No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
The ARP Entry of an Authorized User Is Maliciously Modified

The ARP Entry of an Authorized User Is Maliciously Modified

Common Causes

This fault is commonly caused by the following:

  • An attacker sends bogus ARP packets to modify the ARP entry of the authorized user.

Troubleshooting Flowchart

An authorized user is disconnected from the Internet, but the links and routes are normal. The possible cause is that an attacker sends bogus ARP packets to modify the ARP entry of the user on the gateway. As a result, this user is disconnected from the network.

Figure 22-8 shows the troubleshooting flowchart.
Figure 22-8  Troubleshooting flowchart for malicious modification to the ARP entry of an authorized user

Troubleshooting Procedure


Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.


  1. Run the display arp anti-attack configuration entry-check command on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 to check that ARP anti-spoofing is enabled.

    • If the following information is displayed, ARP anti-spoofing is not enabled.
      ARP anti-attack entry-check mode: disabled
      Run the arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable command to enable ARP anti-spoofing.

      Before enabling ARP anti-spoofing, run the reset arp interface interface-type interface-number command to delete the ARP entries learned by the user-side interface.

    • If the mode of ARP anti-spoofing is set to send-ack, go to step 2.
    • If the mode of ARP anti-spoofing is set to fixed-mac, go to step 3.
    • If the mode of ARP anti-spoofing is set to fixed-all, go to step 4.

  2. Perform the following steps to locate the fault in send-ack mode.

    1. Capture packets on the user-side interface by configuring port mirroring. If the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 does not send an ARP request, go to step 4.
    2. If the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 sends ARP requests but does not receive an ARP reply, check that the network connection between the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 and the user is normal.
    3. If the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 receives ARP reply packets from the user, run the display cpu-defend statistics packet-type arp-reply command to check statistics about ARP reply packets. If the number of dropped ARP reply packets keeps increasing, the possible cause is that the rate of ARP reply packets exceeds the CPCAR. In this case, increase the rate limit value by using the packet-type command.
    4. If the fault persists, go to step 4.

  3. Run the display arp all | include ip-address command to check the modified information in the ARP entry.

    If the interface number or VLAN ID is changed, you do not need to take any action because it is normal in fixed-mac mode. If the MAC address is changed, go to step 4.

  4. Collect the following information and contact technical support personnel:

    • Results of the preceding troubleshooting procedure
    • Configuration file, log file, and alarm file of the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600

Updated: 2019-05-10

Document ID: EDOC1000079719

Views: 443990

Downloads: 4295

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next