suppression limit

Use arp source-suppression limit to set the maximum number of unresolvable packets that can be received from a device in 5 seconds.

Use undo arp source-suppression limit to restore the default.

Syntax

arp source-suppression limit limit-value

undo arp source-suppression limit

Default

The maximum number is 10.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

limit-value: Sets the maximum number of unresolvable packets that can be processed in 5 seconds. It is in the range of 2 to 1024.

Usage guidelines

If the number of unresolvable packets from a host within 5 seconds exceeds the specified threshold, the device stops processing packets from that host until the 5 seconds elapse.

Examples

# Set the maximum number of unresolvable packets that can be received from a device in 5 seconds to 100.

<Sysname> system-view

[Sysname] arp source-suppression limit 100

Related commands

display arp source-suppression

display arp source-suppression

Use display arp source-suppression to display information about the current ARP source suppression configuration.

Syntax

display arp source-suppression

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression

 ARP source suppression is enabled

 Current suppression limit: 100

Table 1 Command output

Field

Description

Current suppression limit

Maximum number of unresolvable packets that can be received from a host in 5 seconds.


ARP packet rate limit commands

arp rate-limit

Use arp rate-limit pps to enable ARP packet rate limit on an interface and configure the rate limit. Packets that exceed the limit are discarded.

Use undo arp rate-limit [ pps ] to disable ARP packet rate limit.

Syntax

arp rate-limit [ pps ]

undo arp rate-limit [ pps ]

Default

The ARP packet rate limit function is disabled.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

pps: Specifies the upper limit for ARP packet rate in pps. The value is in the range of 10 to 5000.

Usage guidelines

If you do not specify the pps argument in the arp rate-limit command, ARP packet rate limit is disabled.

Examples

# Specify the maximum ARP packet rate on GigabitEthernet 3/0/1 as 50 pps.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] arp rate-limit 50

Source MAC based ARP attack detection commands

arp source-mac

Use arp source-mac to enable the source MAC address based ARP attack detection and specify a handling method.

Use undo arp source-mac to restore the default.

Syntax

arp source-mac { filter | monitor }

undo arp source-mac [ filter | monitor ]

Default

The source MAC address based ARP attack detection function is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

filter: Generates log messages and discards subsequent ARP packets from the MAC address.

monitor: Only generates log messages.

Usage guidelines

Configure this feature on the gateway devices.

This function enables the switch to count the ARP packets received from the same source MAC address within 5 seconds and compare the count against a specific threshold. If the threshold is exceeded, the switch takes the preconfigured method to handle the attack.

If neither the filter nor the monitor keyword is specified in the undo arp source-mac command, both handling methods are disabled.

Examples

# Enable the source MAC based ARP attack detection and specify the filter handling method.

<Sysname> system-view

[Sysname] arp source-mac filter

arp source-mac aging-time

Use arp source-mac aging-time to configure the aging time for ARP attack entries.

Use undo arp source-mac aging-time to restore the default.

Syntax

arp source-mac aging-time time

undo arp source-mac aging-time

Default

The aging time for ARP attack entries is set to 300 seconds (5 minutes).

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds.

Examples

# Set the aging time for ARP attack entries to 60 seconds.

<Sysname> system-view

[Sysname] arp source-mac aging-time 60

arp source-mac exclude-mac

Use arp source-mac exclude-mac to exclude specified MAC addresses from source MAC address based ARP attack detection.

Use undo arp source-mac exclude-mac to remove the excluded MAC addresses.

Syntax

arp source-mac exclude-mac mac-address&<1-n>

undo arp source-mac exclude-mac [ mac-address&<1-n> ]

Default

No MAC address is excluded from source MAC address based ARP attack detection.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

mac-address&<1-n>: MAC address list. The mac-address argument indicates an excluded MAC address in the format H-H-H. &<1-n> indicates the number of excluded MAC addresses that you can configure. The value for the n argument is in the range of 1 to 10.

Usage guidelines

If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.

Examples

# Exclude a MAC address from source MAC based ARP attack detection.

<Sysname> system-view

[Sysname] arp source-mac exclude-mac 2-2-2

arp source-mac threshold

Use arp source-mac threshold to configure the threshold for source MAC address based ARP attack detection. If the number of ARP packets sent from a MAC address within 5 seconds exceeds this threshold, the device recognizes this as an attack.

Use undo arp source-mac threshold to restore the default.

Syntax

arp source-mac threshold threshold-value

undo arp source-mac threshold

Default

The threshold for source MAC address based ARP attack detection is 30.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

threshold-value: Specifies the threshold for source MAC address based ARP attack detection. The value is in the range of 1 to 5000.

Examples

# Configure the threshold for source MAC address based ARP attack detection as 30.

<Sysname> system-view

[Sysname] arp source-mac threshold 30
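The arp source-mac, arp source-mac aging-time, arp source-mac exclude-mac and arp source-mac threshold commands above configure one detector. The Python model below is an added example, not H3C code: it assumes a sliding 5-second window (the page does not say how the switch buckets its count), uses the page's defaults of 30 packets and 300 seconds, and the MAC addresses in the sample are made up.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List

WINDOW_SECONDS = 5  # the page's fixed 5-second counting interval

class SourceMacArpDetector:
    """Model of source MAC based ARP attack detection: count ARP packets per
    source MAC, create an aging attack entry when the threshold is exceeded,
    and filter (drop) or only monitor (log) later packets from that MAC."""

    def __init__(self, threshold: int = 30, aging_time: int = 300,
                 mode: str = "monitor", exclude_macs: Iterable[str] = ()):
        # Ranges and defaults are the ones the page states for the commands.
        if not 1 <= threshold <= 5000:
            raise ValueError("threshold-value must be 1-5000")
        if not 60 <= aging_time <= 6000:
            raise ValueError("aging time must be 60-6000 seconds")
        if mode not in ("filter", "monitor"):
            raise ValueError("handling method must be filter or monitor")
        self.exclude = {m.lower() for m in exclude_macs}
        if len(self.exclude) > 10:
            raise ValueError("at most 10 excluded MAC addresses")
        self.threshold, self.aging_time, self.mode = threshold, aging_time, mode
        self._window: Dict[str, Deque[float]] = defaultdict(deque)  # timestamps per MAC
        self.attack_entries: Dict[str, float] = {}  # MAC -> time the entry ages out
        self.log: List[str] = []

    def _age_out(self, now: float) -> None:
        for mac in [m for m, expiry in self.attack_entries.items() if now >= expiry]:
            del self.attack_entries[mac]

    def remaining_aging(self, mac: str, now: float) -> int:
        """Seconds left before the entry ages out (the Aging-time column of display arp source-mac); 0 if none."""
        expiry = self.attack_entries.get(mac.lower())
        return max(0, int(expiry - now)) if expiry else 0

    def handle(self, src_mac: str, now: float) -> str:
        """Process one ARP packet from src_mac at time `now`; return 'forward' or 'drop'."""
        mac = src_mac.lower()
        self._age_out(now)
        if mac in self.exclude:
            return "forward"
        if mac in self.attack_entries:
            return "drop" if self.mode == "filter" else "forward"
        window = self._window[mac]
        window.append(now)
        while now - window[0] >= WINDOW_SECONDS:  # assumption: sliding window
            window.popleft()
        if len(window) > self.threshold:
            self.attack_entries[mac] = now + self.aging_time
            self.log.append(f"{now:.1f}s ARP attack from {mac}: {len(window)} packets in "
                            f"{WINDOW_SECONDS}s (threshold {self.threshold}), method={self.mode}")
            window.clear()
            return "drop" if self.mode == "filter" else "forward"
        return "forward"

def replay(detector: SourceMacArpDetector, packets: Iterable[tuple]) -> List[str]:
    """Feed (timestamp, src_mac) pairs through the detector and collect the verdicts."""
    return [detector.handle(mac, t) for t, mac in packets]

# Constructed sample (made-up addresses): one chatty host and one quiet host.
SAMPLE = [(0.0, "23f3-1122-3344"), (0.5, "23f3-1122-3344"), (1.0, "23f3-1122-3344"),
          (1.5, "23f3-1122-3344"), (2.0, "23f3-1122-3355"), (9.0, "23f3-1122-3344")]
```

With threshold 3 and the filter method, the fourth packet from the chatty host creates an attack entry and is dropped, and the packet at 9 s is dropped because the entry has not aged out yet; with monitor, the same packets are logged but forwarded.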

display arp source-mac

Use display arp source-mac to display ARP attack entries detected by source MAC address based ARP attack detection.

Syntax

In standalone mode:

display arp source-mac { slot slot-number | interface interface-type interface-number }

In IRF mode:

display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Displays ARP attack entries detected on the specified interface.

slot slot-number: Displays ARP attack entries detected on an IRF member device. The slot-number argument specifies the ID of the IRF member device. (In standalone mode.)

chassis chassis-number slot slot-number: Displays ARP attack entries detected on the specified card of an IRF member device. The chassis-number argument specifies the ID of the IRF member device. The slot-number argument specifies the slot number of the card. (In IRF mode.)

Examples

# Display the ARP attack entries detected by source MAC address based ARP attack detection.

<Sysname> display arp source-mac

Source-MAC          VLAN ID  Interface                Aging-time

23f3-1122-3344      4094     GE3/0/1                  10

23f3-1122-3355      4094     GE3/0/2                  30

23f3-1122-33ff      4094     GE3/0/3                  25

23f3-1122-33ad      4094     GE3/0/4                  30

23f3-1122-33ce      4094     GE3/0/5                  2

ARP packet source MAC consistency check commands

arp valid-check enable

Use arp valid-check enable to enable ARP packet source MAC address consistency check on the gateway.

Use undo arp valid-check enable to disable ARP packet source MAC address consistency check.

Syntax

arp valid-check enable

undo arp valid-check enable

Default

ARP packet source MAC address consistency check is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Configure this feature on gateway devices.

After you execute this command, the gateway device can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.

Examples

# Enable ARP packet source MAC address consistency check.

<Sysname> system-view

[Sysname] arp valid-check enable

ARP active acknowledgement commands

arp active-ack enable

Use arp active-ack enable to enable the ARP active acknowledgement function.

Use undo arp active-ack enable to restore the default.

Syntax

arp active-ack enable

undo arp active-ack enable

Default

The ARP active acknowledgement function is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Configure this feature on gateway devices to prevent user spoofing.

Examples

# Enable the ARP active acknowledgement function.

<Sysname> system-view

[Sysname] arp active-ack enable

Authorized ARP commands

NOTE:

This feature can be configured only on Layer 3 Ethernet interfaces. For information about the operating mode of Ethernet interfaces, see Interface Configuration Guide.

arp authorized enable

Use arp authorized enable to enable authorized ARP on an interface.

Use undo arp authorized enable to restore the default.

Syntax

arp authorized enable

undo arp authorized enable

Default

Authorized ARP is not enabled on the interface.

Views

Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view, Layer 3 aggregate interface view, Layer 3 aggregate subinterface view

Predefined user roles

network-admin

mdc-admin

Examples

# Enable authorized ARP on GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] port link-mode route

[Sysname-GigabitEthernet3/0/1] arp authorized enable

ARP detection commands

arp detection enable

Use arp detection enable to enable ARP detection.

Use undo arp detection enable to restore the default.

Syntax

arp detection enable

undo arp detection enable

Default

ARP detection is disabled.

Views

VLAN view

Predefined user roles

network-admin

mdc-admin

Examples

# Enable ARP detection for VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp detection enable

arp detection trust

Use arp detection trust to configure a port as an ARP trusted port.

Use undo arp detection trust to restore the default.

Syntax

arp detection trust

undo arp detection trust

Default

An interface is an ARP untrusted interface.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Examples

# Configure GigabitEthernet 3/0/1 as an ARP trusted interface.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] arp detection trust

arp detection validate

Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line.

Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command deletes all objects.

Syntax

arp detection validate { dst-mac | ip | src-mac } *

undo arp detection validate [ dst-mac | ip | src-mac ] *

Default

ARP packet validity check is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zeros, all-ones, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

ip: Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-zeros, all-ones, or multicast IP addresses are considered invalid and the corresponding packets are discarded.

src-mac: Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.

Examples

# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.

<Sysname> system-view

[Sysname] arp detection validate dst-mac src-mac ip
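The three keywords above, and the source MAC consistency check that arp valid-check enable performs on the gateway, are all comparisons between the Ethernet header and the ARP body. The Python parser below is an added example, not H3C code; the frames it checks are constructed inline with made-up MAC and IP addresses, and the checks follow the keyword descriptions on this page.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Sequence

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_FMT, ARP_FMT = "!6s6sH", "!HHBBH6s4s6s4s"  # Ethernet II header, IPv4-over-Ethernet ARP body

@dataclass
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes

def build_arp(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Build a raw Ethernet+ARP frame; used here only to construct sample input."""
    return (struct.pack(ETH_FMT, eth_dst, eth_src, ETHERTYPE_ARP)
            + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode, sha, spa, tha, tpa))

def parse_arp(frame: bytes) -> ArpFrame:
    """Parse the Ethernet header and the ARP body so both MAC copies can be compared."""
    eth_len, arp_len = struct.calcsize(ETH_FMT), struct.calcsize(ARP_FMT)
    if len(frame) < eth_len + arp_len:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack(ETH_FMT, frame[:eth_len])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[eth_len:eth_len + arp_len])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpFrame(eth_dst, eth_src, op, sha, spa, tha, tpa)

def _invalid_ip(ip: bytes) -> bool:
    # all-zeros, all-ones, or multicast (224.0.0.0/4), as listed for the ip keyword
    return ip in (b"\x00" * 4, b"\xff" * 4) or (ip[0] & 0xF0) == 0xE0

def validate(frame: bytes, checks: Sequence[str] = ("dst-mac", "ip", "src-mac")) -> Optional[str]:
    """Apply the selected checks; return None if the frame passes, else the failing keyword."""
    arp = parse_arp(frame)
    # src-mac: sender MAC in the ARP body must equal the Ethernet source MAC
    # (the same comparison arp valid-check enable makes on the gateway)
    if "src-mac" in checks and arp.sender_mac != arp.eth_src:
        return "src-mac"
    # dst-mac: for replies, target MAC must not be all-zeros/all-ones and must match the Ethernet destination
    if "dst-mac" in checks and arp.opcode == ARP_REPLY:
        if arp.target_mac in (b"\x00" * 6, b"\xff" * 6) or arp.target_mac != arp.eth_dst:
            return "dst-mac"
    # ip: sender IP of requests; sender and target IP of replies
    if "ip" in checks:
        ips = (arp.sender_ip,) if arp.opcode == ARP_REQUEST else (arp.sender_ip, arp.target_ip)
        if any(_invalid_ip(ip) for ip in ips):
            return "ip"
    return None

# Constructed sample frames (not captured traffic); all addresses are made up.
GW_MAC, HOST_MAC, OTHER_MAC = (bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb"),
                               bytes.fromhex("0011223344cc"))
GW_IP, HOST_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
GOOD_REPLY = build_arp(GW_MAC, HOST_MAC, ARP_REPLY, HOST_MAC, HOST_IP, GW_MAC, GW_IP)
# body sender MAC differs from the Ethernet source: what src-mac (and arp valid-check) catches
MISMATCHED_REPLY = build_arp(GW_MAC, OTHER_MAC, ARP_REPLY, HOST_MAC, HOST_IP, GW_MAC, GW_IP)
# request with an all-zeros sender IP: rejected by the ip check
ZERO_IP_REQUEST = build_arp(b"\xff" * 6, HOST_MAC, ARP_REQUEST, HOST_MAC, bytes(4), bytes(6), GW_IP)
```

Passing a subset of keywords to validate mirrors enabling only some of them with arp detection validate, so a frame that fails src-mac still passes when only ip is checked.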

arp restricted-forwarding enable

Use arp restricted-forwarding enable to enable ARP restricted forwarding.

Use undo arp restricted-forwarding enable to disable ARP restricted forwarding.

Syntax

arp restricted-forwarding enable

undo arp restricted-forwarding enable

Default

ARP restricted forwarding is disabled.

Views

VLAN view

Predefined user roles

network-admin

mdc-admin

Examples

# Enable ARP restricted forwarding in VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp restricted-forwarding enable

display arp detection

Use display arp detection to display the VLANs enabled with ARP detection.

Syntax

display arp detection

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display the VLANs enabled with ARP detection.

<Sysname> display arp detection

ARP detection is enabled in the following VLANs:

1-2, 4-5

Related commands

arp detection enable

display arp detection statistics

Use display arp detection statistics to display ARP detection statistics.

Syntax

display arp detection statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Displays the ARP detection statistics of a specific interface.

Usage guidelines

This command displays the numbers of packets discarded by user validity check and ARP packet validity check. If you do not specify any interface, the command displays statistics for all interfaces.

Examples

# Display the ARP detection statistics for all interfaces.

<Sysname> display arp detection statistics

State: U-Untrusted  T-Trusted

ARP packets dropped by ARP inspect checking:

Interface(State)          IP         Src-MAC    Dst-MAC    Inspect   

GE3/0/1(U)                40         0          0          78       

GE3/0/2(U)                0          0          0          0        

GE3/0/3(T)                0          0          0          0        

GE3/0/4(U)                0          0          30         0

Table 2 Command output

Field

Description

State

State of an interface:

·       U—ARP untrusted interface.

·       T—ARP trusted interface.

Interface(State)

Inbound interface of ARP packets. State specifies the port state, trusted or untrusted.

IP

Number of ARP packets discarded due to invalid source and destination IP addresses.

Src-MAC

Number of ARP packets discarded due to invalid source MAC address.

Dst-MAC

Number of ARP packets discarded due to invalid destination MAC address.

Inspect

Number of ARP packets that failed to pass user validity check.


reset arp detection statistics

Use reset arp detection statistics to clear ARP detection statistics.

Syntax

reset arp detection statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

interface interface-type interface-number: Clears the ARP detection statistics for the specified interface.

Usage guidelines

If you do not specify any interface, this command clears the statistics of all interfaces.

Examples

# Clear the ARP detection statistics of all interfaces.

<Sysname> reset arp detection statistics

ARP automatic scanning and fixed ARP commands

arp fixup

Use arp fixup to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static entries.

Syntax

arp fixup

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries.

The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device may fail to change some dynamic ARP entries into static ARP entries.

Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S. When the dynamic ARP entries are being changed into static, new dynamic ARP entries may be created (suppose the number is M) and some of the dynamic ARP entries may be aged out (suppose the number is N). After the change process is completed, the number of static ARP entries is D + S + M - N.

To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.

Examples

# Enable fixed ARP.

<Sysname> system-view

[Sysname] arp fixup

arp scan

Use arp scan to enable ARP automatic scanning in the specified address range.

Syntax

arp scan [ start-ip-address to end-ip-address ]

Views

Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view, VLAN interface view, Layer 3 aggregate interface view, Layer 3 aggregate subinterface view

Predefined user roles

network-admin

mdc-admin

Parameters

start-ip-address: Specifies the start IP address of the scanning range.

end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.

Usage guidelines

If the start and end IP addresses are specified, the device scans the neighbor IP addresses in the specified address range to learn ARP entries. If the sending interface has multiple IP addresses falling within the specified address range, the sender IP address in the sent ARP requests is the interface address on the smallest network segment.

If you do not specify any address range, the device only scans neighbors on the network where the primary IP address of the interface resides. The sender IP address in the ARP requests is the primary IP address of the interface.

The start IP address and end IP address must be on the same network as the primary IP address or manually configured secondary IP addresses of the interface.

IP addresses that already exist in ARP entries are not scanned.

ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

Examples

# Configure the device to scan the neighbors on the network where the primary IP address of VLAN-interface 2 resides.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp scan

# Configure the device to scan neighbors on the specified address range.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp scan 1.1.1.1 to 1.1.1.20

ARP gateway protection commands

arp filter source

Use arp filter source to enable ARP gateway protection for a specific gateway.

Use undo arp filter source to disable ARP gateway protection for the specified gateway.

Syntax

arp filter source ip-address

undo arp filter source ip-address

Default

ARP gateway protection is disabled.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

ip-address: Specifies the IP address of a protected gateway.

Usage guidelines

You can enable ARP gateway protection for up to eight gateways on an interface.

You cannot configure both the arp filter source and arp filter binding commands on the same interface.

Examples

# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] arp filter source 1.1.1.1

ARP filtering commands

arp filter binding

Use arp filter binding to configure an ARP permitted entry. If the sender IP and MAC addresses of an ARP packet match an ARP permitted entry, the ARP packet is permitted. If not, it is discarded.

Use undo arp filter binding to remove an ARP permitted entry.

Syntax

arp filter binding ip-address mac-address

undo arp filter binding ip-address

Default

No ARP permitted entry is configured.

Views

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

ip-address: Permitted sender IP address.

mac-address: Permitted sender MAC address.

Usage guidelines

You can configure up to eight ARP permitted entries on an interface.

You cannot configure both the arp filter source and arp filter binding commands on the same interface.

Examples

# Configure an ARP permitted entry.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] arp filter binding 1.1.1.1 2-2-2
