AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ARP Security Configuration Commands

NOTE:
  • Among the AR500 series routers, only the AR502G-L-D-H and AR502GR-L-D-H do not support ARP security.

arp anti-attack check user-bind alarm enable

Function

The arp anti-attack check user-bind alarm enable command enables the alarm function for ARP packets discarded by DAI.

The undo arp anti-attack check user-bind alarm enable command disables the alarm function for ARP packets discarded by DAI.

By default, the alarm function for ARP packets discarded by DAI is disabled.

NOTE:

The AR502G-L-D-H and AR502GR-L-D-H do not support this command.

The AR510 series does not support this command.

Format

arp anti-attack check user-bind alarm enable

undo arp anti-attack check user-bind alarm enable

Parameters

None

Views

Ethernet interface view, GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DAI is enabled, if you want to receive an alarm when a large number of ARP packets are discarded by DAI, you can run the arp anti-attack check user-bind alarm enable command. After the alarm function is enabled, the device sends an alarm when the number of discarded ARP packets exceeds the threshold.

The alarm threshold is set by the arp anti-attack check user-bind alarm threshold command.

Prerequisites

DAI has been enabled on the interface using the arp anti-attack check user-bind enable command.

Precautions

Since the default interval for sending ARP alarms is 0 (that is, no ARP alarm is sent), you must run the arp anti-attack log-trap-timer time command to increase the alarm sending interval after enabling the alarm for packets discarded by DAI.

This command can be used only on Layer 2 interfaces.

Example

# Enable the alarm function for ARP packets discarded by DAI on Eth0/0/1.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] arp anti-attack check user-bind enable
[Huawei-Ethernet0/0/1] arp anti-attack check user-bind alarm enable

arp anti-attack check user-bind alarm threshold

Function

The arp anti-attack check user-bind alarm threshold command sets the alarm threshold for ARP packets discarded by DAI.

The undo arp anti-attack check user-bind alarm threshold command restores the default alarm threshold for ARP packets discarded by DAI.

The threshold on interfaces is consistent with the threshold set by the arp anti-attack check user-bind alarm threshold command in the system view. If the alarm threshold is not set in the system view, the default threshold on the interface is 100.

NOTE:

The AR502G-L-D-H and AR502GR-L-D-H do not support this command.

The AR510 series does not support this command.

Format

System view:

arp anti-attack check user-bind alarm threshold threshold

undo arp anti-attack check user-bind alarm threshold

Interface view:

arp anti-attack check user-bind alarm threshold threshold

Parameters

Parameter Description Value
threshold Specifies the alarm threshold for the ARP packets discarded by DAI. The value is an integer that ranges from 1 to 1000.

Views

System view, Ethernet interface view, GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use this command to set the alarm threshold for ARP packets discarded by DAI. After the alarm threshold is set, the device sends an alarm when the number of ARP packets discarded by DAI exceeds this threshold.

Prerequisites

DAI has been enabled using the arp anti-attack check user-bind enable command in the interface view, and the alarm function for ARP packets discarded by DAI has been enabled using the arp anti-attack check user-bind alarm enable command.

Precautions

The arp anti-attack check user-bind alarm threshold command takes effect in the system view only when DAI and the alarm function for ARP packets discarded by DAI are enabled on the interface. The global alarm threshold takes effect on all interfaces enabled with the two functions.

If the alarm thresholds are set in the interface view and system view, the alarm threshold configured in the interface view takes effect. If the alarm threshold on an interface is not configured, the global alarm threshold is used.

The arp anti-attack check user-bind alarm threshold command can be used only on Layer 2 interfaces.

Example

# Set the alarm threshold for ARP packets discarded by DAI on Eth0/0/1 to 200.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] arp anti-attack check user-bind enable
[Huawei-Ethernet0/0/1] arp anti-attack check user-bind alarm enable
[Huawei-Ethernet0/0/1] arp anti-attack check user-bind alarm threshold 200

arp anti-attack check user-bind check-item (interface view)

Function

The arp anti-attack check user-bind check-item command configures check items for ARP packet check based on binding entries on an interface.

The undo arp anti-attack check user-bind check-item command restores the default check items.

By default, the check items consist of IP address, MAC address, and VLAN ID.

NOTE:

The AR502G-L-D-H and AR502GR-L-D-H do not support this command.

The AR510 series does not support this command.

Format

arp anti-attack check user-bind check-item { ip-address | mac-address | vlan } *

undo arp anti-attack check user-bind check-item

Parameters

Parameter Description Value
ip-address Indicates that the device checks IP addresses in ARP packets. -
mac-address Indicates that the device checks MAC addresses in ARP packets. -
vlan Indicates that the device checks VLAN IDs in ARP packets. -

Views

Ethernet interface view, GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a device receives an ARP packet, it compares the source IP address, source MAC address, and VLAN ID of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

To allow some special ARP packets that match only one or two items in binding entries to pass through, use the arp anti-attack check user-bind check-item command to configure the device to check ARP packets according to one or two specified items in binding entries.

Prerequisites

DAI has been enabled on the interface using the arp anti-attack check user-bind enable command.

Precautions

Check items configured for ARP packet check based on binding entries do not take effect on hosts that are configured with static binding entries. These hosts check ARP packets based on all items in static binding entries.

This command can be used only on Layer 2 interfaces.

Example

# Configure Eth0/0/1 to check IP addresses in ARP packets.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] arp anti-attack check user-bind enable
[Huawei-Ethernet0/0/1] arp anti-attack check user-bind check-item ip-address

arp anti-attack check user-bind check-item (VLAN view)

Function

The arp anti-attack check user-bind check-item command configures check items for ARP packet check based on binding entries in a VLAN.

The undo arp anti-attack check user-bind check-item command restores the default check items.

By default, the check items consist of IP address, MAC address, and interface number.

NOTE:

The AR502G-L-D-H and AR502GR-L-D-H do not support this command.

The AR510 series does not support this command.

Format

arp anti-attack check user-bind check-item { ip-address | mac-address | interface } *

undo arp anti-attack check user-bind check-item

Parameters

Parameter Description Value
ip-address Indicates that the device checks IP addresses in ARP packets. -
mac-address Indicates that the device checks MAC addresses in ARP packets. -
interface Indicates that the device checks interface numbers in ARP packets. -

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a device receives an ARP packet, it compares the source IP address, source MAC address, and interface number of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

To allow some special ARP packets that match only one or two items in binding entries to pass through, configure the device to check ARP packets according to one or two specified items in binding entries.

Prerequisites

DAI has been enabled in the VLAN using the arp anti-attack check user-bind enable command.

Precautions

Check items configured for ARP packet check based on binding entries do not take effect on hosts that are configured with static binding entries. These hosts check ARP packets based on all items in static binding entries.

Example

# Configure the device to check IP addresses in ARP packets from VLAN 100.

<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] arp anti-attack check user-bind enable
[Huawei-vlan100] arp anti-attack check user-bind check-item ip-address

arp anti-attack check user-bind enable

Function

The arp anti-attack check user-bind enable command enables DAI on an interface or in a VLAN. DAI enables the device to check ARP packets based on binding entries.

The undo arp anti-attack check user-bind enable command disables DAI on an interface or in a VLAN.

By default, DAI is disabled on an interface or in a VLAN.

NOTE:

The AR502G-L-D-H and AR502GR-L-D-H do not support this command.

The AR510 series does not support this command.

Format

arp anti-attack check user-bind enable

undo arp anti-attack check user-bind enable

Parameters

None

Views

Ethernet interface view, GE interface view, port group view, Eth-Trunk interface view, VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent MITM attacks and theft on authorized user information, run the arp anti-attack check user-bind enable command to enable DAI. When a device receives an ARP packet, it compares the source IP address, source MAC address, VLAN ID, and interface number of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

You can enable DAI in the interface view or the VLAN view. When DAI is enabled in the interface view, the device checks all ARP packets received on the interface against binding entries. When DAI is enabled in the VLAN view, the device checks ARP packets received on the interfaces belonging to the VLAN against binding entries.

This command can be used only on Layer 2 interfaces.

Follow-up Procedure

Run the arp anti-attack check user-bind check-item (interface view) or arp anti-attack check user-bind check-item (VLAN view) command to configure check items for ARP packet check based on binding entries.
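The following Python model is an added illustration of the binding-entry check described for DAI and its check items; it is not Huawei's implementation and not code from this reference. It compares a received ARP packet against a binding table using the default check items of the interface view (IP address, MAC address, VLAN ID) and of the VLAN view (IP address, MAC address, interface number), and follows the precaution that hosts with static binding entries are always checked on all items. The binding table and the packets are constructed sample data, and treating "static binding means all items" as a per-entry rule is a modelling assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Check items named as on the command line; "interface" is the extra item of the VLAN view.
ALL_ITEMS = frozenset({"ip-address", "mac-address", "vlan", "interface"})
INTERFACE_VIEW_DEFAULT = frozenset({"ip-address", "mac-address", "vlan"})     # default, interface view
VLAN_VIEW_DEFAULT = frozenset({"ip-address", "mac-address", "interface"})     # default, VLAN view


@dataclass(frozen=True)
class Binding:
    """One user binding entry (dynamic, e.g. from DHCP snooping, or static)."""
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool = False


@dataclass(frozen=True)
class ArpPacket:
    """The fields of a received ARP packet that DAI compares with binding entries."""
    sender_ip: str
    sender_mac: str
    vlan: int
    interface: str


def _matches(pkt: ArpPacket, b: Binding, items: FrozenSet[str]) -> bool:
    field_ok = {
        "ip-address": pkt.sender_ip == b.ip,
        "mac-address": pkt.sender_mac == b.mac,
        "vlan": pkt.vlan == b.vlan,
        "interface": pkt.interface == b.interface,
    }
    return all(field_ok[item] for item in items)


def dai_check(pkt: ArpPacket, bindings: Iterable[Binding], check_items: FrozenSet[str]) -> bool:
    """Return True if DAI forwards the packet, False if it discards it.

    Modelling assumption: a static binding is always compared on all items
    (configured check items do not apply to hosts with static bindings);
    dynamic bindings are compared on the configured check items only.
    """
    for b in bindings:
        items = ALL_ITEMS if b.static else check_items
        if _matches(pkt, b, items):
            return True
    return False


# Constructed sample binding table and packets (not taken from the page).
BINDINGS = [
    Binding("10.1.1.10", "00:11:22:33:44:01", 100, "Ethernet0/0/1"),
    Binding("10.1.1.20", "00:11:22:33:44:02", 100, "Ethernet0/0/2", static=True),
]
GOOD = ArpPacket("10.1.1.10", "00:11:22:33:44:01", 100, "Ethernet0/0/1")
MOVED_VLAN = ArpPacket("10.1.1.10", "00:11:22:33:44:01", 200, "Ethernet0/0/1")   # VLAN differs
SPOOFED_MAC = ArpPacket("10.1.1.10", "de:ad:be:ef:00:01", 100, "Ethernet0/0/1")  # MAC differs
SPOOFED_STATIC = ArpPacket("10.1.1.20", "de:ad:be:ef:00:02", 100, "Ethernet0/0/2")

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("moved-vlan", MOVED_VLAN), ("spoofed-mac", SPOOFED_MAC)]:
        print(name,
              "interface-view default:", dai_check(pkt, BINDINGS, INTERFACE_VIEW_DEFAULT),
              "VLAN-view default:", dai_check(pkt, BINDINGS, VLAN_VIEW_DEFAULT),
              "ip-address only:", dai_check(pkt, BINDINGS, frozenset({"ip-address"})))
```

Reducing the check items to ip-address alone lets the spoofed-MAC packet through, which is exactly the trade-off the check-item command makes; the static binding for 10.1.1.20 still rejects a changed MAC regardless of the configured items.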

Example

# Enable DAI on Eth0/0/1.
<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] arp anti-attack check user-bind enable
# Enable DAI in VLAN 100.
<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] arp anti-attack check user-bind enable

arp anti-attack entry-check enable

Function

The arp anti-attack entry-check enable command enables ARP entry fixing.

The undo arp anti-attack entry-check enable command disables ARP entry fixing.

By default, ARP entry fixing is disabled.

Format

arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

undo arp anti-attack entry-check enable

Parameters

Parameter Description Value
fixed-mac

Indicates ARP entry fixing in fixed-mac mode.

When receiving an ARP packet, the device discards the packet if the MAC address does not match the MAC address in the corresponding ARP entry. If the MAC address in the ARP packet matches that in the corresponding ARP entry while the interface number or VLAN ID does not match that in the ARP entry, the device updates the interface number or VLAN ID in the ARP entry.

-
fixed-all

Indicates ARP entry fixing in fixed-all mode.

When the MAC address, interface number, and VLAN ID of an ARP packet match those in the corresponding ARP entry, the device updates other information about the ARP entry.

-
send-ack

Indicates ARP entry fixing in send-ack mode.

When the device receives an ARP packet with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and then determines whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response from the user.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To defend against ARP address spoofing attacks, enable ARP entry fixing. The fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive:
  • The fixed-mac mode applies to networks where user MAC addresses are unchanged but user access locations often change. When a user connects to a different interface on the device, the device promptly updates the interface information in the user's ARP entry.
  • The fixed-all mode applies to networks where user MAC addresses and user access locations are fixed.
  • The send-ack mode applies to networks where user MAC addresses and user access locations often change.
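The following Python model is an added illustration of the three entry-fixing modes as the parameter table describes them; it is not Huawei's implementation and not code from this reference. The probe callback stands in for the unicast ARP Request that send-ack mode sends to the original MAC; treating an answer from the original host as "reject the change" and no answer as "accept the change" is a modelling assumption, as is the constructed ARP table.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    interface: str
    vlan: int


# A received ARP packet carries the same four fields that an entry records.
ArpPacket = ArpEntry


def entry_check(mode: str, table: Dict[str, ArpEntry], pkt: ArpPacket,
                probe: Optional[Callable[[str, str], bool]] = None) -> str:
    """Apply one ARP entry-fixing mode to `table` for `pkt`.

    Returns "new", "update", "discard" or "keep".  `probe(ip, mac)` models the
    unicast ARP Request of send-ack mode; True means the original host answered.
    """
    cur = table.get(pkt.ip)
    if cur is None:
        table[pkt.ip] = pkt
        return "new"                              # no entry yet: learned normally
    location_same = (pkt.interface, pkt.vlan) == (cur.interface, cur.vlan)
    if mode == "fixed-mac":
        if pkt.mac != cur.mac:
            return "discard"                      # MAC changed: packet dropped
        table[pkt.ip] = replace(cur, interface=pkt.interface, vlan=pkt.vlan)
        return "update"                           # same MAC: follow the new access location
    if mode == "fixed-all":
        if pkt.mac != cur.mac or not location_same:
            return "discard"                      # MAC, interface and VLAN must all match
        return "update"                           # only other information (e.g. aging) refreshed
    if mode == "send-ack":
        if pkt.mac == cur.mac and location_same:
            return "update"
        if probe is None:
            raise ValueError("send-ack mode needs a probe callback")
        if probe(cur.ip, cur.mac):
            return "keep"                         # original host still answers: ignore the change
        table[pkt.ip] = pkt
        return "update"                           # no answer: accept the new MAC/location
    raise ValueError(f"unknown entry-check mode: {mode}")


def fresh_table() -> Dict[str, ArpEntry]:
    """Constructed sample ARP table (not from the page)."""
    return {"10.1.1.10": ArpEntry("10.1.1.10", "00:11:22:33:44:01", "Ethernet0/0/1", 100)}


MOVED = ArpPacket("10.1.1.10", "00:11:22:33:44:01", "Ethernet0/0/2", 100)   # same MAC, new port
SPOOF = ArpPacket("10.1.1.10", "de:ad:be:ef:00:01", "Ethernet0/0/1", 100)   # MAC changed

if __name__ == "__main__":
    for mode in ("fixed-mac", "fixed-all", "send-ack"):
        for name, pkt in (("moved", MOVED), ("spoof", SPOOF)):
            t = fresh_table()
            print(mode, name, entry_check(mode, t, pkt, probe=lambda ip, mac: True), t["10.1.1.10"])
```

Running the same two packets through each mode shows why the modes are mutually exclusive: fixed-mac tolerates a port move, fixed-all tolerates nothing, and send-ack defers the decision to the host that currently owns the entry.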

Example

# Enable ARP entry fixing and specify the fixed-mac mode.
<Huawei> system-view
[Huawei] arp anti-attack entry-check fixed-mac enable

arp anti-attack gateway-duplicate enable

Function

The arp anti-attack gateway-duplicate enable command enables ARP gateway anti-collision.

The undo arp anti-attack gateway-duplicate enable command disables ARP gateway anti-collision.

By default, ARP gateway anti-collision is disabled.

NOTE:

The AR502G-L-D-H and AR502GR-L-D-H do not support this command.

The AR510 series does not support this command.

Format

arp anti-attack gateway-duplicate enable

undo arp anti-attack gateway-duplicate enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker forges the gateway address and sends ARP packets whose source IP address is the IP address of the gateway on the LAN, ARP entries on hosts in the LAN record the incorrect gateway address. As a result, all traffic from user hosts to the gateway is sent to the attacker, who intercepts user information, and user communication is interrupted.

To prevent bogus gateway attacks, enable ARP gateway anti-collision on the gateway using the arp anti-attack gateway-duplicate enable command. The gateway considers that a gateway collision occurs when a received ARP packet meets either of the following conditions:
  • The source IP address in the ARP packet is the same as the IP address of the VLANIF interface matching the physical inbound interface of the packet.
  • The source IP address in the ARP packet is the virtual IP address of the inbound interface but the source MAC address in the ARP packet is not the virtual MAC address of the VRRP group.
The device generates an ARP anti-collision entry and discards the received packets with the same source MAC address and VLAN ID in a specified period. This function prevents ARP packets with the bogus gateway address from being broadcast in a VLAN.
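The following Python model is an added illustration of the gateway anti-collision logic just described; it is not Huawei's implementation and not code from this reference. It applies the two collision conditions (source IP equal to the VLANIF IP of the inbound interface, or source IP equal to the VRRP virtual IP with a source MAC other than the virtual MAC), keeps anti-collision entries keyed by source MAC and VLAN ID, discards later packets matching an entry, and stops adding entries at the 100-entry limit. The hold time of an entry is not given on the page and is a parameter here; the interface data and packets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_ANTI_ATTACK_ENTRIES = 100   # page: at most 100 ARP anti-attack entries exist at a time


@dataclass(frozen=True)
class InboundInterface:
    """What the gateway knows about the interface an ARP packet arrived on."""
    vlanif_ip: str                          # IP of the VLANIF matching the physical inbound interface
    vrrp_virtual_ip: Optional[str] = None
    vrrp_virtual_mac: Optional[str] = None


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int


def is_gateway_collision(pkt: ArpPacket, iface: InboundInterface) -> bool:
    """The two collision conditions given on the page."""
    if pkt.sender_ip == iface.vlanif_ip:
        return True
    if (iface.vrrp_virtual_ip is not None and pkt.sender_ip == iface.vrrp_virtual_ip
            and pkt.sender_mac != iface.vrrp_virtual_mac):
        return True
    return False


class GatewayAntiCollision:
    def __init__(self, hold_time: float) -> None:
        self.hold_time = hold_time                          # assumption: the page's "specified period"
        self.entries: Dict[Tuple[str, int], float] = {}     # (source MAC, VLAN ID) -> expiry time

    def handle(self, pkt: ArpPacket, iface: InboundInterface, now: float) -> str:
        """Return "forward", "discard" (matched an existing entry) or "collision" (new entry)."""
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}   # age out entries
        key = (pkt.sender_mac, pkt.vlan)
        if key in self.entries:
            return "discard"            # same source MAC and VLAN within the period: dropped
        if not is_gateway_collision(pkt, iface):
            return "forward"
        if len(self.entries) >= MAX_ANTI_ATTACK_ENTRIES:
            return "forward"            # table full: new collision attacks can no longer be prevented
        self.entries[key] = now + self.hold_time
        return "collision"              # entry created; this packet is discarded


if __name__ == "__main__":
    iface = InboundInterface("10.1.1.1", "10.1.1.254", "00:00:5e:00:01:01")   # constructed
    gw = GatewayAntiCollision(hold_time=60)
    print(gw.handle(ArpPacket("10.1.1.10", "00:11:22:33:44:01", 100), iface, 0))   # forward
    print(gw.handle(ArpPacket("10.1.1.1", "de:ad:be:ef:00:01", 100), iface, 0))    # collision
    print(gw.handle(ArpPacket("10.1.1.50", "de:ad:be:ef:00:01", 100), iface, 10))  # discard
```

Note that once an entry exists, any packet from that MAC in that VLAN is discarded during the period, even if it no longer claims the gateway address; this is what keeps the bogus gateway from being broadcast further into the VLAN.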

Precautions

A maximum of 100 ARP anti-attack entries exist on the device at the same time. When the maximum number is exceeded, the device cannot prevent new ARP gateway collision attacks.

Example

# Enable ARP gateway anti-collision.

<Huawei> system-view
[Huawei] arp anti-attack gateway-duplicate enable

arp anti-attack log-trap-timer

Function

The arp anti-attack log-trap-timer command sets the interval for sending ARP alarms.

The undo arp anti-attack log-trap-timer command restores the default setting.

The default interval for sending alarms is 0, indicating that the device does not send ARP alarms.

Format

arp anti-attack log-trap-timer time

undo arp anti-attack log-trap-timer

Parameters

Parameter Description Value
time Specifies the interval for sending ARP alarms. The value is an integer that ranges from 0 to 1200, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To allow the administrator to learn the ARP running status in real time, identify potential attacks, and take measures, the device provides the alarm function for potential ARP attacks. This function records exceptions of ARP running in real time. To avoid excessive alarms when ARP attacks occur, reduce the alarm quantity by setting a proper interval for sending alarms.

NOTE:
The arp anti-attack log-trap-timer command takes effect only on the following alarms:
  • SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.4 hwARPSDaiDropALarm
  • SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.5 hwARPGlobleSpeedLimitALarm
  • SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.8 hwARPMissGlobleSpeedLimitALarm
  • SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.3 hwARPSPacketCheck
  • SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.1 hwARPSGatewayConflict
  • SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.2 hwARPSEntryCheck

Precautions

In an insecure environment, you are advised to extend the interval for sending ARP alarms to prevent excessive ARP alarms. In a secure environment, you are advised to shorten the interval so that faults can be rectified in real time.

After the interval is set, the device discards alarms generated within the interval; therefore, some faults cannot be rectified in real time.
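The following Python model is an added illustration of how the DAI discard alarm, its threshold and the log-trap-timer interval fit together, covering the threshold precedence from the arp anti-attack check user-bind alarm threshold precautions (interface view over system view, default 100) and the interval behaviour of arp anti-attack log-trap-timer (0 means no alarm, alarms inside the interval are discarded); it is not Huawei's implementation and not code from this reference. The discard counter never ages out in this model, which is a simplification, and the configuration values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_THRESHOLD = 100   # page: default interface threshold when no global threshold is set


@dataclass
class AlarmConfig:
    global_threshold: Optional[int] = None                            # alarm threshold, system view
    interface_threshold: Dict[str, int] = field(default_factory=dict)  # alarm threshold, interface view
    log_trap_timer: int = 0                                           # seconds; 0 = no ARP alarms (default)


def effective_threshold(cfg: AlarmConfig, iface: str) -> int:
    """Interface-view threshold wins; otherwise the global one; otherwise the default."""
    if iface in cfg.interface_threshold:
        return cfg.interface_threshold[iface]
    if cfg.global_threshold is not None:
        return cfg.global_threshold
    return DEFAULT_THRESHOLD


class DaiAlarmer:
    """Counts DAI discards per interface and decides when an alarm is actually sent."""

    def __init__(self, cfg: AlarmConfig) -> None:
        self.cfg = cfg
        self.dropped: Dict[str, int] = {}
        self.last_sent: Optional[float] = None
        self.sent: List[Tuple[float, str, int]] = []   # (time, interface, discard count)

    def record_drop(self, iface: str, now: float) -> bool:
        """Register one DAI discard at time `now`; return True if an alarm is sent."""
        self.dropped[iface] = self.dropped.get(iface, 0) + 1
        if self.dropped[iface] <= effective_threshold(self.cfg, iface):
            return False                       # threshold not exceeded: no alarm condition
        if self.cfg.log_trap_timer == 0:
            return False                       # interval 0: the device sends no ARP alarms at all
        if self.last_sent is not None and now - self.last_sent < self.cfg.log_trap_timer:
            return False                       # alarm generated inside the interval is discarded
        self.last_sent = now
        self.sent.append((now, iface, self.dropped[iface]))
        return True


if __name__ == "__main__":
    cfg = AlarmConfig(interface_threshold={"Ethernet0/0/1": 2}, log_trap_timer=20)   # constructed
    alarmer = DaiAlarmer(cfg)
    for t in (0, 1, 2, 10, 30):
        print(t, alarmer.record_drop("Ethernet0/0/1", t))
    print(alarmer.sent)
```

The model makes the precaution concrete: with the default interval of 0, enabling the alarm and setting a threshold produces nothing until arp anti-attack log-trap-timer is set to a non-zero value.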

Example

# Set the interval for sending ARP alarms to 20 seconds.

<Huawei> system-view
[Huawei] arp anti-attack log-trap-timer 20

arp anti-attack packet-check sender-mac

Function

The arp anti-attack packet-check sender-mac command enables the device to check whether the source MAC address in an ARP packet is the same as that in the Ethernet frame header.

The undo arp anti-attack packet-check sender-mac command disables ARP packet validity check.

By default, ARP packet validity check is disabled.

Format

arp anti-attack packet-check sender-mac

undo arp anti-attack packet-check sender-mac

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After receiving an ARP packet, the device checks validity of the ARP packet, including:
  • Packet length
  • Validity of the source and destination MAC addresses in the ARP packet
  • ARP Request type and ARP Reply type
  • MAC address length
  • IP address length
  • Whether the ARP packet is an Ethernet frame
The preceding check items are used to determine whether an ARP packet is valid. A packet whose source MAC address in the ARP payload differs from the source MAC address in the Ethernet frame header is allowed by the ARP protocol but is possibly an attack packet. After the arp anti-attack packet-check sender-mac command is run, the device compares the source MAC addresses in the ARP packet and the Ethernet frame header and discards packets in which they are inconsistent.

Precautions

The arp validate command can be used to configure the device to check whether the source MAC address in an ARP packet is the same as that in the Ethernet frame header. This command is different from the arp anti-attack packet-check sender-mac command.
  • The arp validate command configures ARP packet validity check only on a physical interface. The arp anti-attack packet-check sender-mac command configures ARP packet validity check globally.
  • The arp validate command checks whether the source and destination MAC addresses in an ARP packet are the same as those in the Ethernet frame header. The arp anti-attack packet-check sender-mac command checks whether the source MAC address in an ARP packet is the same as that in the Ethernet frame header.
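The following Python parser is an added illustration of the packet validity checks listed above and of the difference between the sender-mac check and arp validate; it is not Huawei's implementation and not code from this reference. It parses a raw Ethernet II + ARP frame, applies the listed checks (length, source MAC validity, operation type, hardware and protocol address lengths, Ethernet hardware type), then compares the Ethernet source with the ARP sender hardware address; in the "arp-validate" mode it additionally compares the Ethernet destination with the ARP target hardware address on unicast frames, which is this example's reading of "source and destination MAC addresses". The frames are constructed with the included builder, not captured traffic.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying ARP and apply the validity checks the
    page lists; raise ValueError naming the first failed check."""
    if len(frame) < 14 + 28:
        raise ValueError("packet length")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP Ethernet frame")
    if eth_src == BROADCAST or eth_src == b"\x00" * 6 or eth_src[0] & 1:
        raise ValueError("source MAC address")          # broadcast, all-zero or multicast source
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800:
        raise ValueError("hardware/protocol type")      # not Ethernet/IPv4 ARP
    if hlen != 6:
        raise ValueError("MAC address length")
    if plen != 4:
        raise ValueError("IP address length")
    if oper not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError("ARP operation type")
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "oper": oper,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]), "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def check_frame(frame: bytes, mode: str = "sender-mac") -> bool:
    """True if the frame passes.  "sender-mac": Ethernet source must equal ARP sender MAC.
    "arp-validate" (assumption): additionally, on unicast frames the Ethernet
    destination must equal the ARP target MAC."""
    p = parse_arp_frame(frame)
    if p["eth_src"] != p["sender_mac"]:
        return False
    if mode == "arp-validate" and p["eth_dst"] != "ff:ff:ff:ff:ff:ff" and p["eth_dst"] != p["target_mac"]:
        return False
    return True


def build_arp(eth_src: bytes, sender_mac: bytes, oper: int = ARP_REQUEST,
              sender_ip: str = "10.1.1.10", target_ip: str = "10.1.1.1",
              eth_dst: bytes = BROADCAST, target_mac: bytes = b"\x00" * 6) -> bytes:
    """Build a constructed test frame (sample data, not a captured packet)."""
    eth = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sender_mac
           + ipaddress.IPv4Address(sender_ip).packed + target_mac
           + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


HOST = bytes.fromhex("001122334401")     # constructed host MAC
FORGED = bytes.fromhex("deadbeef0001")   # constructed forged ARP sender MAC
GW = bytes.fromhex("00005e000101")       # constructed gateway MAC

if __name__ == "__main__":
    print("consistent:", check_frame(build_arp(HOST, HOST)))      # True
    print("forged sender:", check_frame(build_arp(HOST, FORGED)))  # False
```

A frame whose Ethernet source and ARP sender MAC disagree is syntactically valid ARP, which is why the listed validity checks alone do not catch it and the sender-mac check exists as a separate switch.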

Example

# Enable ARP packet validity check to allow the device to check the source MAC address in an ARP packet.

<Huawei> system-view
[Huawei] arp anti-attack packet-check sender-mac

arp anti-attack rate-limit

Function

The arp anti-attack rate-limit command sets the maximum rate and rate limiting duration of ARP packets globally or on an interface.

The undo arp anti-attack rate-limit command restores the default maximum rate and rate limiting duration of ARP packets globally or on an interface.

By default, a maximum of 100 ARP packets are allowed to pass per second.

Format

arp anti-attack rate-limit packet-number [ interval-value ]

undo arp anti-attack rate-limit

Parameters

Parameter

Description

Value

packet-number

Specifies the maximum rate of sending ARP packets, that is, the number of ARP packets allowed to pass through in the rate limiting duration.

The value is an integer that ranges from 1 to 32768. The default value is 100.

interval-value

Specifies the rate limiting duration of ARP packets.

The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.

Views

System view, Ethernet interface view, GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP packets is enabled, run the arp anti-attack rate-limit command to set the maximum rate and rate limiting duration of ARP packets globally or on an interface. In the rate limiting duration, if the number of received ARP packets exceeds the limit, the device discards the excess ARP packets.

Prerequisites

Rate limit on ARP packets has been enabled globally or on an interface using the arp anti-attack rate-limit enable command.

Precautions

If the maximum rate and rate limiting duration are configured in both the system view and the interface view, the interface view configuration takes precedence over the system view configuration.
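The following Python model is an added illustration of the rate limit described by this command (packet-number packets per interval-value seconds, excess discarded) and of the interface-over-system precedence; it is not Huawei's implementation and not code from this reference. A fixed window is used because the page defines the limit as a count per rate limiting duration; the arrival times fed to it are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class RateLimit:
    packet_number: int = 100   # page default
    interval: int = 1          # seconds; page default


def resolve_limit(system: Optional[RateLimit], interfaces: Dict[str, RateLimit], iface: str) -> RateLimit:
    """Interface-view setting first, then the system-view setting, then the defaults."""
    if iface in interfaces:
        return interfaces[iface]
    if system is not None:
        return system
    return RateLimit()


class ArpRateLimiter:
    """Fixed-window limiter: at most packet_number ARP packets per interval."""

    def __init__(self, limit: RateLimit) -> None:
        self.limit = limit
        self.window_start: Optional[float] = None
        self.count = 0
        self.dropped = 0

    def accept(self, now: float) -> bool:
        if self.window_start is None or now - self.window_start >= self.limit.interval:
            self.window_start, self.count = now, 0     # a new rate limiting duration begins
        self.count += 1
        if self.count > self.limit.packet_number:
            self.dropped += 1
            return False                                # excess ARP packet discarded
        return True


def simulate_burst(limit: RateLimit, times: Iterable[float]) -> Tuple[int, int]:
    """Feed ARP packet arrival times to a limiter; return (accepted, dropped)."""
    lim = ArpRateLimiter(limit)
    accepted = sum(1 for t in times if lim.accept(t))
    return accepted, lim.dropped


if __name__ == "__main__":
    # Constructed: the page's example setting of 200 packets per 10 seconds on Eth0/0/1.
    per_iface = {"Ethernet0/0/1": RateLimit(200, 10)}
    limit = resolve_limit(RateLimit(), per_iface, "Ethernet0/0/1")
    print("burst of 300 in 3 s:", simulate_burst(limit, [i * 0.01 for i in range(300)]))   # (200, 100)
    print("1 packet/s for 300 s:", simulate_burst(limit, [float(t) for t in range(300)]))  # (300, 0)
```

The two runs show the difference between a burst and sustained traffic under the same limit: 300 packets inside one 10-second window lose the last 100, while one packet per second never fills a window.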

Example

# Configure Eth0/0/1 to allow 200 ARP packets to pass through in 10 seconds.
<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] arp anti-attack rate-limit enable
[Huawei-Ethernet0/0/1] arp anti-attack rate-limit 200 10

arp anti-attack rate-limit alarm enable

Function

The arp anti-attack rate-limit alarm enable command enables the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit.

The undo arp anti-attack rate-limit alarm enable command disables the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit.

By default, the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit is disabled.

Format

arp anti-attack rate-limit alarm enable

undo arp anti-attack rate-limit alarm enable

Parameters

None

Views

System view, Ethernet interface view, GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP packets is enabled, if you want the device to generate alarms for excessive discarded ARP packets, run the arp anti-attack rate-limit alarm enable command. When the number of discarded ARP packets exceeds the alarm threshold, the device generates an alarm.

You can set the alarm threshold using the arp anti-attack rate-limit alarm threshold command.

Prerequisites

Rate limit on ARP packets has been enabled using the arp anti-attack rate-limit enable command.

Precautions

After the arp anti-attack rate-limit alarm enable command is run, you need to run the arp anti-attack log-trap-timer time command to set the interval for sending alarms.

Example

# Enable rate limit on ARP packets globally and enable the alarm function.

<Huawei> system-view
[Huawei] arp anti-attack rate-limit enable
[Huawei] arp anti-attack rate-limit alarm enable

arp anti-attack rate-limit alarm threshold

Function

The arp anti-attack rate-limit alarm threshold command sets the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit.

By default, the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit is 100.

Format

arp anti-attack rate-limit alarm threshold threshold

Parameters

Parameter Description Value
threshold Specifies the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit. The value is an integer that ranges from 1 to 32768.

Views

System view, Ethernet interface view, GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use the arp anti-attack rate-limit alarm threshold command to set the alarm threshold. When the number of discarded ARP packets exceeds the alarm threshold, the device generates an alarm.

Prerequisites

Rate limit on ARP packets has been enabled using the arp anti-attack rate-limit enable command, and the alarm function has been enabled using the arp anti-attack rate-limit alarm enable command.

Example

# Enable rate limit on ARP packets globally, enable the alarm function, and set the alarm threshold to 50.

<Huawei> system-view
[Huawei] arp anti-attack rate-limit enable
[Huawei] arp anti-attack rate-limit alarm enable
[Huawei] arp anti-attack rate-limit alarm threshold 50

arp anti-attack rate-limit enable

Function

The arp anti-attack rate-limit enable command enables rate limit on ARP packets.

The undo arp anti-attack rate-limit enable command disables rate limit on ARP packets.

By default, rate limiting on ARP packets is disabled.

Format

arp anti-attack rate-limit enable

undo arp anti-attack rate-limit enable

Parameters

None

Views

System view, Ethernet interface view, GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

When the device processes a large number of ARP packets, it does not have sufficient CPU resources to process other services. To protect the CPU resources of the device, limit the rate of ARP packets.

You can run the arp anti-attack rate-limit enable command to enable rate limit on ARP packets. When the rate of ARP packets exceeds the limit, excess ARP packets are discarded. To set the rate limit and rate limiting duration of ARP packets, run the arp anti-attack rate-limit command.

Example

# Enable rate limit on ARP packets globally.

<Huawei> system-view
[Huawei] arp anti-attack rate-limit enable

arp gratuitous-arp send enable

Function

The arp gratuitous-arp send enable command enables gratuitous ARP packet sending.

The undo arp gratuitous-arp send enable command disables gratuitous ARP packet sending.

By default, gratuitous ARP packet sending is disabled.

Format

arp gratuitous-arp send enable

undo arp gratuitous-arp send enable

Parameters

None

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker forges the gateway address to send ARP packets to other user hosts, ARP entries on the hosts record the incorrect gateway address. As a result, the gateway cannot receive data sent from the hosts. You can enable gratuitous ARP packet sending on the gateway. Then the gateway sends gratuitous ARP packets at intervals to update the ARP entries of authorized users so that the ARP entries contain the correct MAC address of the gateway.

By default, the device sends a gratuitous ARP packet every 90 seconds after this function is enabled. You can also set the interval using the arp gratuitous-arp send interval command.

Precautions

After you run the arp gratuitous-arp send enable command in the system view, gratuitous ARP packet sending is enabled on all VLANIF interfaces.

After you run the undo arp gratuitous-arp send enable command in the system view, gratuitous ARP packet sending is disabled on all VLANIF interfaces.

Example

# Enable gratuitous ARP packet sending on VLANIF 10.

<Huawei> system-view
[Huawei] interface vlanif 10
[Huawei-Vlanif10] arp gratuitous-arp send enable

arp gratuitous-arp send interval

Function

The arp gratuitous-arp send interval command sets the interval for sending gratuitous ARP packets.

The undo arp gratuitous-arp send interval command restores the default interval for sending gratuitous ARP packets.

By default, the interval for sending gratuitous ARP packets is 90 seconds.

Format

arp gratuitous-arp send interval interval-time

undo arp gratuitous-arp send interval

Parameters

Parameter

Description

Value

interval-time

Specifies the interval for sending gratuitous ARP packets.

The value is an integer that ranges from 1 to 86400, in seconds.

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device sends a gratuitous ARP packet every 90 seconds after gratuitous ARP sending is enabled. You can set the interval for sending gratuitous ARP packets using the arp gratuitous-arp send interval command.

If you set the interval in the system view, the configuration takes effect on all VLANIF interfaces. If you set the interval in both the system view and VLANIF interface view, the configuration on the VLANIF interface takes precedence over the global configuration.

Prerequisites

Gratuitous ARP packet sending has been enabled using the arp gratuitous-arp send enable command.

Example

# Set the interval for sending gratuitous ARP packets to 100 seconds on VLANIF 10.

<Huawei> system-view
[Huawei] interface vlanif 10
[Huawei-Vlanif10] arp gratuitous-arp send enable
[Huawei-Vlanif10] arp gratuitous-arp send interval 100

arp learning dhcp-trigger

Function

The arp learning dhcp-trigger command enables ARP learning triggered by DHCP.

The undo arp learning dhcp-trigger command disables ARP learning triggered by DHCP.

By default, ARP learning triggered by DHCP is disabled.

NOTE:

The AR502G-L-D-H and AR502GR-L-D-H do not support this command.

The AR510 series does not support this command.

Format

arp learning dhcp-trigger

undo arp learning dhcp-trigger

Parameters

None

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When many DHCP users connect to a network device, the device needs to learn and maintain many ARP entries. This affects device performance.

To address this issue, configure ARP learning triggered by DHCP on the gateway. When the DHCP server allocates an IP address for a user, the gateway generates an ARP entry for the user based on the DHCP ACK packet received on the VLANIF interface.
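The following Python model is an added illustration of ARP learning triggered by DHCP as described above; it is not Huawei's implementation and not code from this reference. It parses a DHCP payload (fixed BOOTP header, magic cookie, options), and only when the message type option says DHCPACK does it create an ARP entry from yiaddr and chaddr; other message types and malformed payloads create nothing. The DHCP packets are constructed with the included builder, not captured traffic.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

DHCP_ACK = 5
OPT_MSG_TYPE, OPT_PAD, OPT_END = 53, 0, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp(payload: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (message type, yiaddr, chaddr) from a DHCP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))        # "your" address assigned to the client
    hlen = payload[2]
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])  # client hardware address
    msg_type = None
    i = 240
    while i < len(payload):                                    # walk the TLV options
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    if msg_type is None:
        return None
    return msg_type, yiaddr, chaddr


def learn_from_dhcp(arp_table: Dict[str, str], payload: bytes) -> bool:
    """Create an ARP entry from a DHCP ACK (the trigger described on the page); ignore all else."""
    parsed = parse_dhcp(payload)
    if parsed is None or parsed[0] != DHCP_ACK:
        return False
    _, ip, mac = parsed
    arp_table[ip] = mac
    return True


def build_dhcp(msg_type: int, yiaddr: str, chaddr: bytes) -> bytes:
    """Constructed DHCP payload (not a capture): BOOTP header, cookie, message-type option, end."""
    # op=2 (BOOTREPLY), htype=1, hlen=6, hops=0, xid, secs, flags
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x12345678, 0, 0)
    header += b"\x00" * 4 + ipaddress.IPv4Address(yiaddr).packed + b"\x00" * 8   # ciaddr, yiaddr, siaddr, giaddr
    header += chaddr + b"\x00" * 10 + b"\x00" * 192                              # chaddr(16), sname(64), file(128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


if __name__ == "__main__":
    table: Dict[str, str] = {}
    ack = build_dhcp(DHCP_ACK, "10.1.1.10", bytes.fromhex("001122334401"))   # constructed
    print(learn_from_dhcp(table, ack), table)   # True {'10.1.1.10': '00:11:22:33:44:01'}
```

Because the entry is derived from the server's ACK rather than from the client's own ARP traffic, the gateway does not need to learn and maintain entries from the flood of ARP packets a large DHCP population generates.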

Precautions

Before using this command, ensure that DHCP snooping is enabled using the dhcp snooping enable command.

When both VRRP and DHCP relay are configured on the network, neither the dhcp snooping enable command nor the arp learning dhcp-trigger command can be configured on the VRRP master and backup devices.

Example

# Enable ARP learning triggered by DHCP on VLANIF 100.

<Huawei> system-view
[Huawei] vlan batch 100
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] interface vlanif 100
[Huawei-Vlanif100] arp learning dhcp-trigger

arp learning strict (interface view)

Function

The arp learning strict command enables strict ARP learning on the interface.

The undo arp learning strict command restores the global configuration on the interface.

By default, the configuration of strict ARP learning is the same as the global configuration.

Format

arp learning strict { force-enable | force-disable | trust }

undo arp learning strict

Parameters

Parameter Description Value
force-enable Strict ARP learning is enabled on the interface, regardless of the global setting. -
force-disable Strict ARP learning is disabled on the interface, regardless of the global setting. -
trust The interface follows the global strict ARP learning configuration. trust has the same effect as the undo arp learning strict command. -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If many user hosts send a large number of ARP packets to a device simultaneously, or attackers send bogus ARP packets to the device, the following problems occur:
  • Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, enable strict ARP learning on the gateway. With strict ARP learning, the device learns an ARP entry only from an ARP Reply packet that answers an ARP Request packet the device itself sent; it does not learn entries from unsolicited ARP packets received from other devices (ARP Request packets and ARP Reply packets it did not ask for). In this way, the device can defend against most ARP attacks.

Precautions

The configuration on an interface takes precedence over the global configuration.

When ARP attacks occur on many interfaces of the device, you can run the arp learning strict (system view) command to enable strict ARP learning globally.

This command can be used only on Layer 3 interfaces.

Example

# Enable strict ARP learning on VLANIF 100.
<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] arp learning strict force-enable

arp learning strict (system view)

Function

The arp learning strict command enables strict ARP learning.

The undo arp learning strict command restores the default setting.

By default, strict ARP learning is disabled.

Format

arp learning strict

undo arp learning strict

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If many user hosts send a large number of ARP packets to a device simultaneously, or attackers send bogus ARP packets to the device, the following problems occur:
  • Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, enable strict ARP learning on the gateway. With strict ARP learning, the device learns an ARP entry only from an ARP Reply packet that answers an ARP Request packet the device itself sent; unsolicited ARP packets from other devices are not learned. In this way, the device can defend against most ARP attacks.
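The difference between the two learning modes is easiest to see on a concrete packet sequence. The Python model below is an added example written for this page, not Huawei's code, and it serves this description as well as the identical one under arp learning strict (interface view). The sequence is constructed: the gateway resolves one host, then an attacker sends an unsolicited ARP Reply for that host's IP address and a flood of ARP Request packets from made-up source IP addresses. All MAC and IP addresses in it are invented.

```python
ARP_REQUEST, ARP_REPLY = 1, 2


class ArpCache:
    """ARP learning with or without strict mode.

    strict=False: any received ARP packet (Request or Reply) creates or
                  updates the entry for its sender.
    strict=True:  only an ARP Reply that answers a Request this device sent
                  is learned; unsolicited packets are ignored.
    Added example modelled on the command description, not the router's code.
    """

    def __init__(self, strict):
        self.strict = strict
        self.table = {}        # sender IP -> sender MAC
        self.pending = set()   # IPs for which we sent a Request and await a Reply

    def send_request(self, ip):
        self.pending.add(ip)

    def receive(self, opcode, sender_ip, sender_mac):
        """Process a received ARP packet; return True if the cache changed."""
        solicited = opcode == ARP_REPLY and sender_ip in self.pending
        if self.strict and not solicited:
            return False
        changed = self.table.get(sender_ip) != sender_mac
        self.table[sender_ip] = sender_mac
        self.pending.discard(sender_ip)
        return changed


def run_scenario(strict, flood_size=100):
    """Constructed sequence: one legitimate resolution, then two attacks.

    Returns (MAC recorded for 10.0.0.10, number of entries in the table).
    """
    cache = ArpCache(strict=strict)

    # 1. The gateway resolves 10.0.0.10 and the real host answers.
    cache.send_request("10.0.0.10")
    cache.receive(ARP_REPLY, "10.0.0.10", "0011-2233-4455")

    # 2. Spoofing: an unsolicited Reply claims 10.0.0.10 is at the attacker's MAC.
    cache.receive(ARP_REPLY, "10.0.0.10", "dead-beef-0001")

    # 3. Entry exhaustion: Requests from many bogus source IP addresses.
    for i in range(flood_size):
        cache.receive(ARP_REQUEST, f"10.0.9.{1 + i % 254}", f"dead-beef-{i:04x}")

    return cache.table.get("10.0.0.10"), len(cache.table)
```

Without strict mode the spoofed Reply overwrites the real entry and the Request flood adds one entry per bogus address; in strict mode neither has any effect. Note what strict mode does not cover: a forged Reply that arrives while the gateway's own Request is still outstanding is accepted, which is why it is combined with checks such as arp validate and DAI rather than used alone.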

Precautions

The configuration on an interface takes precedence over the global configuration.

Example

# Enable strict ARP learning.

<Huawei> system-view
[Huawei] arp learning strict

arp speed-limit flood-rate

Function

The arp speed-limit flood-rate command sets the maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs.

The undo arp speed-limit flood-rate command restores the default maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs.

By default, the maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs is 1000 pps.

Format

arp speed-limit flood-rate rate

undo arp speed-limit flood-rate

Parameters

Parameter Description Value
rate Specifies the maximum rate of broadcasting ARP Request packets. The value is an integer that ranges from 0 to 32768, in pps. The value 0 indicates that the rate of broadcasting ARP Request packets is not limited.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

A VLANIF interface in a super-VLAN is triggered to learn ARP entries in the following scenarios:

  • The VLANIF interface receives IP packets triggering ARP Miss messages.
  • The VLANIF interface is enabled with ARP proxy and receives ARP packets whose destination IP addresses meet the proxy requirements and match no ARP entry.

The VLANIF interface replicates ARP Request packets in each sub-VLAN when learning ARP entries. If a large number of sub-VLANs are configured for the super-VLAN, the device generates a large number of ARP Request packets. As a result, the CPU is busy processing ARP Request packets, and other services are affected. To prevent this problem, limit the rate of ARP packets on the VLANIF interface of a super-VLAN.

When the CPU is busy processing packets, set the maximum rate of broadcasting ARP Request packets to a small value. When the CPU is idle, set the maximum rate of broadcasting ARP Request packets to a large value to broadcast packets efficiently. You can set the maximum rate of broadcasting ARP Request packets based on the actual network environment.

Example

# Set the maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs to 500 pps.

<Huawei> system-view
[Huawei] arp speed-limit flood-rate 500

arp speed-limit source-mac

Function

The arp speed-limit source-mac command sets the maximum rate of ARP packets based on source MAC addresses.

The undo arp speed-limit source-mac command restores the default setting.

By default, the maximum rate of ARP packets from each source MAC address is set to 0, that is, the rate of ARP packets is not limited based on source MAC addresses.

Format

arp speed-limit source-mac [ mac-address ] maximum maximum

undo arp speed-limit source-mac [ mac-address ]

Parameters

Parameter Description Value
mac-address

Specifies the source MAC address. If this parameter is specified, the rate of ARP packets from the MAC address is limited.

If this parameter is not specified, the rate of ARP packets from each MAC address is limited.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

maximum maximum

Specifies the maximum rate of ARP packets from a specified MAC address.

The value is an integer that ranges from 0 to 32768, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When processing a large number of ARP packets with fixed source MAC addresses but variable source IP addresses, the CPU is overloaded and ARP entries are exhausted. To prevent this problem, limit the rate of ARP packets based on source MAC addresses.

After the arp speed-limit source-mac command is run, the device collects statistics on ARP packets based on the source MAC address. If the number of ARP packets from a source MAC address per second exceeds the threshold, the device discards the excess ARP packets.

Precautions

Limiting the rate of all ARP packets is not recommended. You are advised to find out the attack source according to packet statistics, and then limit the rate of ARP packets from the specified source MAC address.

Example

# Set the maximum rate of ARP packets from any source MAC address to 100 pps.

<Huawei> system-view
[Huawei] arp speed-limit source-mac maximum 100

# Set the maximum rate of ARP packets from a specified MAC address 0000-0000-0001 to 50 pps.

<Huawei> system-view
[Huawei] arp speed-limit source-mac 0000-0000-0001 maximum 50

arp speed-limit source-ip

Function

The arp speed-limit source-ip command sets the maximum rate of ARP packets based on the source IP address.

The undo arp speed-limit source-ip command restores the default setting.

By default, the device allows a maximum of 5 ARP packets from the same source IP address to pass through per second.

Format

arp speed-limit source-ip [ ip-address ] maximum maximum

undo arp speed-limit source-ip [ ip-address ]

Parameters

Parameter Description Value
ip-address

Specifies the source IP address. If this parameter is specified, the rate of ARP packets from the IP address is limited.

If this parameter is not specified, the rate of ARP packets from each IP address is limited.

The value is in dotted decimal notation.
maximum maximum

Specifies the maximum rate of ARP packets from a specified source IP address.

NOTE:

If the rate of ARP packets from every source IP address is limited, a large value is recommended, because valid packets may be discarded if the value is small. However, a too large value degrades system performance. If a specific IP address initiates attacks, set the maximum rate of ARP packets from that IP address to a small value.

The value is an integer that ranges from 0 to 32768, in pps. If the value is 0, the rate of ARP packets is not limited based on the source IP address.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the device processes a large number of ARP packets with a fixed source IP address (for example, packets with the same source IP address but frequently changing source MAC addresses or outbound interfaces), the CPU is overloaded and cannot process other services. To prevent this problem, limit the rate of ARP packets based on the source IP address.

After the arp speed-limit source-ip command is run, the device collects statistics on ARP packets based on the source IP address. If the number of ARP packets from a specified source IP address per second exceeds the threshold, the device discards the excess ARP packets.

Precautions

Limiting the rate of all ARP packets is not recommended. You are advised to find out the attack source according to packet statistics, and then limit the rate of ARP packets from the specified source IP address.
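The per-source counters that arp speed-limit source-mac and arp speed-limit source-ip describe can be modelled in a few lines, and the model shows why the two keys are complementary. The Python below is an added example written for this page, not Huawei's implementation (whose internals are not published). It applies the documented semantics (a limit of 0 disables the check, a limit for a specific address overrides the default that applies to "Others", counting per second) to two constructed floods: the fixed-MAC/variable-IP pattern from the source-mac description and the fixed-IP/variable-MAC pattern from this one. The fixed one-second window and all addresses are assumptions made for the example.

```python
from collections import defaultdict


class ArpSpeedLimiter:
    """Per-second ARP packet counters keyed by source MAC and by source IP.

    Semantics follow the two command descriptions:
      - a limit of 0 disables that check;
      - a limit configured for a specific address overrides the default
        that applies to all other ("Others") addresses;
      - counting uses a fixed one-second window (assumption: the page only
        says "per second").
    Added example; not the router's implementation.
    """

    def __init__(self, mac_default=0, ip_default=5):   # factory defaults per the page
        self.mac_default, self.ip_default = mac_default, ip_default
        self.mac_limits, self.ip_limits = {}, {}         # specific-address overrides
        self._window = None
        self._counts = defaultdict(int)

    def accept(self, ts, src_mac, src_ip):
        """Return True if the ARP packet seen at time ts (seconds) is forwarded."""
        window = int(ts)
        if window != self._window:                       # new second: reset counters
            self._window, self._counts = window, defaultdict(int)
        self._counts[("mac", src_mac)] += 1
        self._counts[("ip", src_ip)] += 1
        mac_limit = self.mac_limits.get(src_mac, self.mac_default)
        ip_limit = self.ip_limits.get(src_ip, self.ip_default)
        if mac_limit and self._counts[("mac", src_mac)] > mac_limit:
            return False
        if ip_limit and self._counts[("ip", src_ip)] > ip_limit:
            return False
        return True


def simulate(limiter, packets):
    """Run (ts, src_mac, src_ip) tuples through the limiter; return (accepted, dropped)."""
    accepted = sum(1 for ts, mac, ip in packets if limiter.accept(ts, mac, ip))
    return accepted, len(packets) - accepted


def fixed_mac_flood(n, mac="dead-beef-0001"):
    """Constructed: n packets within one second, one source MAC, n distinct source IPs."""
    return [(i / n, mac, f"10.0.{1 + i // 250}.{1 + i % 250}") for i in range(n)]


def fixed_ip_flood(n, ip="10.0.0.99"):
    """Constructed: n packets within one second, one source IP, n distinct source MACs."""
    return [(i / n, f"dead-beef-{i:04x}", ip) for i in range(n)]
```

With the factory defaults (source-mac 0, source-ip 5) the fixed-MAC flood passes untouched because every packet carries a fresh IP address; only a source-mac limit (100 pps globally, or 50 pps for the offending address, as in the command examples) caps it. The fixed-IP flood is the opposite case and is caught by the default source-ip limit of 5 pps.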

Example

# Set the maximum rate of ARP packets from a source IP address to 100 pps.

<Huawei> system-view
[Huawei] arp speed-limit source-ip maximum 100

# Set the maximum rate of ARP packets from a specified IP address 10.0.0.1 to 50 pps.

<Huawei> system-view
[Huawei] arp speed-limit source-ip 10.0.0.1 maximum 50

arp validate(interface view)

Function

The arp validate command enables MAC address consistency check in an ARP packet on an interface. This function compares the source and destination MAC addresses in ARP packets with those in the Ethernet frame header.

The undo arp validate command disables MAC address consistency check in an ARP packet on an interface.

By default, MAC address consistency check in an ARP packet is disabled.

Format

arp validate { source-mac | destination-mac } *

undo arp validate { source-mac | destination-mac } *

Parameters

Parameter Description Value
source-mac Indicates that the device compares the source MAC address in a received ARP packet with that in the Ethernet frame header. -
destination-mac Indicates that the device compares the destination MAC address in a received ARP packet with that in the Ethernet frame header. -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The MAC address consistency check function for ARP packets prevents attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header. This function is usually configured on gateways.

After the arp validate command is run, the gateway checks MAC address consistency in an ARP packet before ARP learning. If a checked MAC address in the ARP packet differs from the corresponding MAC address in the Ethernet frame header, the device discards the packet as an attack packet. If the checked addresses match, the device performs ARP learning.

When using this command, note the following points:
  • If source-mac is specified:
    • When receiving an ARP Request packet, the device checks only the source MAC address consistency.
    • When receiving an ARP Reply packet, the device checks only the source MAC address consistency.
  • If destination-mac is specified:
    • When receiving an ARP Request packet, the device does not check the destination MAC address consistency because the ARP Request packet is broadcast.

    • When receiving an ARP Reply packet, the device checks the destination MAC address consistency.
  • If source-mac and destination-mac are specified:
    • When receiving an ARP Request packet, the device checks only the source MAC address consistency.
    • When receiving an ARP Reply packet, the device checks the source and destination MAC address consistency.
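The rules above map directly onto the fields of an ARP-over-Ethernet frame: the sender hardware address in the ARP payload against the Ethernet source MAC, and the target hardware address against the Ethernet destination MAC. The Python below is an added example for this page, not Huawei's code: it builds constructed frames, parses the Ethernet header and the ARP payload, and applies the source-mac and destination-mac checks exactly as listed, including skipping the destination check for broadcast Requests. The addresses used are invented.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    """'0011-2233-4455' or '00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_frame(eth_src, eth_dst, opcode, sha, tha, spa="10.0.0.1", tpa="10.0.0.2"):
    """Constructed Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    ethernet = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return ethernet + arp


def parse_frame(frame):
    """Extract the addresses the consistency check compares."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP packet
        raise ValueError("truncated frame")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {"eth_src": eth_src, "eth_dst": eth_dst, "opcode": opcode,
            "sha": frame[22:28],             # sender hardware address
            "tha": frame[32:38]}             # target hardware address


def arp_validate(frame, source_mac=True, destination_mac=True):
    """Apply 'arp validate { source-mac | destination-mac } *'.

    Returns (accepted, reason). Requests are broadcast, so their target
    hardware address is never compared with the Ethernet destination MAC.
    """
    p = parse_frame(frame)
    if source_mac and p["sha"] != p["eth_src"]:
        return False, "source-mac mismatch"
    if destination_mac and p["opcode"] == ARP_REPLY and p["tha"] != p["eth_dst"]:
        return False, "destination-mac mismatch"
    return True, "ok"
```

A spoofed Reply whose ARP sender address names the victim while the frame itself comes from the attacker's NIC fails the source-mac check; a broadcast Request with an all-zero target address passes even with destination-mac configured, as the rules above require.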

Precautions

Sub-interfaces do not support the arp validate command. When receiving ARP packets, a sub-interface checks MAC address consistency based on the rule configured on the primary interface.

Example

# Enable MAC address consistency check in an ARP packet on Layer 2 interface Eth0/0/1.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] arp validate source-mac destination-mac

arp-fake expire-time

Function

The arp-fake expire-time command sets the aging time of temporary ARP entries.

The undo arp-fake expire-time command restores the default aging time of temporary ARP entries.

By default, the aging time of temporary ARP entries is 1 second.

Format

arp-fake expire-time expire-time

undo arp-fake expire-time

Parameters

Parameter Description Value
expire-time Specifies the aging time of temporary ARP entries. The value is an integer that ranges from 1 to 36000, in seconds.

Views

Ethernet interface view, GE interface view, Eth-Trunk interface view, VLANIF interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network.
  • In the aging time of temporary ARP entries:
    • Before receiving an ARP reply packet, the device discards the IP packets matching the temporary ARP entry and does not generate ARP Miss messages.
    • After receiving an ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • When temporary ARP entries age out, the device clears them. If the IP packets forwarded by the device still match no ARP entry, ARP Miss messages and temporary ARP entries are generated again, and this repeats until the address is resolved.

When a device undergoes an ARP Miss attack, you can run the arp-fake expire-time command to extend the aging time of temporary ARP entries to reduce the frequency of triggering ARP Miss messages and minimize the impact on the device.

Example

# Set the aging time of temporary ARP entries to 10 seconds on VLANIF10.
<Huawei> system-view
[Huawei] vlan 10
[Huawei-vlan10] quit
[Huawei] interface vlanif 10
[Huawei-Vlanif10] arp-fake expire-time 10

arp-limit

Function

The arp-limit command sets the maximum number of ARP entries that an interface can dynamically learn.

The undo arp-limit command cancels the configured maximum number of ARP entries that an interface can dynamically learn.

By default, the maximum number of ARP entries that an interface can dynamically learn is the maximum value that can be configured on the interface.

Format

VLANIF interface view

arp-limit maximum maximum

undo arp-limit

Other interface views

arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

undo arp-limit vlan vlan-id1 [ to vlan-id2 ]

Parameters

Parameter Description Value

vlan vlan-id1 [ to vlan-id2 ]
  Specifies the VLAN or VLAN range for which the maximum number of ARP entries the interface can dynamically learn is limited.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID; vlan-id2 must be larger than vlan-id1. If to vlan-id2 is not specified, the limit applies to VLAN vlan-id1 only. If to vlan-id2 is specified, the limit applies to each VLAN from vlan-id1 to vlan-id2.
  The values of vlan-id1 and vlan-id2 are integers that range from 1 to 4094.

maximum maximum
  Specifies the maximum number of ARP entries that the interface can dynamically learn.
  The value is an integer. The value range varies according to the product model:
  • AR500 and AR530 series: 1 to 2000
  • AR510 series: 1 to 1000

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent ARP entries from being exhausted by ARP attacks from a host connecting to an interface on the device, set the maximum number of ARP entries that the interface can dynamically learn. When the number of the ARP entries learned by a specified interface reaches the maximum number, no dynamic ARP entry can be added.

Precautions

If an interface has already learned more ARP entries than the maximum number being configured, the device neither learns new ARP entries on the interface nor clears the entries already learned; the excess entries must be deleted manually.

Ethernet, GE, Eth-Trunk interfaces can work at Layer 3 or Layer 2. When they work at Layer 3, you cannot configure the VLAN ID. When they work at Layer 2, you must configure the VLAN ID.

If the arp-limit vlan vlan-id1 to vlan-id2 maximum maximum command is run more than once, the following situations are available:
  • If maximum maximum is the same in multiple command instances, all configurations take effect. For example, if the arp-limit vlan 10 to 30 maximum 200 command and then the arp-limit vlan 35 to 40 maximum 200 command are run, both configurations take effect. If the VLAN ranges specified in multiple command instances are overlapping, the system automatically merges the VLAN ranges. For example, if the arp-limit vlan 50 to 80 maximum 200 command and then the arp-limit vlan 70 to 100 maximum 200 command are run, both configurations take effect, and the system merges the configurations into arp-limit vlan 50 to 100 maximum 200.
  • If maximum maximum is different in multiple command instances, the latest configuration overrides the previous one for the same VLAN range. For example, if the arp-limit vlan 10 to 30 maximum 200 command and then the arp-limit vlan 15 to 25 maximum 300 command are run, the system automatically divides the configurations into arp-limit vlan 10 to 14 maximum 200, arp-limit vlan 15 to 25 maximum 300, and arp-limit vlan 26 to 30 maximum 200.
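The merge and split rules above amount to maintaining a set of non-overlapping VLAN ranges in which the latest command wins on any overlap. The Python below is an added example written for this page, not Huawei's code; it implements those rules, reproduces the three worked configurations from the text, and renders the resulting entries in command syntax. Assumptions beyond the page: adjacent ranges with the same maximum are merged as well as overlapping ones, undo is modelled as removing exactly the given range, and the maximum is validated against the AR500/AR530 range of 1 to 2000 unless another ceiling is passed in.

```python
class ArpLimitTable:
    """Per-VLAN dynamic ARP entry limits for one Layer 2 interface.

    Entries are kept as disjoint (first_vlan, last_vlan, maximum) ranges.
    Adding a range overrides the overlapping part of existing entries; ranges
    that then touch or overlap with the same maximum are merged.
    Added example modelling the command's documented behaviour.
    """

    def __init__(self, max_entries=2000):    # AR500/AR530 ceiling; AR510 uses 1000
        self.max_entries = max_entries
        self._entries = []

    @staticmethod
    def _check_vlans(first, last):
        if not (1 <= first <= 4094 and 1 <= last <= 4094):
            raise ValueError("VLAN IDs must be in 1..4094")
        if last < first:
            raise ValueError("vlan-id2 must be larger than vlan-id1")

    def add(self, first, last, maximum):
        """arp-limit vlan first [ to last ] maximum maximum"""
        self._check_vlans(first, last)
        if not 1 <= maximum <= self.max_entries:
            raise ValueError(f"maximum must be in 1..{self.max_entries}")
        self.remove(first, last)              # the new command wins on the overlap
        self._entries.append((first, last, maximum))
        self._coalesce()

    def remove(self, first, last):
        """undo arp-limit vlan first [ to last ]: drop the range from every entry."""
        self._check_vlans(first, last)
        kept = []
        for lo, hi, m in self._entries:
            if hi < first or lo > last:       # no overlap, keep as is
                kept.append((lo, hi, m))
                continue
            if lo < first:                    # remainder on the left
                kept.append((lo, first - 1, m))
            if hi > last:                     # remainder on the right
                kept.append((last + 1, hi, m))
        self._entries = kept

    def _coalesce(self):
        """Sort and merge touching/overlapping ranges that share a maximum."""
        self._entries.sort()
        merged = []
        for lo, hi, m in self._entries:
            if merged and merged[-1][2] == m and merged[-1][1] >= lo - 1:
                plo, phi, _ = merged.pop()
                lo, hi = plo, max(phi, hi)
            merged.append((lo, hi, m))
        self._entries = merged

    def entries(self):
        return list(self._entries)

    def limit_for(self, vlan):
        """Effective maximum for a VLAN, or None if no limit is configured."""
        for lo, hi, m in self._entries:
            if lo <= vlan <= hi:
                return m
        return None

    def render(self):
        """Entries in the command syntax a running configuration would show."""
        lines = []
        for lo, hi, m in self._entries:
            vlan_range = f"{lo} to {hi}" if hi != lo else str(lo)
            lines.append(f"arp-limit vlan {vlan_range} maximum {m}")
        return lines
```

Running the three sequences from the text yields exactly the entries the text lists: 10 to 30 and 35 to 40 stay separate, 50 to 80 plus 70 to 100 collapse into 50 to 100, and 15 to 25 at 300 splits 10 to 30 at 200 into three entries.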

Example

# Configure that VLANIF 10 can dynamically learn a maximum of 20 ARP entries.
<Huawei> system-view
[Huawei] vlan 10
[Huawei-vlan10] quit
[Huawei] interface vlanif 10
[Huawei-Vlanif10] arp-limit maximum 20
# Configure that Eth0/0/1 can dynamically learn a maximum of 20 ARP entries corresponding to VLAN 10.
<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] arp-limit vlan 10 maximum 20

arp-miss anti-attack rate-limit

Function

The arp-miss anti-attack rate-limit command sets the maximum rate and rate limiting duration of ARP Miss messages.

The undo arp-miss anti-attack rate-limit command restores the default maximum rate and rate limiting duration of ARP Miss messages.

By default, the device can process a maximum of 100 ARP Miss messages per second.

Format

arp-miss anti-attack rate-limit packet-number [ interval-value ]

undo arp-miss anti-attack rate-limit

Parameters

Parameter Description Value

packet-number
  Specifies the maximum rate of ARP Miss messages, that is, the number of ARP Miss messages the device processes within the rate limiting duration.
  The value is an integer that ranges from 1 to 32768. The default value is 100.

interval-value
  Specifies the rate limiting duration of ARP Miss messages.
  The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP Miss messages is enabled, you can set the maximum rate and rate limiting duration of ARP Miss messages. If the number of ARP Miss messages triggered by IP packets within the rate limiting duration exceeds the limit, the device does not process the excess ARP Miss messages and discards the IP packets that triggered them.

Prerequisites

Rate limit on ARP Miss messages has been enabled using the arp-miss anti-attack rate-limit enable command.

Example

# Configure the device to process a maximum of 200 ARP Miss messages in 10 seconds.
<Huawei> system-view
[Huawei] arp-miss anti-attack rate-limit enable
[Huawei] arp-miss anti-attack rate-limit 200 10

arp-miss anti-attack rate-limit alarm enable

Function

The arp-miss anti-attack rate-limit alarm enable command enables the alarm function for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.

The undo arp-miss anti-attack rate-limit alarm enable command disables the alarm function for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.

By default, the alarm function is disabled.

Format

arp-miss anti-attack rate-limit alarm enable

undo arp-miss anti-attack rate-limit alarm enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP Miss messages is enabled, run the arp-miss anti-attack rate-limit alarm enable command if you want the device to generate alarms that notify the network administrator when a large number of excess ARP Miss messages are discarded. When the number of discarded ARP Miss messages exceeds the alarm threshold, the device generates an alarm.

You can set the alarm threshold using the arp-miss anti-attack rate-limit alarm threshold command.

Prerequisites

Rate limit on ARP Miss messages has been enabled using the arp-miss anti-attack rate-limit enable command.

Precautions

After the arp-miss anti-attack rate-limit alarm enable command is run, you need to run the arp anti-attack log-trap-timer time command to set the interval for sending alarms.

Example

# Enable the alarm function for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.
<Huawei> system-view
[Huawei] arp-miss anti-attack rate-limit enable
[Huawei] arp-miss anti-attack rate-limit alarm enable

arp-miss anti-attack rate-limit alarm threshold

Function

The arp-miss anti-attack rate-limit alarm threshold command sets the alarm threshold for ARP Miss messages discarded when the rate of ARP Miss packets exceeds the limit.

By default, the alarm threshold for ARP Miss packets discarded is 100.

Format

arp-miss anti-attack rate-limit alarm threshold threshold

Parameters

Parameter Description Value

threshold
  Specifies the alarm threshold for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.
  The value is an integer that ranges from 1 to 32768.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use the arp-miss anti-attack rate-limit alarm threshold command to set the alarm threshold. When the number of discarded ARP Miss packets exceeds the alarm threshold, the device generates an alarm.

Prerequisites

Rate limit on ARP Miss messages has been enabled using the arp-miss anti-attack rate-limit enable command, and the alarm function has been enabled using the arp-miss anti-attack rate-limit alarm enable command.

Example

# Enable rate limit on ARP Miss messages, enable the alarm function, and set the alarm threshold to 200.

<Huawei> system-view
[Huawei] arp-miss anti-attack rate-limit enable
[Huawei] arp-miss anti-attack rate-limit alarm enable
[Huawei] arp-miss anti-attack rate-limit alarm threshold 200

arp-miss anti-attack rate-limit enable

Function

The arp-miss anti-attack rate-limit enable command enables rate limit on ARP Miss messages.

The undo arp-miss anti-attack rate-limit enable command disables rate limit on ARP Miss messages.

By default, rate limit on ARP Miss messages is disabled.

Format

arp-miss anti-attack rate-limit enable

undo arp-miss anti-attack rate-limit enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device, that is, if the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route, the device triggers a large number of ARP Miss messages. IP packets triggering ARP Miss messages are sent to the control board for processing. The device generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming a large number of CPU and bandwidth resources.

To avoid the preceding problems, configure rate limit on ARP Miss messages. The device collects statistics on ARP Miss messages. If the number of ARP Miss messages generated within the rate limiting duration exceeds the threshold (the maximum number of ARP Miss messages), the gateway discards the IP packets triggering the excess ARP Miss messages.

Follow-up Procedure

Run the arp-miss anti-attack rate-limit command to set the maximum rate and rate limiting duration of ARP Miss messages.

Example

# Enable rate limit on ARP Miss messages.
<Huawei> system-view
[Huawei] arp-miss anti-attack rate-limit enable

arp-miss speed-limit source-ip

Function

The arp-miss speed-limit source-ip command sets the maximum number of ARP Miss messages based on source IP addresses.

The undo arp-miss speed-limit source-ip command restores the default setting.

By default, the device processes a maximum of 5 ARP Miss messages triggered by IP packets from the same source IP address per second.

Format

arp-miss speed-limit source-ip [ ip-address ] maximum maximum

undo arp-miss speed-limit source-ip [ ip-address ]

Parameters

Parameter Description Value
ip-address

Specifies the source IP address. If this parameter is specified, the maximum number of ARP Miss messages triggered by packets from this IP address is limited.

If this parameter is not specified, the maximum number of ARP Miss messages triggered by packets from each IP address is limited.

The value is in dotted decimal notation.
maximum maximum

Specifies the maximum number of ARP Miss messages based on the source IP address.

NOTE:

If the maximum number of ARP Miss messages triggered by packets from each IP address is limited, a large value is recommended for this parameter because a small value may cause discarding of valid packets. However, a too large value will deteriorate the system performance.

If an IP address initiates attacks, you can set the maximum number of ARP Miss messages triggered by packets from this IP address to a small value.

The value is an integer that ranges from 0 to 32768.

If the value is 0, the maximum number of ARP Miss messages is not limited based on the source IP address.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If the number of ARP Miss messages triggered by IP packets from one source IP address per second exceeds the limit, the device considers that an attack is initiated from that source IP address and does not process the excess ARP Miss messages. The administrator can use the arp-miss speed-limit source-ip command to set this per-second limit, either for all source IP addresses or for a specific one, protecting system resources and ensuring that other services run properly.
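The three ARP Miss controls in this section (the temporary entries aged by arp-fake expire-time, the global limit set by arp-miss anti-attack rate-limit, and the per-source limit set by this command) act on the same event, and their interaction is easiest to see in a model. The Python below is an added example for this page, not Huawei's implementation: it plays a constructed flood (one source sending one packet per second to each of 200 unresolvable destinations for five seconds) through a small gateway model and counts what each configuration does with the packets. Assumptions beyond the page: timestamps are integer milliseconds, a temporary entry is treated as expired at exactly its aging instant, the per-source check runs before the global check, and all addresses are invented.

```python
from collections import Counter


class ArpMissGateway:
    """Model of ARP Miss handling with temporary entries and rate limits.

    fake_expire_s    aging time of temporary ARP entries (arp-fake expire-time)
    miss_limit       ARP Miss messages allowed per miss_interval_s, None = unlimited
                     (arp-miss anti-attack rate-limit packet-number interval-value)
    per_src_limit    ARP Miss messages per source IP per second, 0 = unlimited
                     (arp-miss speed-limit source-ip maximum)
    Added example following the command descriptions, not the router's code.
    Assumption: the per-source check runs before the global check.
    """

    def __init__(self, fake_expire_s=1, miss_limit=None, miss_interval_s=1, per_src_limit=5):
        self.fake_expire_ms = fake_expire_s * 1000
        self.miss_limit = miss_limit
        self.miss_interval_ms = miss_interval_s * 1000
        self.per_src_limit = per_src_limit
        self.resolved = set()      # destination IPs with a real ARP entry
        self.temp = {}             # destination IP -> expiry (ms) of its temporary entry
        self._global = Counter()   # rate-limit window index -> ARP Miss count
        self._per_src = Counter()  # (source IP, second) -> ARP Miss count
        self.stats = Counter()

    def arp_reply(self, dst_ip):
        """An ARP Reply arrived: the real entry replaces the temporary one."""
        self.temp.pop(dst_ip, None)
        self.resolved.add(dst_ip)

    def handle(self, t_ms, src_ip, dst_ip):
        """Process one IP packet; return the outcome and record it in stats."""
        if dst_ip in self.resolved:
            outcome = "forward"
        elif dst_ip in self.temp and t_ms < self.temp[dst_ip]:
            outcome = "drop-temp-entry"       # temporary entry alive: drop, no new ARP Miss
        else:
            outcome = self._arp_miss(t_ms, src_ip, dst_ip)
        self.stats[outcome] += 1
        return outcome

    def _arp_miss(self, t_ms, src_ip, dst_ip):
        src_key = (src_ip, t_ms // 1000)
        if self.per_src_limit and self._per_src[src_key] >= self.per_src_limit:
            return "drop-source-limit"
        window = t_ms // self.miss_interval_ms
        if self.miss_limit is not None and self._global[window] >= self.miss_limit:
            return "drop-rate-limit"
        self._per_src[src_key] += 1
        self._global[window] += 1
        # ARP Miss processed: temporary entry created and an ARP Request sent.
        self.temp[dst_ip] = t_ms + self.fake_expire_ms
        return "arp-miss"


def constructed_flood(gateway, seconds=5, dests=200, src_ip="10.0.0.99"):
    """Constructed attack: each second, one packet to each of `dests` (<= 254) unresolvable hosts."""
    for s in range(seconds):
        for i in range(dests):
            gateway.handle(s * 1000 + i * 1000 // dests, src_ip, f"10.0.5.{i + 1}")
    return dict(gateway.stats)
```

With only the 1-second temporary entries the flood costs 1000 ARP Miss messages in five seconds; raising arp-fake expire-time to 10 cuts that to the first 200. The default arp-miss speed-limit source-ip of 5 caps the single attacker at 5 per second regardless, and arp-miss anti-attack rate-limit 200 10 caps the device as a whole at 200 per 10-second window.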

Example

# Set the maximum number of ARP Miss messages triggered by each source IP address per second to 60.

<Huawei> system-view
[Huawei] arp-miss speed-limit source-ip maximum 60

# Set the maximum number of ARP Miss messages triggered by the IP address 10.0.0.1 per second to 100, and set the maximum number of ARP Miss messages triggered by other source IP addresses per second to 60.

<Huawei> system-view
[Huawei] arp-miss speed-limit source-ip maximum 60
[Huawei] arp-miss speed-limit source-ip 10.0.0.1 maximum 100

display arp anti-attack check user-bind interface

Function

The display arp anti-attack check user-bind interface command displays the configuration of ARP packet check on an interface.

NOTE:

AR502G-L-D-H, and AR502GR-L-D-H do not support this command.

AR510 series does not support this command.

Format

display arp anti-attack check user-bind interface interface-type interface-number

Parameters

Parameter Description Value

interface interface-type interface-number
  Specifies the type and number of the interface on which ARP packets are checked:
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
  -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display arp anti-attack check user-bind interface command to view the configuration of ARP packet check on an interface, including whether the function is enabled, check items, whether the alarm function is enabled for discarded ARP packets, alarm threshold, and number of discarded ARP packets.

This command produces output only after DAI and the alarm function are enabled.

Example

# Display ARP check configuration on Eth0/0/1.

<Huawei> display arp anti-attack check user-bind interface ethernet 0/0/1
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 arp anti-attack check user-bind alarm threshold 50 
 ARP packet drop count = 0  
Table 14-92  Description of the display arp anti-attack check user-bind interface command output

Item Description
arp anti-attack check user-bind enable DAI has been enabled on the interface. Run the arp anti-attack check user-bind enable command to enable DAI.
arp anti-attack check user-bind alarm enable The alarm function for ARP packets discarded by DAI has been enabled. Run the arp anti-attack check user-bind alarm enable command to enable it.
arp anti-attack check user-bind alarm threshold 50 Alarm threshold for ARP packets discarded because they match no DHCP snooping binding entry. Run the arp anti-attack check user-bind alarm threshold command to set it.
ARP packet drop count Number of ARP packets discarded because they match no DHCP snooping binding entry.

display arp anti-attack configuration

Function

The display arp anti-attack configuration command displays the ARP anti-attack configuration.

Format

display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit | arp-speed-limit | arpmiss-speed-limit | entry-check | gateway-duplicate | packet-check | all }

Parameters

Parameter Description Value
arp-rate-limit Displays the configuration of rate limit on ARP packets globally or on an interface. -
arpmiss-rate-limit Displays the configuration of rate limit on ARP Miss messages. -
arp-speed-limit Displays the configuration of rate limit on ARP packets based on the source IP address or source MAC address. -
arpmiss-speed-limit Displays the configuration of rate limit on ARP Miss messages based on the source IP address. -
entry-check Displays the ARP entry fixing mode. -
gateway-duplicate Displays whether gateway anti-collision is enabled. -
packet-check Displays whether ARP packet validity check is enabled. -
all Displays all ARP anti-attack configurations. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After all ARP anti-attack functions are configured, you can run this command to check all configurations.

Example

# Display the maximum rate and rate limiting duration of ARP packets based on the source IP address or source MAC address.

<Huawei> display arp anti-attack configuration arp-speed-limit
 ARP speed-limit for source-MAC configuration:                                  
 MAC-address         suppress-rate(pps)(rate=0 means function disabled)         
------------------------------------------------------------------------------- 
 0000-0000-0001      150                                                        
 Others              200                                                        
------------------------------------------------------------------------------- 
 1 specified MAC addresses are configured, spec is 256 items.                   
                                                                                
 ARP speed-limit for source-IP configuration:                                   
 IP-address          suppress-rate(pps)(rate=0 means function disabled)         
------------------------------------------------------------------------------- 
 10.0.0.20           50                                                         
 Others              100                                                        
------------------------------------------------------------------------------- 
 1 specified IP addresses are configured, spec is 512 items.                    
                                                             

# Display the maximum rate and rate limiting duration of ARP Miss messages based on the source IP address.

<Huawei> display arp anti-attack configuration arpmiss-speed-limit
 ARP miss speed-limit for source-IP configuration:                                   
 IP-address          suppress-rate(pps)(rate=0 means function disabled)         
------------------------------------------------------------------------------- 
 10.0.0.20           300                                                        
 Others              100                                                        
------------------------------------------------------------------------------- 
 1 specified IP addresses are configured, spec is 128 items. 

# Display the ARP entry fixing mode.

<Huawei> display arp anti-attack configuration entry-check
 ARP anti-attack entry-check mode: fixed-mac 

# Display all ARP anti-attack configurations.

<Huawei> display arp anti-attack configuration all
 ARP anti-attack packet-check function: enable                                  
                                                                                
 ARP anti-attack entry-check mode: disabled                                     
                                                                                
 ARP gateway-duplicate anti-attack function: disabled  
                                                                                
 ARP rate-limit configuration:                                                  
------------------------------------------------------------------------------- 
 Global configuration:                                                          
    arp anti-attack rate-limit enable                                           
 Interface configuration:                                                       
------------------------------------------------------------------------------- 
                                                                                
 ARP miss rate-limit configuration:                                             
------------------------------------------------------------------------------- 
 Global configuration:                                                          
    arp-miss anti-attack rate-limit enable                                      
------------------------------------------------------------------------------- 
                                                                                
 ARP speed-limit for source-MAC configuration:                                  
 MAC-address         suppress-rate(pps)(rate=0 means function disabled)         
------------------------------------------------------------------------------- 
 0000-0000-0001      200                                                        
 Others              100                                                        
------------------------------------------------------------------------------- 
 1 specified MAC addresses are configured, spec is 256 items.                   
                                                                                
 ARP speed-limit for source-IP configuration:                                   
 IP-address          suppress-rate(pps)(rate=0 means function disabled)         
------------------------------------------------------------------------------- 
 10.0.0.1            512                                                        
 Others              126                                                        
------------------------------------------------------------------------------- 
 1 specified IP addresses are configured, spec is 128 items.                    
                                                                                
 ARP miss speed-limit for source-IP configuration:                              
 IP-address          suppress-rate(pps)(rate=0 means function disabled)         
------------------------------------------------------------------------------- 
 10.134.23.6         400                                                        
 Others              500                                                        
------------------------------------------------------------------------------- 
 1 specified IP addresses are configured, spec is 128 items.                    
Table 14-93  Description of the display arp anti-attack configuration command output

Item

Description

ARP speed-limit for source-MAC configuration

Rate limit on ARP packets based on the source MAC address.

You can run the arp speed-limit source-mac command to configure rate limit on ARP packets based on the source MAC address.

ARP speed-limit for source-IP configuration

Rate limit on ARP packets based on the source IP address.

You can run the arp speed-limit source-ip command to configure rate limit on ARP packets based on the source IP address.

ARP anti-attack packet-check function

Whether MAC address consistency check in an ARP packet is enabled.

You can run the arp anti-attack packet-check sender-mac command to enable MAC address consistency check in an ARP packet.

ARP miss speed-limit for source-IP configuration

Rate limit on ARP Miss messages based on source IP addresses.

You can run the arp-miss speed-limit source-ip command to configure rate limit on ARP Miss messages based on the source IP address.

ARP anti-attack entry-check mode

ARP entry fixing mode.

You can run the arp anti-attack entry-check enable command to set the ARP entry fixing mode.

ARP gateway-duplicate anti-attack function

Whether ARP gateway anti-collision is enabled.

You can run the arp anti-attack gateway-duplicate enable command to enable ARP gateway anti-collision.

ARP rate-limit configuration

Configuration of rate limit on ARP packets.

  • Global configuration indicates the global configuration of rate limit on ARP packets.

  • Interface configuration indicates the configuration of rate limit on ARP packets on an interface.

You can run the arp anti-attack rate-limit command to configure rate limit on ARP packets.

ARP miss rate-limit configuration

Configuration of rate limit on ARP Miss messages. Global configuration indicates the global configuration of rate limit on ARP Miss messages.

You can run the arp-miss anti-attack rate-limit command to configure rate limit on ARP Miss messages.

MAC-address

Rate limit on ARP packets based on a specified MAC address.
  • ALL indicates all MAC addresses.
  • Others indicates other MAC addresses except for the specified MAC address.

IP-address

Rate limit on ARP packets and ARP Miss messages based on a specified IP address.
  • ALL indicates all IP addresses.
  • Others indicates other IP addresses except for the specified IP address.

suppress-rate

Rate limit on ARP packets and ARP Miss messages.

display arp anti-attack gateway-duplicate item

Function

The display arp anti-attack gateway-duplicate item command displays ARP gateway anti-collision entries.

NOTE:

AR502G-L-D-H and AR502GR-L-D-H do not support this command.

The AR510 series does not support this command.

Format

display arp anti-attack gateway-duplicate item

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After ARP gateway anti-collision is enabled, you can run this command to view ARP anti-collision entries.

Example

# Display ARP gateway anti-collision entries.

<Huawei> display arp anti-attack gateway-duplicate item
 interface               IP address       MAC address     VLANID   aging time 
-------------------------------------------------------------------------------
 Ethernet2/0/0           10.1.1.1         0000-0000-0002  2        150
 Ethernet2/0/1           10.1.1.2         0000-0000-0004  2        170
-------------------------------------------------------------------------------
The number of record(s) in gateway conflict table is 2 
Table 14-94  Description of the display arp anti-attack gateway-duplicate item command output

Item

Description

interface

Inbound interface of ARP packets.

IP address

IP address of the gateway.

MAC address

Source MAC address of ARP packets.

VLANID

VLAN ID of ARP packets.

aging time

Aging time of entries.

display arp flood statistics

Function

The display arp flood statistics command displays the statistics on ARP Request packets of VLANIF interfaces in all super-VLANs.

Format

display arp flood statistics

Parameters

None

Views

All views

Default Level

2: Configuration level

Usage Guidelines

You can run this command to view the statistics on ARP Request packets of VLANIF interfaces in all super-VLANs.

Example

# Display the statistics on ARP Request packets of all the VLANIF interfaces in a super-VLAN.

<Huawei> display arp flood statistics
ARP request packets statistics on supervlan:
Total ARP request packets number :  5100 
Sent ARP request packets number :  4000
Dropped ARP request packets number:  1100
Table 14-95  Description of the display arp flood statistics command output

Item

Description

ARP request packets statistics on supervlan

Statistics on ARP Request packets in all super-VLANs.

Total ARP request packets number

Total number of ARP Request packets.

Sent ARP request packets number

Number of sent ARP Request packets.

Dropped ARP request packets number

Number of ARP Request packets discarded because the rate limit on broadcasting ARP Request packets was exceeded on VLANIF interfaces in all super-VLANs.

display arp learning strict

Function

The display arp learning strict command displays strict ARP learning globally and on all interfaces.

Format

display arp learning strict

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After strict ARP learning is configured, you can run this command to check the configuration.

Example

# Display strict ARP learning globally and on all interfaces.

<Huawei> display arp learning strict
The global configuration:arp learning strict
 Interface                           LearningStrictState
------------------------------------------------------------
 Vlanif100                           force-disable
 Vlanif200                           force-enable
------------------------------------------------------------
 Total:2
 Force-enable:1
 Force-disable:1
Table 14-96  Description of the display arp learning strict command output

Item

Description

The global configuration

Global strict ARP learning. The value arp learning strict indicates that strict ARP learning has been enabled. If the parameter is left blank, strict ARP learning is disabled.

You can run the arp learning strict (system view) command to enable strict ARP learning.

Interface

Interface name.

LearningStrictState

Strict ARP learning.
  • The value force-enable indicates that strict ARP learning is enabled.
  • The value force-disable indicates that strict ARP learning is disabled.

You can run the arp learning strict (interface view) command to enable strict ARP learning.

Total

Total number of interfaces to which strict ARP learning is applied.

Force-enable

Number of the interfaces on which strict ARP learning is enabled.

Force-disable

Number of the interfaces on which strict ARP learning is disabled.

display arp packet statistics

Function

The display arp packet statistics command displays the statistics on ARP packets.

Format

display arp packet statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To locate and rectify ARP faults, you can run this command to view the statistics on ARP packets.

Example

# Display the statistics on ARP packets.

<Huawei> display arp packet statistics
ARP Pkt Received:   sum  10088                                                  
ARP Learnt Count:   sum     52                                                  
ARP Pkt Discard For Limit:   sum      0                                         
ARP Pkt Discard For SpeedLimit:   sum     31                                    
ARP Pkt Discard For Proxy Suppress:   sum    307                                
ARP Pkt Discard For Other:   sum   9274             
Table 14-97  Description of the display arp packet statistics command output

Item

Description

ARP Pkt Received

Number of received ARP packets.

ARP Learnt Count

Number of times ARP entries have been learned.

ARP Pkt Discard For Limit

Number of ARP packets discarded due to the ARP entry limit.

ARP Pkt Discard For SpeedLimit

Number of ARP packets discarded when the number of ARP packets from a specified source IP address exceeds the limit.

ARP Pkt Discard For Proxy Suppress

Number of packets discarded for the speed limit.

ARP Pkt Discard For Other

Number of ARP packets discarded for other reasons.
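Because these counters are cumulative and only reset arp packet statistics clears them, a monitoring job normally compares two consecutive polls rather than reading a single absolute value. The following is an added example (not Huawei's code and not part of this document) that parses captured display arp packet statistics output, computes the per-counter increase between two polls, and flags an interval in which the SpeedLimit discard counter grew faster than an operator-chosen allowance; it assumes the output has been saved as text, and the second snapshot and the function names are constructed for illustration.

```python
import re

# One counter line, e.g. "ARP Pkt Discard For SpeedLimit:   sum     31"
COUNTER_RE = re.compile(r"^\s*(ARP [A-Za-z ]+?):\s+sum\s+(\d+)\s*$")

# Constructed input: the page's example output, then a second snapshot taken
# later without an intervening reset (the second set of values is invented).
SNAPSHOT_1 = """\
ARP Pkt Received:   sum  10088
ARP Learnt Count:   sum     52
ARP Pkt Discard For Limit:   sum      0
ARP Pkt Discard For SpeedLimit:   sum     31
ARP Pkt Discard For Proxy Suppress:   sum    307
ARP Pkt Discard For Other:   sum   9274
"""
SNAPSHOT_2 = """\
ARP Pkt Received:   sum  12588
ARP Learnt Count:   sum     60
ARP Pkt Discard For Limit:   sum      0
ARP Pkt Discard For SpeedLimit:   sum    931
ARP Pkt Discard For Proxy Suppress:   sum    310
ARP Pkt Discard For Other:   sum   9300
"""


def parse_arp_packet_statistics(text):
    """Map each counter name in the command output to its integer value."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_delta(before, after):
    """Increase of every counter between two polls. A negative delta means the
    counters were cleared in between, so that interval cannot be trusted."""
    names = set(before) | set(after)
    return {n: after.get(n, 0) - before.get(n, 0) for n in names}


def speed_limit_drops_exceeded(delta, max_drops_per_interval):
    """True when the SpeedLimit discard counter grew by more than the allowance
    in one interval, i.e. some source kept exceeding its configured suppress-rate."""
    if any(v < 0 for v in delta.values()):
        raise ValueError("counters were reset during the interval")
    return delta.get("ARP Pkt Discard For SpeedLimit", 0) > max_drops_per_interval


def discard_breakdown(counters):
    """Share of received ARP packets that were dropped, split by cause."""
    received = counters.get("ARP Pkt Received", 0)
    by_cause = {k: v for k, v in counters.items() if "Discard" in k}
    dropped = sum(by_cause.values())
    return {"received": received, "dropped": dropped,
            "drop_ratio": dropped / received if received else 0.0,
            "by_cause": by_cause}
```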

display arp-limit

Function

The display arp-limit command displays the maximum number of ARP entries that an interface can dynamically learn.

Format

display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ]

Parameters

Parameter

Description

Value

interface interface-type interface-number

Specifies the type and number of an interface.
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

vlan vlan-id

Specifies a VLAN ID. This parameter is available only for Layer 2 interfaces.

The value is an integer that ranges from 1 to 4094.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the maximum number of ARP entries that an interface can dynamically learn is set, you can run this command to check the configuration.

If interface interface-type interface-number and vlan vlan-id are specified, you can view the maximum number of ARP entries that the specified interface can dynamically learn in the specified VLAN. If the two parameters are not specified, the maximum number of ARP entries that each interface can dynamically learn is displayed.

Example

# Display the number of ARP entries that each interface can dynamically learn.

<Huawei> display arp-limit
 Interface               LimitNum        VlanID          LearnedNum(Mainboard)
---------------------------------------------------------------------------
 Vlanif100               1000            0                  0 
 Ethernet0/0/1           16384           10                 0
---------------------------------------------------------------------------
 Total:2  
Table 14-98  Description of the display arp-limit command output

Item

Description

Interface

Interface name.

LimitNum

Maximum number of ARP entries that an interface can dynamically learn.

VlanID

ID of the VLAN that the interface belongs to.

LearnedNum(Mainboard)

Number of ARP entries that an interface has learned.

reset arp anti-attack statistics check user-bind

Function

The reset arp anti-attack statistics check user-bind command clears the statistics on discarded ARP packets matching no binding entry.

NOTE:

AR502G-L-D-H and AR502GR-L-D-H do not support this command.

The AR510 series does not support this command.

Format

reset arp anti-attack statistics check user-bind interface interface-type interface-number

Parameters

Parameter

Description

Value

interface interface-type interface-number

Specifies the type and number of an interface:
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

Views

User view

Default Level

2: Configuration level

Usage Guidelines

After DAI is enabled and some ARP packets matching no binding entry are discarded, you can run this command to clear the statistics on the discarded ARP packets.

Example

# Clear the statistics on discarded ARP packets on Eth0/0/1.

<Huawei> reset arp anti-attack statistics check user-bind interface ethernet 0/0/1

reset arp anti-attack statistics rate-limit

Function

The reset arp anti-attack statistics rate-limit command clears the statistics on ARP packets discarded when the rate of ARP packets exceeds the limit.

Format

reset arp anti-attack statistics rate-limit { global | interface interface-type interface-number }

Parameters

Parameter

Description

Value

global

Indicates that statistics on discarded ARP packets are cleared globally.

-

interface interface-type interface-number

Specifies the type and number of an interface:
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

Views

User view

Default Level

2: Configuration level

Usage Guidelines

After rate limit on ARP packets is enabled, the device discards the excess packets when the rate of ARP packets exceeds the limit. You can run this command to clear the statistics on the discarded ARP packets.

Example

# Clear the statistics on ARP packets discarded when the rate of ARP packets exceeds the limit globally.

<Huawei> reset arp anti-attack statistics rate-limit global

reset arp flood statistics

Function

The reset arp flood statistics command clears the statistics on ARP Request packets of VLANIF interfaces in all super-VLANs.

Format

reset arp flood statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

After this command is run, the statistics on ARP Request packets of VLANIF interfaces in all super-VLANs are cleared and cannot be restored.

Example

# Clear the statistics on ARP Request packets of VLANIF interfaces in all super-VLANs.

<Huawei> reset arp flood statistics

reset arp packet statistics

Function

The reset arp packet statistics command clears the statistics on ARP packets.

Format

reset arp packet statistics

Parameters

None

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

You can run the display arp packet statistics command to display the statistics on ARP packets. To obtain correct statistics, run the reset arp packet statistics command to clear existing statistics first.

The reset arp packet statistics command clears the ARP packet statistics only on the main control board.

Example

# Clear the statistics on all ARP packets.

<Huawei> reset arp packet statistics
Updated: 2019-05-29

Document ID: EDOC1000097293
