Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ARP Security Configuration Commands

arp anti-attack check user-bind check-item

Function

The arp anti-attack check user-bind check-item command configures check items for ARP packet check based on binding entries.

The undo arp anti-attack check user-bind check-item command restores the default check items.

By default, the check items consist of IP address, MAC address, and interface number.

NOTE:
CE6880EI does not support the command.

Format

arp anti-attack check user-bind check-item { ip-address | mac-address | interface } *

undo arp anti-attack check user-bind check-item

Parameters

Parameter Description Value
ip-address Indicates that the device checks IP addresses in ARP packets. -
mac-address Indicates that the device checks MAC addresses in ARP packets. -
interface Indicates that the device checks interface numbers in ARP packets. -

Views

VLAN view, VLAN-Range view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a device receives an ARP packet, it compares the source IP address, source MAC address, and interface number of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

To allow some special ARP packets that match only one or two items in binding entries to pass through, configure the device to check ARP packets according to one or two specified items in binding entries.

Prerequisites

DAI has been enabled using the arp anti-attack check user-bind enable command.

Precautions

Check items configured for ARP packet check based on binding entries do not take effect on hosts that are configured with static binding entries. These hosts check ARP packets based on all items in static binding entries.
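The binding-entry check described above, as an added Python model that is not Huawei's code: it applies the configured check items to a packet and, as the precaution states, always checks all three items against static binding entries. The binding table and packets are constructed samples.

```python
from dataclasses import dataclass

# The three check items the command can select; the default is all of them.
ALL_CHECK_ITEMS = frozenset({"ip-address", "mac-address", "interface"})


@dataclass(frozen=True)
class Binding:
    """One binding entry (constructed sample data, not taken from a device)."""
    ip: str
    mac: str
    interface: str
    static: bool = False   # static bindings are always checked on all items


@dataclass(frozen=True)
class ArpPacket:
    src_ip: str        # sender protocol address
    src_mac: str       # sender hardware address
    interface: str     # interface the packet arrived on


def _matches(pkt: ArpPacket, binding: Binding, items: frozenset) -> bool:
    """True when every selected item of the packet equals the binding entry."""
    results = {
        "ip-address": pkt.src_ip == binding.ip,
        "mac-address": pkt.src_mac.lower() == binding.mac.lower(),
        "interface": pkt.interface == binding.interface,
    }
    return all(results[item] for item in items)


def dai_check(pkt: ArpPacket, bindings, check_items=ALL_CHECK_ITEMS) -> str:
    """Return 'permit' if the packet matches a binding entry on the configured
    check items, otherwise 'discard'. Static bindings ignore the configured
    items and require ip-address, mac-address and interface to match."""
    items = frozenset(check_items)
    if not items or not items <= ALL_CHECK_ITEMS:
        raise ValueError(f"invalid check items: {sorted(items)}")
    for binding in bindings:
        effective = ALL_CHECK_ITEMS if binding.static else items
        if _matches(pkt, binding, effective):
            return "permit"
    return "discard"


# Constructed sample binding table: one dynamic and one static entry.
BINDINGS = (
    Binding("10.0.0.5", "00aa.bbcc.dd01", "10GE1/0/1"),
    Binding("10.0.0.9", "00aa.bbcc.dd02", "10GE1/0/2", static=True),
)


def demo():
    """Run the check with the default items and with ip-address only."""
    # Same host as the dynamic binding, but seen on a different interface.
    moved = ArpPacket("10.0.0.5", "00aa.bbcc.dd01", "10GE1/0/3")
    # Correct IP for the static binding, but a different MAC and interface.
    static_spoof = ArpPacket("10.0.0.9", "00aa.bbcc.dd99", "10GE1/0/3")
    return {
        "moved/default": dai_check(moved, BINDINGS),
        "moved/ip-only": dai_check(moved, BINDINGS, {"ip-address"}),
        "static/ip-only": dai_check(static_spoof, BINDINGS, {"ip-address"}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```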

Example

# Configure the device to check IP addresses in ARP packets from VLAN 100.

<HUAWEI> system-view
[~HUAWEI] vlan 100
[*HUAWEI-vlan100] arp anti-attack check user-bind enable
[*HUAWEI-vlan100] arp anti-attack check user-bind check-item ip-address

arp anti-attack check user-bind enable

Function

The arp anti-attack check user-bind enable command enables DAI. DAI enables the device to check ARP packets based on binding entries.

The undo arp anti-attack check user-bind enable command disables DAI.

By default, DAI is disabled.

NOTE:
CE6880EI does not support the command.

Format

arp anti-attack check user-bind enable

undo arp anti-attack check user-bind enable

Parameters

None

Views

VLAN view, VLAN-Range view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent MITM attacks and theft of authorized user information, run the arp anti-attack check user-bind enable command to enable DAI. When a device receives an ARP packet, it compares the source IP address, source MAC address, and interface number of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

Follow-up Procedure

Run the arp anti-attack check user-bind check-item command to configure check items for ARP packet check based on binding entries.

Precautions

If protocol packet transparent transmission in a VLAN is enabled together with DAI, protocol packet transparent transmission does not take effect.

Example

# Enable DAI in VLAN 100.
<HUAWEI> system-view
[~HUAWEI] vlan 100
[*HUAWEI-vlan100] arp anti-attack check user-bind enable

arp anti-attack entry-check enable

Function

The arp anti-attack entry-check enable command enables ARP entry fixing.

The undo arp anti-attack entry-check enable command disables ARP entry fixing.

By default, ARP entry fixing is disabled.

Format

arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

undo arp anti-attack entry-check [ fixed-mac | fixed-all | send-ack ] enable

Parameters

Parameter Description Value
fixed-mac Indicates ARP entry fixing in fixed-mac mode. When receiving an ARP packet, the device discards the packet if the MAC address does not match the MAC address in the corresponding ARP entry. If the MAC address in the ARP packet matches that in the corresponding ARP entry while the interface number or VLAN ID does not match that in the ARP entry, the device updates the interface number or VLAN ID in the ARP entry. -
fixed-all Indicates ARP entry fixing in fixed-all mode. When the MAC address, interface number, and VLAN ID of an ARP packet match those in the corresponding ARP entry, the device updates other information about the ARP entry. -
send-ack Indicates ARP entry fixing in send-ack mode. When the device receives an ARP packet with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and then determines whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response from the user. -

Views

System view, port group view, VLANIF interface view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To defend against ARP address spoofing attacks, enable ARP entry fixing. The fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive:
  • The fixed-mac mode applies to networks where user MAC addresses are unchanged but user access locations often change. When a user connects to a different interface on the device, the device promptly updates the interface information in the user's ARP entry.
  • The fixed-all mode applies to networks where user MAC addresses and user access locations are fixed.
  • The send-ack mode applies to networks where user MAC addresses and user access locations often change.
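The three modes as an added Python decision model, not Huawei's implementation: each mode is applied to an existing ARP entry when a packet for the same IP address arrives with a changed MAC address or location. The send-ack probe is modelled as a callback, and the assumption that an answer from the original host means the change is rejected is mine; the entry and packets are constructed samples.

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional

MODES = ("fixed-mac", "fixed-all", "send-ack")


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    src_ip: str
    src_mac: str
    interface: str
    vlan: int


# send-ack needs a unicast probe of the original host; modelled as a callback
# probe(ip, mac) -> True if the host holding the original MAC still answers.
Probe = Callable[[str, str], bool]


def apply_entry_check(entry: ArpEntry, pkt: ArpPacket, mode: str,
                      probe: Optional[Probe] = None):
    """Decide what ARP entry fixing does with a packet for an existing entry.

    Returns (action, entry): 'discard' (packet dropped, fixed-mac only),
    'refresh' (all fields match, entry only refreshed), 'update' (entry
    rewritten from the packet) or 'ignore' (entry left untouched)."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if pkt.src_ip != entry.ip:
        raise ValueError("packet does not concern this entry")
    same_mac = pkt.src_mac.lower() == entry.mac.lower()
    same_loc = (pkt.interface, pkt.vlan) == (entry.interface, entry.vlan)

    if mode == "fixed-mac":
        # The MAC is fixed: a changed MAC means the packet is discarded.
        if not same_mac:
            return "discard", entry
        # Same MAC but a new interface/VLAN: follow the user to the new location.
        if not same_loc:
            return "update", replace(entry, interface=pkt.interface, vlan=pkt.vlan)
        return "refresh", entry

    if mode == "fixed-all":
        # Only a packet matching MAC, interface and VLAN may touch the entry.
        return ("refresh", entry) if same_mac and same_loc else ("ignore", entry)

    # send-ack: do not trust the change until the original host has been asked.
    if same_mac and same_loc:
        return "refresh", entry
    if probe is None:
        raise ValueError("send-ack mode requires a probe callback")
    if probe(entry.ip, entry.mac):
        # Assumption: the original host still answers, so the change is
        # treated as spoofing and the entry is kept.
        return "ignore", entry
    # No answer from the original host: accept the new MAC and location.
    return "update", replace(entry, mac=pkt.src_mac,
                             interface=pkt.interface, vlan=pkt.vlan)


# Constructed sample: a known host, a relocation, and a MAC change.
ENTRY = ArpEntry("10.0.0.5", "00aa.bbcc.dd01", "10GE1/0/1", 100)
MOVED = ArpPacket("10.0.0.5", "00aa.bbcc.dd01", "10GE1/0/2", 100)
CHANGED_MAC = ArpPacket("10.0.0.5", "00aa.bbcc.dd99", "10GE1/0/2", 100)


def demo():
    """Run the three modes over the sample packets; returns action names."""
    return {
        ("fixed-mac", "moved"): apply_entry_check(ENTRY, MOVED, "fixed-mac")[0],
        ("fixed-mac", "changed"): apply_entry_check(ENTRY, CHANGED_MAC, "fixed-mac")[0],
        ("fixed-all", "moved"): apply_entry_check(ENTRY, MOVED, "fixed-all")[0],
        ("send-ack", "answered"): apply_entry_check(
            ENTRY, CHANGED_MAC, "send-ack", probe=lambda ip, mac: True)[0],
        ("send-ack", "silent"): apply_entry_check(
            ENTRY, CHANGED_MAC, "send-ack", probe=lambda ip, mac: False)[0],
    }


if __name__ == "__main__":
    for key, action in demo().items():
        print(f"{key[0]:9} {key[1]:9} -> {action}")
```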

Precautions

If you run the arp anti-attack entry-check enable command in the system view, ARP entry fixing is enabled on all interfaces. If you run the arp anti-attack entry-check enable command in the interface view, ARP entry fixing is enabled on the specified interface.

If ARP entry fixing is enabled globally and on an interface simultaneously, the configuration on the interface takes precedence over the global configuration.

Example

# Enable ARP entry fixing and specify the fixed-mac mode.
<HUAWEI> system-view
[~HUAWEI] arp anti-attack entry-check fixed-mac enable
# Enable ARP entry fixing and specify the fixed-mac mode on 10GE1/0/1.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1 
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] arp anti-attack entry-check fixed-mac enable

arp anti-attack gateway-duplicate enable

Function

The arp anti-attack gateway-duplicate enable command enables ARP gateway anti-collision.

The undo arp anti-attack gateway-duplicate enable command disables ARP gateway anti-collision.

By default, ARP gateway anti-collision is disabled.

Format

arp anti-attack gateway-duplicate [ check-all ] enable

undo arp anti-attack gateway-duplicate [ check-all ] enable

NOTE:

Only the CE6850HI, CE6850U-HI, CE6851HI, CE6855HI, CE6856HI, CE6860EI, CE6870EI, CE7850EI, CE7855EI, CE8850EI, and CE8860EI support the check-all parameter.

Parameters

Parameter Description Value
check-all The check-all parameter enhances the ARP gateway anti-collision function. When the switch detects a bogus gateway, the gateway reports an alarm and sends a gratuitous ARP packet so that user hosts can update the ARP entries. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker forges the gateway address to send ARP packets with the source IP address being the IP address of the gateway on the LAN, ARP entries on hosts in the LAN record the incorrect gateway address. As a result, all traffic from user hosts to the gateway is sent to the attacker, who intercepts user information, and user communication is interrupted. To defend against bogus gateways, you can enable the ARP bogus gateway attack defense function on gateways directly connected to the hosts.

When the following conditions are met and the check-all parameter is not specified, the switch considers that the IP address in the ARP packet conflicts with the gateway address:
  • The interface receiving the packet is a VLANIF or VBDIF interface.
  • The source IP address in the ARP packet is the same as the IP address of the interface that receives the packet.
  • The source MAC address in the Ethernet packet header and source MAC address in the ARP packet are different from the interface MAC address.
  • The source MAC address in the received packet is not a VRRP virtual MAC address.
In this situation, the switch generates ARP attack defense entries (the entries are not generated if the VRRP virtual MAC address is used), and discards the packets of which the VLAN IDs (or BDs) and source MAC addresses match the entries within a period of time. This prevents the ARP packets conflicting with the gateway address from being broadcast in the VLAN or BD.

If the check-all parameter is specified and the source IP address in a received ARP packet is the same as the local address, the switch considers that the ARP packet conflicts with the gateway address.

The check-all parameter enhances the ARP gateway anti-collision function. When the switch detects a bogus gateway, the gateway reports an alarm and sends a gratuitous ARP packet so that user hosts can update the ARP entries.

Precautions

A maximum of 100 ARP anti-attack entries can exist on the device at the same time if the check-all parameter is not specified. When the maximum number is exceeded, the device cannot prevent new ARP gateway collision attacks.

In the VXLAN centralized gateway scenario, the check-all parameter is not supported.

After the check-all parameter is specified in the VXLAN distributed gateway scenario, the switch checks only the user-side ARP packets.
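The collision conditions and defense entries described above, as an added Python model that is not Huawei's code: a packet that meets all four conditions creates an entry keyed by VLAN ID and source MAC address, matching packets are discarded until the entry ages out, and no more than 100 entries exist at once. The hold time is an assumption (the page only says "within a period of time"); the gateway and packets are constructed samples.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

MAX_DEFENSE_ENTRIES = 100   # limit stated for the mode without check-all


@dataclass(frozen=True)
class ArpPacket:
    in_interface: str       # e.g. "Vlanif100"
    vlan: int
    eth_src_mac: str        # source MAC in the Ethernet header
    arp_src_mac: str        # sender hardware address in the ARP payload
    arp_src_ip: str         # sender protocol address


@dataclass(frozen=True)
class GatewayInterface:
    name: str
    ip: str
    mac: str
    vrrp_virtual_macs: FrozenSet[str] = frozenset()


def is_gateway_collision(pkt: ArpPacket, gw: GatewayInterface) -> bool:
    """The four conditions the page lists for the mode without check-all."""
    on_l3_gateway = pkt.in_interface.lower().startswith(("vlanif", "vbdif"))
    claims_gateway_ip = pkt.arp_src_ip == gw.ip
    foreign_mac = (pkt.eth_src_mac.lower() != gw.mac.lower()
                   and pkt.arp_src_mac.lower() != gw.mac.lower())
    vrrp_macs = {m.lower() for m in gw.vrrp_virtual_macs}
    not_vrrp = pkt.eth_src_mac.lower() not in vrrp_macs
    return on_l3_gateway and claims_gateway_ip and foreign_mac and not_vrrp


class GatewayAntiCollision:
    """Defense entries keyed by (VLAN, source MAC); matching packets are
    discarded until the entry ages out. hold_seconds is an assumption."""

    def __init__(self, hold_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.hold_seconds = hold_seconds
        self.clock = clock
        self.entries: Dict[Tuple[int, str], float] = {}   # key -> expiry time
        self.alarms: List[str] = []

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]

    def process(self, pkt: ArpPacket, gw: GatewayInterface) -> str:
        """Return 'discard', 'forward' or 'unprotected' (entry table full)."""
        now = self.clock()
        self._expire(now)
        key = (pkt.vlan, pkt.eth_src_mac.lower())
        if key in self.entries:
            return "discard"            # still within the hold period
        if not is_gateway_collision(pkt, gw):
            return "forward"
        if len(self.entries) >= MAX_DEFENSE_ENTRIES:
            return "unprotected"        # no new entry can be created
        self.entries[key] = now + self.hold_seconds
        self.alarms.append(f"gateway collision in VLAN {pkt.vlan} from {pkt.eth_src_mac}")
        return "discard"


# Constructed sample gateway and traffic.
GATEWAY = GatewayInterface("Vlanif100", "10.0.0.1", "00e0.fc00.0001")
BOGUS = ArpPacket("Vlanif100", 100, "00aa.bbcc.dd99", "00aa.bbcc.dd99", "10.0.0.1")
NORMAL = ArpPacket("Vlanif100", 100, "00aa.bbcc.dd07", "00aa.bbcc.dd07", "10.0.0.7")
# Later packet from the same host, no longer claiming the gateway address.
BOGUS_LATER = ArpPacket("Vlanif100", 100, "00aa.bbcc.dd99", "00aa.bbcc.dd99", "10.0.0.9")


def demo():
    """Drive the model with a fake clock; returns the verdicts in order."""
    t = [0.0]
    guard = GatewayAntiCollision(hold_seconds=30.0, clock=lambda: t[0])
    first = guard.process(BOGUS, GATEWAY)         # entry created, packet dropped
    normal = guard.process(NORMAL, GATEWAY)       # unaffected host
    t[0] = 10.0
    during = guard.process(BOGUS_LATER, GATEWAY)  # same VLAN and MAC: still dropped
    t[0] = 31.0
    after = guard.process(BOGUS_LATER, GATEWAY)   # entry aged out
    return first, normal, during, after, len(guard.alarms)
```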

Example

# Enable ARP gateway anti-collision.

<HUAWEI> system-view
[~HUAWEI] arp anti-attack gateway-duplicate enable

arp anti-attack gratuitous-arp drop

Function

The arp anti-attack gratuitous-arp drop command enables gratuitous ARP packet discarding.

The undo arp anti-attack gratuitous-arp drop command disables gratuitous ARP packet discarding.

By default, gratuitous ARP packet discarding is disabled.

Format

arp anti-attack gratuitous-arp drop

undo arp anti-attack gratuitous-arp drop

Parameters

None

Views

System view, port group view, VLANIF interface view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Any host can send gratuitous ARP packets without authorization, which causes the following problems:
  • If a large number of gratuitous ARP packets are broadcast on the network, network devices cannot process valid ARP packets due to CPU overload.
  • If a device processes bogus gratuitous ARP packets, ARP entries are updated incorrectly, leading to communication interruptions.

To solve the preceding problems, enable gratuitous ARP packet discarding using the arp anti-attack gratuitous-arp drop command on the gateway.

Precautions

If the current interface is a Layer 2 interface, you must run the undo portswitch command first to switch the interface to Layer 3 mode.

If this function is enabled globally, it takes effect on all Layer 3 interfaces. If this function is enabled on an interface, it takes effect only on the current Layer 3 interface.

Example

# Enable gratuitous ARP packet discarding globally.

<HUAWEI> system-view
[~HUAWEI] arp anti-attack gratuitous-arp drop

# Enable gratuitous ARP packet discarding on VLANIF 10.

<HUAWEI> system-view
[~HUAWEI] vlan 10
[*HUAWEI-vlan10] quit
[*HUAWEI] interface vlanif 10
[*HUAWEI-Vlanif10] arp anti-attack gratuitous-arp drop
# Enable gratuitous ARP packet discarding on 10GE1/0/1.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1 
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] arp anti-attack gratuitous-arp drop

arp anti-attack log-trap-timer

Function

The arp anti-attack log-trap-timer command sets the interval for recording ARP logs and sending ARP alarms.

The undo arp anti-attack log-trap-timer command restores the default setting.

The default interval for recording ARP logs and sending alarms is 0, indicating that the device does not record ARP logs or send ARP alarms.

Format

arp anti-attack log-trap-timer time

undo arp anti-attack log-trap-timer

Parameters

Parameter Description Value
time Specifies the interval for recording ARP logs and sending ARP alarms. The value is an integer that ranges from 0 to 1200, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limiting on ARP packets or ARP Miss messages is enabled, if the number of ARP packets or ARP Miss messages the device receives in a specified period exceeds the limit, the device discards the excess ARP packets or ARP Miss messages. The device considers the excess ARP packets or ARP Miss messages as potential attacks. The device records ARP logs and sends ARP alarms indicating potential attacks to the NMS.

To avoid excessive alarms and logs when ARP attacks occur, reduce the alarm and log quantities by setting a proper interval for sending alarms and recording logs.

Precautions

In an insecure environment, you are advised to extend the interval for recording ARP logs and sending ARP alarms, which prevents excessive ARP logs and ARP alarms. In a secure environment, you are advised to shorten the interval, which facilitates fault rectification in real time.

After the interval is set, the device discards ARP logs and alarms generated within the interval; therefore, some faults cannot be rectified in real time.

Example

# Set the interval for recording ARP logs and sending ARP alarms to 20 seconds.

<HUAWEI> system-view
[~HUAWEI] arp anti-attack log-trap-timer 20

arp anti-attack rate-limit

Function

The arp anti-attack rate-limit command sets the maximum rate of ARP packets globally, in a VLAN, or on an interface.

The undo arp anti-attack rate-limit command restores the default maximum rate of ARP packets globally, in a VLAN, or on an interface.

By default, the CE5800 sets the global ARP rate limit to 128 pps. That is, it allows a maximum of 128 ARP packets to pass per second. The default global ARP rate limit on other models is 0. That is, they do not limit the global rate of ARP packets. The default ARP rate limit in a VLAN or on an interface of all models is 0. That is, all models do not limit the ARP rate in a VLAN or on an interface.

Format

System view, VLAN view, VLAN-Range view

arp anti-attack rate-limit limit

undo arp anti-attack rate-limit

Interface view

arp anti-attack rate-limit limit

undo arp anti-attack rate-limit [ limit ]

NOTE:

The CE6870EI does not support this command in the interface view.

Parameters

Parameter Description Value
limit Specifies the maximum rate of sending ARP packets, that is, the number of ARP packets allowed to pass through per second. The value is an integer that ranges from 0 to 65536.

Views

System view, VLAN view, Eth-Trunk interface view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, port group view, VLAN-Range view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After ARP packet rate limiting is enabled, run the arp anti-attack rate-limit command to set the maximum rate of ARP packets. If the number of ARP packets received per second exceeds the limit, the device discards the excess ARP packets.

Precautions

  • If the maximum rate is configured in the system view, VLAN view, and interface view at the same time, the device applies the configurations in descending order of precedence: interface view, then VLAN view, then system view.
  • After interface-based ARP rate limiting is configured, the device limits only the rate of ARP broadcast packets sent by this interface to the CPU, but does not limit the rate of ARP unicast packets or ARP packets forwarded by the device.
  • If the global ARP rate limit is too low and the login through Telnet fails because the device receives a large number of ARP attack packets, you can log in to the device through the Console port to increase the rate limit.

Example

# Configure VLAN 100 to allow 200 ARP packets to pass through in each second.
<HUAWEI> system-view
[~HUAWEI] vlan 100
[*HUAWEI-vlan100] arp anti-attack rate-limit 200

arp anti-attack rate-limit interface

Function

The arp anti-attack rate-limit interface command sets the ARP rate limit for all interfaces.

The undo arp anti-attack rate-limit interface command cancels the ARP rate limit for all interfaces.

By default, the ARP rate limit on all interfaces is 0. That is, the ARP packet rate on all interfaces is not limited.

NOTE:

CE6870EI does not support this command.

Format

arp anti-attack rate-limit interface limit

undo arp anti-attack rate-limit interface [ limit ]

Parameters

Parameter Description Value
limit Specifies the ARP rate limit for all interfaces, that is, the number of ARP packets that can pass every second. The value is an integer that ranges from 0 to 65536.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When processing a large number of ARP packets, a device consumes many CPU resources and cannot process other services. To protect CPU resources of the device, limit the rate of ARP packets.

After the function of limiting ARP packet rate is enabled, you can run the arp anti-attack rate-limit interface command in the system view to set an ARP rate limit for all interfaces. If the number of ARP packets received by an interface within one second exceeds the limit, the device discards the excess ARP packets.

Precautions

  • After ARP rate limit is set in the system view for all interfaces, the device limits only the rate of ARP broadcast packets sent by this interface to the CPU, but does not limit the rate of ARP unicast packets or ARP packets forwarded by the device.

  • If the ARP rate limit set in the system view for all interfaces is too small, the device may discard valid ARP packets, causing a failure to log in to the device through Telnet. In this situation, you can log in to the device through the console port and change the ARP rate limit for all interfaces to an appropriate value.

  • If the arp anti-attack rate-limit command has been executed in the interface view and the arp anti-attack rate-limit interface command has been executed in the system view, the configuration in the interface view takes effect.

  • If the arp anti-attack rate-limit command has been executed in the system view, the rate limit specified in the command is the upper limit for the total number of ARP packets on all interfaces. If the arp anti-attack rate-limit interface command has been executed in the system view, the rate limit specified in the command is the upper limit for the number of ARP packets on each interface.

  • After ARP rate limiting is enabled on all interfaces, port-based automatic local attack defense for ARP does not take effect.
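The precedence and scope rules in the precautions above, as an added Python model that is not Huawei's implementation: the system-view rate-limit is a cap on the total across all interfaces, rate-limit interface is a per-interface cap for every interface, an interface-view rate-limit overrides it for that interface, only broadcast ARP sent to the CPU is counted, and 0 means not limited. The one-second sliding window and the sample limits are my assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class ArpRateLimiter:
    """Models the three rate-limit scopes described on the page:
    - arp anti-attack rate-limit (system view): cap on the total number of
      ARP packets per second across all interfaces;
    - arp anti-attack rate-limit interface: per-interface cap applied to
      every interface;
    - arp anti-attack rate-limit (interface view): per-interface cap for one
      interface, which takes effect over the system-view interface cap.
    A limit of 0 means 'not limited', as in the command defaults."""

    def __init__(self, global_limit: int = 0, all_interfaces_limit: int = 0,
                 interface_limits: Optional[Dict[str, int]] = None):
        self.global_limit = global_limit
        self.all_interfaces_limit = all_interfaces_limit
        self.interface_limits = dict(interface_limits or {})
        self._global: Deque[float] = deque()               # admit times, last second
        self._per_if: Dict[str, Deque[float]] = defaultdict(deque)

    def interface_limit(self, ifname: str) -> int:
        """Effective per-interface cap: interface view first, then system view."""
        return self.interface_limits.get(ifname, self.all_interfaces_limit)

    @staticmethod
    def _prune(window: Deque[float], now: float) -> None:
        # Drop admissions older than one second (assumed sliding window).
        while window and window[0] <= now - 1.0:
            window.popleft()

    def admit(self, ifname: str, now: float, broadcast: bool = True) -> bool:
        """Return True if the ARP packet is sent to the CPU, False if discarded."""
        if not broadcast:
            return True     # only broadcast ARP sent to the CPU is counted
        self._prune(self._global, now)
        window = self._per_if[ifname]
        self._prune(window, now)
        limit = self.interface_limit(ifname)
        if limit and len(window) >= limit:
            return False    # per-interface cap reached
        if self.global_limit and len(self._global) >= self.global_limit:
            return False    # total across all interfaces reached
        window.append(now)
        self._global.append(now)
        return True


def demo():
    """Constructed scenario: global total 5 pps, 3 pps on every interface,
    and an interface-view override of 1 pps on 10GE1/0/2."""
    lim = ArpRateLimiter(global_limit=5, all_interfaces_limit=3,
                         interface_limits={"10GE1/0/2": 1})
    a = [lim.admit("10GE1/0/1", 0.0) for _ in range(4)]   # 3 pass, 1 dropped
    b = [lim.admit("10GE1/0/2", 0.0) for _ in range(2)]   # override: 1 passes
    c = [lim.admit("10GE1/0/3", 0.0) for _ in range(2)]   # global total: 1 passes
    unicast = lim.admit("10GE1/0/1", 0.0, broadcast=False)  # never counted
    next_second = lim.admit("10GE1/0/1", 1.5)             # window slid: passes
    return a, b, c, unicast, next_second


if __name__ == "__main__":
    print(demo())
```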

Example

# Set the ARP rate limit for all interfaces to 200.
<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit interface 200

arp gratuitous-arp send disable

Function

The arp gratuitous-arp send disable command disables an interface from periodically sending gratuitous Address Resolution Protocol (ARP) packets.

The undo arp gratuitous-arp send disable command restores the default configuration.

By default, an interface follows the configuration in the system view:
  • If a device is enabled to periodically send gratuitous ARP packets in the system view, the interface on the device also has this function enabled.
  • If a device is disabled from periodically sending gratuitous ARP packets in the system view, the interface on the device also has this function disabled.

Format

arp gratuitous-arp send disable

undo arp gratuitous-arp send disable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a device has many interfaces that are Up and have IP addresses configured, enabling the device to periodically send gratuitous ARP packets will consume excessive CPU resources, affecting services. To resolve this problem, run the arp gratuitous-arp send disable command on a specified interface to disable the interface from periodically sending gratuitous ARP packets.

After running the arp gratuitous-arp send disable command on an interface, if you want to enable the interface to periodically send gratuitous ARP packets again, run the undo arp gratuitous-arp send disable or arp gratuitous-arp send enable command on the interface. The two commands differ as follows:
  • After you run the undo arp gratuitous-arp send disable command, whether the interface periodically sends gratuitous ARP packets depends on the globally configured policy, which is configured by the arp gratuitous-arp send enable command. If the arp gratuitous-arp send enable command is not executed in the system view, the arp gratuitous-arp send disable command cannot be executed.
  • After you run the arp gratuitous-arp send enable command, the interface uses its own configuration to send gratuitous ARP packets and no longer follows the global configuration.

Example

# Disable an interface from periodically sending gratuitous ARP packets.

<HUAWEI> system-view
[~HUAWEI] interface vlanif 10
[~HUAWEI-Vlanif10] arp gratuitous-arp send disable

arp gratuitous-arp send enable

Function

The arp gratuitous-arp send enable command enables gratuitous ARP packet sending.

The undo arp gratuitous-arp send enable command disables gratuitous ARP packet sending.

By default, gratuitous ARP packet sending is disabled.

Format

arp gratuitous-arp send enable

undo arp gratuitous-arp send enable

Parameters

None

Views

System view, interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker forges the gateway address to send ARP packets to other user hosts, ARP entries on the hosts record the incorrect gateway address. As a result, the gateway cannot receive data sent from the hosts. You can enable gratuitous ARP packet sending on the gateway. Then the gateway sends gratuitous ARP packets at intervals to update the ARP entries of authorized users so that the ARP entries contain the correct MAC address of the gateway.

By default, the device sends a gratuitous ARP packet every 60 seconds after this function is enabled. You can also set the interval using the arp gratuitous-arp send interval command.

Precautions

After you run the arp gratuitous-arp send enable command in the system view, gratuitous ARP packet sending is enabled on all interfaces.

After you run the undo arp gratuitous-arp send enable command in the system view, gratuitous ARP packet sending is disabled on all interfaces.

After you enable gratuitous ARP packet sending in the system view, you can run the arp gratuitous-arp send disable command to disable an interface from periodically sending gratuitous ARP packets.

The periodic ARP packet sending function takes effect as follows:
  • If this function is enabled in both the system view and interface view, the configuration in the interface view takes precedence.
  • If this function is enabled only in the system view, the configuration in the system view takes effect.
  • If this function is enabled only in the interface view, the configuration in the interface view takes effect.

Example

# Enable gratuitous ARP packet sending on VLANIF 10.

<HUAWEI> system-view
[~HUAWEI] interface vlanif 10
[*HUAWEI-Vlanif10] arp gratuitous-arp send enable

arp gratuitous-arp send interval

Function

The arp gratuitous-arp send interval command sets the interval for sending gratuitous ARP packets.

The undo arp gratuitous-arp send interval command restores the default interval for sending gratuitous ARP packets.

By default, the interval for sending gratuitous ARP packets is 60 seconds.

Format

arp gratuitous-arp send interval interval-time

undo arp gratuitous-arp send interval [ interval-time ]

Parameters

Parameter Description Value
interval-time Specifies the interval for sending gratuitous ARP packets. The value is an integer that ranges from 1 to 86400, in seconds.

Views

System view, interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device sends a gratuitous ARP packet every 60 seconds after gratuitous ARP sending is enabled. You can set the interval for sending gratuitous ARP packets using the arp gratuitous-arp send interval command.

  • If the interval is configured only in the system view, the configuration takes effect on all interfaces.
  • If the interval is configured in both the system and interface views, the configuration in the interface view takes precedence.

Prerequisites

Gratuitous ARP packet sending has been enabled using the arp gratuitous-arp send enable command.

Example

# Set the interval for sending gratuitous ARP packets to 100 seconds on VLANIF 10.

<HUAWEI> system-view
[~HUAWEI] interface vlanif 10
[*HUAWEI-Vlanif10] arp gratuitous-arp send enable
[*HUAWEI-Vlanif10] arp gratuitous-arp send interval 100

arp learning disable

Function

The arp learning disable command disables an interface from learning dynamic ARP entries.

The undo arp learning disable command enables an interface to learn dynamic ARP entries.

By default, an interface is enabled to learn dynamic ARP entries.

Format

arp learning disable

undo arp learning disable

Parameters

None

Views

Port group view, interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To ensure security and facilitate management, you can enable an interface to learn or disable an interface from learning dynamic ARP entries. You can also use the arp learning strict (system view) or arp learning strict (interface view) commands to strictly control ARP entry learning on an interface.

Precautions

If an interface is disabled from learning ARP entries, the network will be interrupted.

If an interface has learned some dynamic ARP entries, the system does not delete these entries after the interface is disabled from learning dynamic ARP entries. You can either retain these learned dynamic ARP entries or delete them manually using the reset arp command.

Example

# Disable VLANIF2 from learning dynamic ARP entries.

<HUAWEI> system-view
[~HUAWEI] vlan 2
[*HUAWEI-vlan2] quit
[*HUAWEI] interface vlanif 2
[*HUAWEI-Vlanif2] arp learning disable

# Disable 10GE1/0/1 from learning dynamic ARP entries.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] arp learning disable

arp learning strict (interface view)

Function

The arp learning strict command enables strict ARP learning on the interface.

The undo arp learning strict command restores the global configuration on the interface.

By default, strict ARP learning is disabled on the interface.

Format

arp learning strict { force-enable | force-disable | trust }

undo arp learning strict

Parameters

Parameter Description Value
force-enable Indicates that strict ARP learning is enabled. -
force-disable Indicates that strict ARP learning is disabled. -
trust Indicates that the configuration of strict ARP learning is the same as the global configuration. -

NOTE:

The effect of the trust parameter is the same as the effect of the undo arp learning strict command.

Views

Port group view, interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If many user hosts send a large number of ARP packets to a device simultaneously, or attackers send bogus ARP packets to the device, the following problems occur:
  • Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, enable strict ARP learning on the gateway. This function indicates that the device learns only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself, but does not allow the device to learn the ARP entries for the ARP packets received from other devices. In this way, the device can defend against most ARP attacks.

Precautions

The configuration on an interface takes precedence over the global configuration.

When ARP attacks occur on many interfaces of the device, you can run the arp learning strict (system view) command to enable strict ARP learning globally.

Example

# Enable strict ARP learning on VLANIF 100.
<HUAWEI> system-view
[~HUAWEI] vlan 100
[*HUAWEI-vlan100] quit
[*HUAWEI] interface vlanif 100
[*HUAWEI-Vlanif100] arp learning strict force-enable
# Enable strict ARP learning on 10GE1/0/1.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] arp learning strict force-enable

arp learning strict (system view)

Function

The arp learning strict command enables strict ARP learning.

The undo arp learning strict command restores the default setting.

By default, strict ARP learning is disabled.

Format

arp learning strict

undo arp learning strict

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If many user hosts send a large number of ARP packets to a device simultaneously, or attackers send bogus ARP packets to the device, the following problems occur:
  • Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, enable strict ARP learning on the gateway. With this function, the device learns ARP entries only from ARP Reply packets that answer ARP Request packets the device itself sent. In this way, the device can defend against most ARP attacks.
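The learning rule above (and the same rule under arp learning strict force-enable), modelled in Python as an added illustration that is not CloudEngine code: a gateway cache that, in strict mode, accepts a Reply only when it answers a Request the gateway itself sent. The addresses and packet sequence are constructed, and the non-strict behaviour used for contrast (learning from any Reply, or any Request addressed to the gateway) is an assumption.

```python
"""Model of strict ARP learning (arp learning strict). Added illustration, not
CloudEngine code: the gateway remembers which ARP Requests it sent itself and,
in strict mode, learns only from Replies that answer one of them. Every packet
below is constructed sample data."""
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    opcode: int        # ARP_REQUEST or ARP_REPLY
    sender_ip: str
    sender_mac: str
    target_ip: str


class GatewayArpCache:
    """ARP cache of a gateway, in normal or strict learning mode."""

    def __init__(self, own_ip: str, own_mac: str, strict: bool) -> None:
        self.own_ip = own_ip
        self.own_mac = own_mac
        self.strict = strict
        self.entries: dict[str, str] = {}   # ip -> mac
        self._pending: set[str] = set()     # IPs the gateway itself asked for
        self.ignored: list[ArpPacket] = []  # packets that did not change the cache

    def send_request(self, target_ip: str) -> ArpPacket:
        """The gateway resolves target_ip itself; the outstanding Request is recorded."""
        self._pending.add(target_ip)
        return ArpPacket(ARP_REQUEST, self.own_ip, self.own_mac, target_ip)

    def receive(self, pkt: ArpPacket) -> bool:
        """Process a received ARP packet; return True if an entry was learned."""
        if self.strict:
            # Strict: only a Reply answering one of our own Requests is trusted.
            learn = pkt.opcode == ARP_REPLY and pkt.sender_ip in self._pending
            if learn:
                self._pending.discard(pkt.sender_ip)
        else:
            # Non-strict (assumed for contrast): any Reply, or any Request
            # addressed to the gateway, creates or updates the sender's entry.
            learn = pkt.opcode == ARP_REPLY or pkt.target_ip == self.own_ip
        if learn:
            self.entries[pkt.sender_ip] = pkt.sender_mac
        else:
            self.ignored.append(pkt)
        return learn


def run_scenario(strict: bool) -> dict[str, str]:
    """Replay one constructed packet sequence and return the final ARP cache."""
    gw = GatewayArpCache("10.0.0.254", "0000-0000-00fe", strict)
    gw.send_request("10.0.0.5")
    # 1. the legitimate host answers the gateway's own Request
    gw.receive(ArpPacket(ARP_REPLY, "10.0.0.5", "0000-0000-0005", "10.0.0.254"))
    # 2. unsolicited bogus Reply claiming 10.0.0.5 lives at another MAC
    gw.receive(ArpPacket(ARP_REPLY, "10.0.0.5", "0000-0000-0bad", "10.0.0.254"))
    # 3. unsolicited Reply for an IP the gateway never asked about
    gw.receive(ArpPacket(ARP_REPLY, "10.0.0.6", "0000-0000-0bad", "10.0.0.254"))
    # 4. Request addressed to the gateway from yet another IP
    gw.receive(ArpPacket(ARP_REQUEST, "10.0.0.7", "0000-0000-0bad", "10.0.0.254"))
    return dict(gw.entries)


if __name__ == "__main__":
    print("normal:", run_scenario(strict=False))
    print("strict:", run_scenario(strict=True))
```

In strict mode only the entry for 10.0.0.5 learned from the answered Request survives; the three unsolicited packets are ignored, which is the behaviour the precaution about slower entry updates refers to.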

Precautions

After strict ARP learning is enabled, all interfaces on the device update or add ARP entries strictly. When network devices change rapidly, global strict ARP learning lowers the speed of updating ARP entries. This impacts the network efficiency. To improve the network efficiency, you can run the arp learning strict force-enable command on a specified interface to enable strict ARP learning as required.

The configuration on an interface takes precedence over the global configuration.

Example

# Enable strict ARP learning.

<HUAWEI> system-view
[~HUAWEI] arp learning strict

arp anti-attack rate-limit destination-ip

Function

The arp anti-attack rate-limit destination-ip command sets the maximum rate of ARP packets based on the destination IP address.

The undo arp anti-attack rate-limit destination-ip command restores the default setting.

By default, the maximum rate of ARP packets sent to each destination IP address is set to 500 pps, that is, a maximum of 500 ARP packets with the same destination IP address are allowed to pass through per second.

Format

arp anti-attack rate-limit destination-ip maximum maximum

undo arp anti-attack rate-limit destination-ip

Parameters

Parameter Description Value
maximum maximum

Specifies the maximum rate of ARP packets with a specified destination IP address.

The value is an integer that ranges from 0 to 65536, in pps. If the value is 0, the rate of ARP packets is not limited based on the destination IP address.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When processing a large number of ARP packets with the same destination IP address, the CPU is overloaded and cannot process other services. To prevent this problem, limit the rate of ARP packets based on the destination IP address.

The device collects statistics on ARP packets with a specified destination IP address. If the number of received ARP packets with the specified destination IP address per second exceeds the threshold, the device discards the excess ARP packets.

Example

# Configure the device to allow a maximum of 300 ARP packets with the same destination IP address to pass through per second.

<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit destination-ip maximum 300

arp anti-attack rate-limit source-mac

Function

The arp anti-attack rate-limit source-mac command sets the maximum rate of ARP packets based on source MAC addresses.

The undo arp anti-attack rate-limit source-mac command restores the default setting.

By default, the maximum rate of ARP packets from each source MAC address is set to 0, that is, the rate of ARP packets is not limited based on source MAC addresses.

Format

arp anti-attack rate-limit source-mac [ mac-address ] maximum maximum

undo arp anti-attack rate-limit source-mac [ mac-address ]

Parameters

Parameter Description Value
mac-address

Specifies the source MAC address. If this parameter is specified, the rate of ARP packets from the MAC address is limited.

If this parameter is not specified, the rate of ARP packets from each MAC address is limited.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

maximum maximum

Specifies the maximum rate of ARP packets from a specified MAC address.

The value is an integer that ranges from 0 to 65536, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When processing a large number of ARP packets with fixed source MAC addresses but variable source IP addresses, the CPU is overloaded and ARP entries are exhausted. To prevent this problem, limit the rate of ARP packets based on source MAC addresses.

After the arp anti-attack rate-limit source-mac command is run, the device collects statistics on ARP packets from a specified source MAC address. If the number of ARP packets from that source MAC address per second exceeds the threshold, the device discards the excess ARP packets.

Precautions

Limiting the rate of all ARP packets is not recommended. You are advised to find out the attack source according to packet statistics, and then limit the rate of ARP packets from the specified source MAC address.

Example

# Set the maximum rate of ARP packets from any source MAC address to 100 pps.

<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit source-mac maximum 100

# Set the maximum rate of ARP packets from a specified MAC address 0-0-1 to 50 pps.

<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit source-mac 0-0-1 maximum 50

arp anti-attack rate-limit source-ip

Function

The arp anti-attack rate-limit source-ip command sets the maximum rate of ARP packets based on the source IP address.

The undo arp anti-attack rate-limit source-ip command restores the default setting.

By default, the device allows a maximum of 30 ARP packets from the same source IP address to pass through per second.

Format

arp anti-attack rate-limit source-ip [ ip-address ] maximum maximum

undo arp anti-attack rate-limit source-ip [ ip-address ]

Parameters

Parameter Description Value
ip-address

Specifies the source IP address. If this parameter is specified, the rate of ARP packets from the IP address is limited.

If this parameter is not specified, the rate of ARP packets from each IP address is limited.

The value is in dotted decimal notation.
maximum maximum

Specifies the maximum rate of ARP packets from a specified source IP address.

NOTE:

If the rate of all ARP packets is limited, a large value is recommended, because valid packets may be discarded if the value is small. However, a too large value degrades system performance. If an IP address initiates attacks, you can set the maximum rate of ARP packets from this IP address to a small value.

The value is an integer that ranges from 0 to 65536, in pps. If the value is 0, the rate of ARP packets is not limited based on the source IP address.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When processing a large number of ARP packets with fixed IP addresses (for example, the ARP packets with the same source IP addresses but frequently changing MAC addresses or outbound interfaces), the CPU is overloaded and cannot process other services. To prevent this problem, limit the rate of ARP packets based on the source IP address.

After the arp anti-attack rate-limit source-ip command is run, the device collects statistics on ARP packets based on the source IP address. If the number of ARP packets from a specified source IP address per second exceeds the threshold, the device discards the excess ARP packets.

Precautions

Limiting the rate of all ARP packets is not recommended. You are advised to find out the attack source according to packet statistics, and then limit the rate of ARP packets from the specified source IP address.
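The three per-key rate limits described in this and the two preceding commands (destination-ip, source-mac and source-ip), modelled in Python as an added example that is not CloudEngine code. It uses a simple per-second counter per key and counts only packets that pass (a modelling choice); the defaults and the meaning of 0 follow the page, and the traffic and addresses are constructed.

```python
"""Per-key ARP packet rate limiting as described for the arp anti-attack
rate-limit destination-ip / source-mac / source-ip commands. Added model, not
CloudEngine code: one counter per (dimension, key, second); all traffic below
is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPkt:
    ts: float      # arrival time in seconds
    src_ip: str
    src_mac: str
    dst_ip: str


@dataclass
class RateLimitPolicy:
    """Limits in pps; 0 means the dimension is not limited."""
    dest_ip_max: int = 500   # arp anti-attack rate-limit destination-ip (default 500)
    source_ip_max: int = 30  # arp anti-attack rate-limit source-ip (default 30)
    source_mac_max: int = 0  # arp anti-attack rate-limit source-mac (default 0 = off)
    source_ip_overrides: dict[str, int] = field(default_factory=dict)   # ip -> pps
    source_mac_overrides: dict[str, int] = field(default_factory=dict)  # mac -> pps


class ArpRateLimiter:
    def __init__(self, policy: RateLimitPolicy) -> None:
        self.policy = policy
        self._counts: dict[tuple, int] = defaultdict(int)   # (dimension, key, second)
        self.dropped: list[tuple[str, str, int, str]] = []  # src, dst, second, dimension

    def _limit(self, dimension: str, key: str) -> int:
        """Specific address limit if configured, else the per-dimension default."""
        p = self.policy
        if dimension == "destination-ip":
            return p.dest_ip_max
        if dimension == "source-ip":
            return p.source_ip_overrides.get(key, p.source_ip_max)
        return p.source_mac_overrides.get(key, p.source_mac_max)

    def accept(self, pkt: ArpPkt) -> bool:
        """True if the packet passes every enabled limit; otherwise record the drop."""
        second = int(pkt.ts)
        keys = (("destination-ip", pkt.dst_ip),
                ("source-ip", pkt.src_ip),
                ("source-mac", pkt.src_mac))
        for dimension, key in keys:
            limit = self._limit(dimension, key)
            if limit and self._counts[(dimension, key, second)] >= limit:
                self.dropped.append((pkt.src_ip, pkt.dst_ip, second, dimension))
                return False
        for dimension, key in keys:          # count only packets that passed
            self._counts[(dimension, key, second)] += 1
        return True


def simulate() -> dict:
    """Default source-ip limit (30 pps), the page's override of 50 pps for
    10.0.0.1, and a 10 pps source-mac limit for one constructed MAC."""
    policy = RateLimitPolicy(source_ip_overrides={"10.0.0.1": 50},
                             source_mac_overrides={"0000-0000-0bad": 10})
    limiter = ArpRateLimiter(policy)
    gw = "10.0.0.254"
    stream = [ArpPkt(i / 100, "10.0.0.1", "0000-0000-0001", gw) for i in range(60)]
    stream += [ArpPkt(i / 100, "10.0.0.2", "0000-0000-0002", gw) for i in range(40)]
    stream += [ArpPkt(i / 100, "10.0.0.3", "0000-0000-0bad", gw) for i in range(20)]
    stream += [ArpPkt(1.0 + i / 100, "10.0.0.2", "0000-0000-0002", gw) for i in range(10)]
    stream.sort(key=lambda p: p.ts)
    passed = sum(limiter.accept(p) for p in stream)
    by_dimension = Counter(d for _, _, _, d in limiter.dropped)
    return {"passed": passed, "dropped": len(limiter.dropped),
            "by_dimension": dict(by_dimension)}


if __name__ == "__main__":
    print(simulate())
```

Of the 130 constructed packets, 100 pass: 50 from 10.0.0.1, 30 from 10.0.0.2 in the first second plus 10 in the next, and 10 from the MAC limited to 10 pps; the destination-ip default of 500 is never reached.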

Example

# Set the maximum rate of ARP packets from a source IP address to 100 pps.

<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit source-ip maximum 100

# Set the maximum rate of ARP packets from a specified IP address 10.0.0.1 to 50 pps.

<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit source-ip 10.0.0.1 maximum 50

arp validate (interface view)

Function

The arp validate command enables MAC address consistency check in an ARP packet on an interface. This function compares the source and destination MAC addresses in ARP packets with those in the Ethernet frame header.

The undo arp validate command disables MAC address consistency check in an ARP packet on an interface.

By default, MAC address consistency check in an ARP packet is disabled.

Format

arp validate { source-mac | destination-mac } *

undo arp validate { source-mac | destination-mac } *

Parameters

Parameter Description Value
source-mac Indicates that the device compares the source MAC address in a received ARP packet with that in the Ethernet frame header. -
destination-mac Indicates that the device compares the destination MAC address in a received ARP packet with that in the Ethernet frame header. -

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, VBDIF interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

The MAC address consistency check function for ARP packets prevents attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header. This function is usually configured on gateways.

After the arp validate command is run, the gateway checks the MAC address consistency in an ARP packet before ARP learning. If the source and destination MAC addresses in an ARP packet are different from those in the Ethernet frame header, the device discards the packet as an attack. If the source and destination MAC addresses in an ARP packet are the same as those in the Ethernet frame header, the device performs ARP learning.

When using this command, note the following points:
  • If source-mac is specified:
    • When receiving an ARP Request packet, the device checks only the source MAC address consistency.
    • When receiving an ARP Reply packet, the device checks only the source MAC address consistency.
  • If destination-mac is specified:
    • When receiving an ARP Request packet, the device does not check the destination MAC address consistency because the ARP Request packet is broadcast.

    • When receiving an ARP Reply packet, the device checks the destination MAC address consistency.
  • If source-mac and destination-mac are specified:
    • When receiving an ARP Request packet, the device checks only the source MAC address consistency.
    • When receiving an ARP Reply packet, the device checks the source and destination MAC address consistency.

Example

# Enable MAC address consistency check in an ARP packet on Layer 2 interface 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] arp validate source-mac destination-mac
# Enable MAC address consistency check in an ARP packet on Layer 3 interface 10GE1/0/1.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1 
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] arp validate source-mac destination-mac

arp validate (system view)

Function

The arp validate command enables MAC address consistency check in an ARP packet globally. This function compares the source MAC addresses in ARP packets with those in the Ethernet frame header.

The undo arp validate command disables MAC address consistency check in an ARP packet globally.

By default, MAC address consistency check in an ARP packet is disabled.

Format

arp validate source-mac

undo arp validate source-mac

Parameters

Parameter Description Value
source-mac Indicates that the device compares the source MAC address in a received ARP packet with that in the Ethernet frame header. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This function defends against attacks from bogus ARP packets in which the source MAC addresses are different from those in the Ethernet frame header.

After the arp validate command is run, the gateway checks the MAC address consistency in an ARP packet before ARP learning. If the source MAC addresses in an ARP packet are different from those in the Ethernet frame header, the device discards the packet as an attack. If the source MAC addresses in an ARP packet are the same as those in the Ethernet frame header, the device performs ARP learning.

Precautions

This command is used in the system view to enable the device to check source MAC address consistency in received ARP packets. Alternatively, you can run the arp validate command in the interface view to enable the interface to check source/destination MAC address consistency in received ARP packets. The two commands can take effect simultaneously. If the arp validate source-mac command is executed in the system view and the arp validate destination-mac command is executed in the interface view at the same time, the specified interface checks the source/destination MAC address consistency in ARP packets, while other interfaces on the device check only the source MAC address consistency in ARP packets.
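The consistency rules from the arp validate (interface view) command above and the combined global/interface behaviour described in this precaution, as an added Python example that is not CloudEngine code. It parses a raw Ethernet + ARP frame; the frames, MAC addresses and IP addresses are constructed.

```python
"""MAC address consistency check for ARP packets (arp validate). Added example,
not CloudEngine code. Rules taken from the page: source-mac is checked on
Requests and Replies; destination-mac only on Replies, because Requests are
broadcast. All frames below are constructed sample data."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_STRUCT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen op sha spa tha tpa (28 bytes)


def mac(text: str) -> bytes:
    """'0019-7459-3303' (the H-H-H notation on the page) -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_frame(eth_dst: str, eth_src: str, op: int,
                sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II header followed by an IPv4-over-Ethernet ARP payload."""
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    arp = struct.pack(ARP_STRUCT, 1, 0x0800, 6, 4, op,
                      mac(sha), ipaddress.IPv4Address(spa).packed,
                      mac(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_frame(frame: bytes) -> dict:
    """Pull the Ethernet MACs and the ARP opcode/sender/target MACs out of a frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, _, tha, _ = struct.unpack(ARP_STRUCT, frame[14:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op, "sha": sha, "tha": tha}


def arp_validate(frame: bytes, checks: set) -> tuple:
    """Return (accepted, reason); checks is a subset of {source-mac, destination-mac}."""
    f = parse_frame(frame)
    if "source-mac" in checks and f["sha"] != f["eth_src"]:
        return False, "source MAC in ARP body differs from Ethernet source"
    # Requests are broadcast, so destination-mac is only checked on Replies.
    if "destination-mac" in checks and f["op"] == ARP_REPLY and f["tha"] != f["eth_dst"]:
        return False, "destination MAC in ARP body differs from Ethernet destination"
    return True, "ok"


def effective_checks(global_checks: set, interface_checks: set) -> set:
    """System-view and interface-view settings take effect together on that interface."""
    return set(global_checks) | set(interface_checks)


def sample_frames() -> dict:
    """Constructed frames: one consistent Reply, two inconsistent ones, one Request."""
    gw, host, other = "0000-0000-00fe", "0000-0000-0005", "0000-0000-0bad"
    return {
        # consistent Reply from the host to the gateway
        "good_reply": build_frame(gw, host, ARP_REPLY, host, "10.0.0.5", gw, "10.0.0.254"),
        # ARP sender MAC does not match the Ethernet source MAC
        "bad_source": build_frame(gw, host, ARP_REPLY, other, "10.0.0.5", gw, "10.0.0.254"),
        # ARP target MAC does not match the Ethernet destination MAC
        "bad_dest": build_frame(gw, host, ARP_REPLY, host, "10.0.0.5", other, "10.0.0.254"),
        # broadcast Request: Ethernet destination ff-ff-ff, ARP target MAC all zeros
        "bcast_request": build_frame("ffff-ffff-ffff", host, ARP_REQUEST,
                                     host, "10.0.0.5", "0000-0000-0000", "10.0.0.254"),
    }


if __name__ == "__main__":
    both = effective_checks({"source-mac"}, {"destination-mac"})
    for name, frame in sample_frames().items():
        print(name, arp_validate(frame, both))
```

With source-mac configured globally and destination-mac on the interface, the interface checks both fields on Replies, while a broadcast Request is judged on its source MAC only.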

Example

# Enable MAC address consistency check in an ARP packet globally.

<HUAWEI> system-view
[~HUAWEI] arp validate source-mac

arp fake timeout

Function

The arp fake timeout command sets the aging time of temporary ARP entries.

The undo arp fake timeout command restores the default aging time of temporary ARP entries.

By default, the aging time of temporary ARP entries is 5 seconds.

Format

arp fake timeout expire-time

undo arp fake timeout

Parameters

Parameter Description Value
expire-time Specifies the aging time of temporary ARP entries. The value is an integer that ranges from 1 to 36000, in seconds.

Views

port group view, Interface view

Default Level

2: Configuration level

Usage Guidelines

When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network.
  • In the aging time of temporary ARP entries:
    • Before receiving an ARP reply packet, the device discards the IP packets matching the temporary ARP entry and does not generate ARP Miss messages.
    • After receiving an ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • When temporary ARP entries age out, the device clears them. If no ARP entry matches the IP packets forwarded by the device, ARP Miss messages and temporary ARP entries are repeatedly generated.

When a device undergoes an ARP Miss attack, you can run the arp fake timeout command to extend the aging time of temporary ARP entries to reduce the frequency of triggering ARP Miss messages and minimize the impact on the device.

Example

# Set the aging time of temporary ARP entries to 10 seconds on VLANIF10.
<HUAWEI> system-view
[~HUAWEI] vlan 10
[*HUAWEI-vlan10] quit
[*HUAWEI] interface vlanif 10
[*HUAWEI-Vlanif10] arp fake timeout 10
# Set the aging time of temporary ARP entries to 10 seconds on 10GE1/0/1.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] arp fake timeout 10

arp limit

Function

The arp limit command sets the maximum number of ARP entries that an interface can dynamically learn.

The undo arp limit command deletes the maximum number of ARP entries that an interface can dynamically learn.

By default, the maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.

Format

Layer 3 Ethernet interface, VBDIF interface and VLANIF interface:

arp limit maximum

undo arp limit

Layer 2 Ethernet interface:

arp limit [ vlan vlan-id1 [ to vlan-id2 ] ] maximum

undo arp limit [ vlan vlan-id1 [ to vlan-id2 ] ]

Port group:

arp limit [ vlan vlan-id1 [ to vlan-id2 ] ] maximum

undo arp limit [ vlan vlan-id1 [ to vlan-id2 ] ]

Parameters

Parameter Description Value

vlan vlan-id1 [ to vlan-id2 ]

Specifies the ID of a VLAN from which the maximum number of ARP entries an interface can dynamically learn is limited.

  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1. vlan-id1 and vlan-id2 specify a range of VLANs. If to vlan-id2 is not specified, the device limits the maximum number of ARP entries an interface dynamically learns from the VLAN vlan-id1. If to vlan-id2 is specified, the device limits the maximum number of ARP entries an interface dynamically learns from each VLAN from vlan-id1 to vlan-id2.
The values of vlan-id1 and vlan-id2 are integers that range from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.
maximum Specifies the maximum number of ARP entries that an interface can dynamically learn. The value is an integer that ranges from 1 to 1048576.

Views

port group view, Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent ARP entries from being exhausted by ARP attacks from a host connecting to an interface on the device, set the maximum number of ARP entries that the interface can dynamically learn. When the number of the ARP entries learned by a specified interface reaches the maximum number, no dynamic ARP entry can be added.

Precautions

If the number of ARP entries learned by an interface exceeds the maximum number, the device neither learns new ARP entries nor clears the learned ARP entries. Instead, the device asks users to delete the excess ARP entries.

GE, 10GE, 40GE, and Eth-Trunk interfaces can work at Layer 3 or Layer 2. When they work at Layer 3, you cannot specify a VLAN ID. When they work at Layer 2, you must specify a VLAN ID.

If the arp limit vlan vlan-id1 [ to vlan-id2 ] maximum command is run more than once, the following situations are available:
  • If maximum is the same in multiple command instances, all configurations take effect. For example, if the arp limit vlan 10 to 30 200 command and then the arp limit vlan 35 to 40 200 command are run, both configurations take effect. If the VLAN ranges specified in multiple command instances are overlapping, the system automatically merges the VLAN ranges. For example, if the arp limit vlan 50 to 80 200 command and then the arp limit vlan 70 to 100 200 command are run, both configurations take effect, and the system merges the configurations into arp limit vlan 50 to 100 200.
  • If maximum is different in multiple command instances, the latest configuration overrides the previous one for the same VLAN range. For example, if the arp limit vlan 10 to 30 200 command and then the arp limit vlan 15 to 25 300 command are run, the system automatically divides the configurations into arp limit vlan 10 to 14 200, arp limit vlan 15 to 25 300, and arp limit vlan 26 to 30 200.
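The merge and override rules above, implemented in Python as an added example that is not CloudEngine code. It assumes that, after an override, contiguous ranges with the same maximum are shown as one range, which is consistent with the page's overlap example.

```python
"""How repeated 'arp limit vlan ...' commands combine on a Layer 2 interface,
following the merge and override rules on the page. Added model, not
CloudEngine code. Assumption: contiguous (not only overlapping) ranges with
the same maximum are reported as one range."""
from typing import List, Optional, Tuple

VLAN_MIN, VLAN_MAX = 1, 4094
Entry = Tuple[int, int, int]   # (first VLAN, last VLAN, maximum ARP entries)


def apply_arp_limit(config: List[Entry], vlan_id1: int,
                    vlan_id2: Optional[int], maximum: int) -> List[Entry]:
    """Return the configuration after 'arp limit vlan vlan-id1 [to vlan-id2] maximum'."""
    lo, hi = vlan_id1, vlan_id1 if vlan_id2 is None else vlan_id2
    if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
        raise ValueError("VLAN range out of order or outside 1..4094")
    if not (1 <= maximum <= 1048576):
        raise ValueError("maximum must be in 1..1048576")
    pieces: List[Entry] = []
    for a, b, m in config:
        if b < lo or a > hi:          # no overlap: keep the old entry as is
            pieces.append((a, b, m))
            continue
        # overlap: the new command overrides this slice, keep the leftovers
        if a < lo:
            pieces.append((a, lo - 1, m))
        if b > hi:
            pieces.append((hi + 1, b, m))
    pieces.append((lo, hi, maximum))
    pieces.sort()
    merged: List[Entry] = []
    for a, b, m in pieces:
        # same maximum and touching/overlapping ranges collapse into one
        if merged and merged[-1][2] == m and merged[-1][1] + 1 >= a:
            pa, pb, _ = merged.pop()
            merged.append((pa, max(pb, b), m))
        else:
            merged.append((a, b, m))
    return merged


def render(config: List[Entry]) -> List[str]:
    """Render entries as the command lines the page shows."""
    lines = []
    for a, b, m in config:
        rng = f"{a}" if a == b else f"{a} to {b}"
        lines.append(f"arp limit vlan {rng} {m}")
    return lines


def page_examples() -> dict:
    """The three cases described on the page."""
    same_max = apply_arp_limit(apply_arp_limit([], 10, 30, 200), 35, 40, 200)
    overlapping = apply_arp_limit(apply_arp_limit([], 50, 80, 200), 70, 100, 200)
    override = apply_arp_limit(apply_arp_limit([], 10, 30, 200), 15, 25, 300)
    return {"same_max": render(same_max),
            "overlapping": render(overlapping),
            "override": render(override)}


if __name__ == "__main__":
    for name, lines in page_examples().items():
        print(name, lines)
```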

Example

# Configure that VLANIF 10 can dynamically learn a maximum of 20 ARP entries.
<HUAWEI> system-view
[~HUAWEI] vlan 10
[*HUAWEI-vlan10] quit
[*HUAWEI] interface vlanif 10
[*HUAWEI-Vlanif10] arp limit 20
# Configure that 10GE1/0/1 can dynamically learn a maximum of 20 ARP entries.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] arp limit 20
# Configure that 10GE1/0/1 can dynamically learn a maximum of 20 ARP entries corresponding to VLAN 10.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] arp limit vlan 10 20

arp limit alarm-threshold

Function

The arp limit alarm-threshold command sets an alarm threshold for the maximum number of dynamic ARP entries that an interface can learn.

The undo arp limit alarm-threshold command deletes an alarm threshold.

If the arp limit command is not run in the interface view, the maximum number of dynamic ARP entries that an interface can learn is not limited by default. If the arp limit command is run in the interface view, the alarm threshold is set to 80% by default.

NOTE:
The arp limit alarm-threshold command can be executed only on the CE6850HI, CE6850U-HI, CE6851HI, CE6855HI, CE6856HI, CE6860EI, CE6870EI, CE6880EI, CE7850EI, CE7855EI, CE8850EI, and CE8860EI.

Format

arp limit alarm-threshold threshold-value

undo arp limit alarm-threshold [ threshold-value ]

Parameters

Parameter Description Value
threshold-value Specifies an alarm threshold for the maximum number of dynamic ARP entries that an interface can learn. If the ratio of the number of dynamic ARP entries that an interface has learned to the maximum number of dynamic ARP entries that an interface can learn (configured using the arp limit command) reaches the specified threshold, an alarm is generated. The value is an integer ranging from 60 to 100, in percentage.

Views

VBDIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a device receives a large number of ARP packets from unauthorized users, the device learns a large number of ARP entries in a short period of time, causing a buffer overflow and interrupting services of authorized users. To resolve the problem, run the arp limit command to limit the maximum number of dynamic ARP entries that an interface can learn. This helps prevent a buffer overflow and ensures that the device runs properly. To set an alarm threshold, run the arp limit alarm-threshold command, so that an alarm is generated to prompt you to delete unwanted dynamic ARP entries when the number of ARP entries learned on an interface reaches the specified threshold.

Precautions

For the arp limit alarm-threshold command to take effect, the arp limit command also needs to be run.

  • If the arp limit command is not run, the arp limit alarm-threshold command does not take effect.
  • If the arp limit command is run but the arp limit alarm-threshold command is not run, the default setting (80%) of the arp limit alarm-threshold command is used.

Example

# Set the alarm threshold for the maximum number of dynamic ARP entries that a VBDIF interface can learn to 90%.

<HUAWEI> system-view
[~HUAWEI] bridge-domain 60
[*HUAWEI-bd60] quit
[*HUAWEI] interface vbdif 60
[*HUAWEI-Vbdif60] arp limit 300
[*HUAWEI-Vbdif60] arp limit alarm-threshold 90

arp miss anti-attack rate-limit

Function

The arp miss anti-attack rate-limit command sets the maximum rate of ARP Miss messages globally, in a VLAN, or on an interface.

The undo arp miss anti-attack rate-limit command restores the default maximum rate of ARP Miss messages globally, in a VLAN, or on an interface.

By default, the global rate limit on ARP Miss messages is 3000 packets per second. In a VLAN or on an interface, the default rate limit is 0 packets per second, which means that rate limiting of ARP Miss messages is disabled in that VLAN or on that interface.

Format

arp miss anti-attack rate-limit limit

undo arp miss anti-attack rate-limit

Parameters

Parameter Description Value

limit

Specifies the maximum rate of ARP Miss messages, that is, the number of ARP Miss messages the device processes per second.

The value is an integer that ranges from 0 to 65536.

Views

System view, VLAN view, VLAN-Range view, Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limiting of ARP Miss messages is enabled, you can set the maximum rate of ARP Miss messages. If the number of ARP Miss messages triggered by IP packets per second exceeds the limit, the device does not process the excess ARP Miss messages and discards the IP packets that triggered them.

Precautions

If the rate limit on ARP Miss messages is configured in the system view, VLAN view, and interface view, the configuration in the interface view takes precedence, followed by the configuration in the VLAN view, and then the configuration in the system view.

Example

# Configure the device to process a maximum of 200 ARP Miss messages per second globally.
<HUAWEI> system-view
[~HUAWEI] arp miss anti-attack rate-limit 200 
# Configure the device to process a maximum of 200 ARP Miss messages triggered by IP packets from Layer 3 interface 10GE1/0/1 per second.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] arp miss anti-attack rate-limit 200

arp miss anti-attack rate-limit source-ip

Function

The arp miss anti-attack rate-limit source-ip command sets the maximum number of ARP Miss messages based on source IP addresses.

The undo arp miss anti-attack rate-limit source-ip command restores the default setting.

By default, the device processes a maximum of 30 ARP Miss messages triggered by IP packets from the same source IP address per second.

Format

arp miss anti-attack rate-limit source-ip ip-address [ mask { mask-length | mask } ] maximum maximum

undo arp miss anti-attack rate-limit source-ip ip-address [ mask { mask-length | mask } ]

arp miss anti-attack rate-limit source-ip maximum maximum

undo arp miss anti-attack rate-limit source-ip

Parameters

Parameter Description Value
ip-address

Specifies the source IP address. If this parameter is specified, the maximum number of ARP Miss messages triggered by packets from this IP address is limited.

If this parameter is not specified, the maximum number of ARP Miss messages triggered by packets from each IP address is limited.

The value is in dotted decimal notation.
mask Indicates that the maximum number of ARP Miss messages triggered by packets from a network segment with the source IP address and mask specified is limited. -
mask-length Specifies the mask length of the source IP address. The value is an integer that ranges from 1 to 32.
mask Specifies the mask of the source IP address. The value is in dotted decimal notation.
maximum maximum

Specifies the maximum number of ARP Miss messages based on the source IP address.

NOTE:

If the maximum number of ARP Miss messages triggered by packets from each IP address is limited, a large value is recommended for this parameter because a small value may cause discarding of valid packets. However, a too large value will deteriorate the system performance.

If an IP address initiates attacks, you can set the maximum number of ARP Miss messages triggered by packets from this IP address to a small value.

The value is an integer that ranges from 0 to 65536.

If the value is 0, the maximum number of ARP Miss messages is not limited based on the source IP address.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the device considers that an attack is initiated from the source IP address. The administrator can use the arp miss anti-attack rate-limit source-ip command to set the maximum number of ARP Miss messages that the device can process within a specified duration, protecting the system resources and ensuring proper running of other services.

Example

# Set the maximum number of ARP Miss messages triggered by each source IP address per second to 60.

<HUAWEI> system-view
[~HUAWEI] arp miss anti-attack rate-limit source-ip maximum 60

# Set the maximum number of ARP Miss messages triggered by the IP address 10.0.0.1 per second to 100, and set the maximum number of ARP Miss messages triggered by other source IP addresses per second to 60.

<HUAWEI> system-view
[~HUAWEI] arp miss anti-attack rate-limit source-ip maximum 60
[*HUAWEI] arp miss anti-attack rate-limit source-ip 10.0.0.1 maximum 100

display arp anti-attack

Function

The display arp anti-attack command displays the ARP anti-attack configuration.

Format

display arp anti-attack { rate-limit | entry-check }

Parameters

Parameter Description Value
rate-limit Displays the configuration of rate limit on ARP packets. -
entry-check Displays the ARP entry fixing mode. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After all ARP anti-attack functions are configured, you can run this command to check all configurations.

Example

# Display the rate limit of ARP packets.

<HUAWEI> display arp anti-attack rate-limit
Global ARP packet rate limit (pps)        : --                                  
Suppress Rate of each destination IP (pps): 2                                   
                                                                                
Total number of rate-limit configuration for VLAN : 1                           
VLAN               Suppress Rate(pps)                                           
------------------------------------------------------------------------------- 
100                              200                                            
------------------------------------------------------------------------------- 
Total number of rate-limit configuration for source IP Address : 1              
Source IP          Suppress Rate(pps)                                           
------------------------------------------------------------------------------- 
10.9.9.2                          10                                            
------------------------------------------------------------------------------- 
Total number of rate-limit configuration for MAC Address : 1                    
Source MAC         Suppress Rate(pps)                                           
------------------------------------------------------------------------------- 
0000-0000-0001                    10                                            
------------------------------------------------------------------------------- 
Table 16-72  Description of the display arp anti-attack rate-limit command output

Item

Description

Global ARP packet rate limit (pps)

Globally set rate limit of ARP packets.

You can run the arp anti-attack rate-limit command to configure rate limit on ARP packets globally.

VLAN

VLAN ID based on which the rate limit of ARP packets is set.

You can run the arp anti-attack rate-limit command to configure rate limit on ARP packets in a VLAN.

Suppress Rate of each destination IP (pps)

Rate limit on ARP packets based on the destination IP address.

You can run the arp anti-attack rate-limit destination-ip command to set the maximum rate of ARP packets with a specified destination IP address.

Source IP

Source IP address based on which the rate limit of ARP packets is set.

You can run the arp anti-attack rate-limit source-ip command to configure rate limit on ARP packets based on the source IP address.

Source MAC

Source MAC address based on which the rate limit of ARP packets is set.

You can run the arp anti-attack rate-limit source-mac command to configure rate limit on ARP packets based on the source MAC address.

Suppress Rate(pps)

Rate limit on ARP packets.

# Display the ARP entry fixing mode.
<HUAWEI> display arp anti-attack entry-check
Interface           Mode  
-------------------------------------------------------------------------------  
10GE4/0/2           fix-mac                 
Other               fix-mac                
-------------------------------------------------------------------------------  
Table 16-73  Description of the display arp anti-attack entry-check command output

Item

Description

Interface

The interface on which fixed ARP is configured.

Mode

Specifies the fixed ARP mode.
  • fix-all: specifies the fixed-all mode of fixed ARP.
  • fix-mac: specifies the fixed-mac mode of fixed ARP.
  • send-ack: specifies the send-ack mode of fixed ARP.
  • no-fix: ARP entry fixing is disabled.

You can run the arp anti-attack entry-check enable command to set the ARP entry fixing mode.

display arp anti-attack record

Function

The display arp anti-attack record command displays detailed information about ARP packets discarded when the rate of ARP packets exceeds the limit.

Format

display arp anti-attack record

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After rate limit on ARP packets is enabled, the device collects statistics on received ARP packets in a specified period. If the number of ARP packets exceeds the limit, the device discards the excess ARP packets. To help locate faults, the device records detailed information about discarded ARP packets.

You can run this command to view detailed information about ARP packets discarded when the rate of ARP packets exceeds the limit.

Example

# Display detailed information about ARP packets discarded when the rate of ARP packets exceeds the limit.

<HUAWEI> display arp anti-attack record
Source IP       Destination IP  Interface                 Attack Time           
---------------------------------------------------------------------------     
10.1.115.234    10.1.1.1        298                       09-10 15:53:34  
10.1.115.235    10.1.1.1        298                       09-10 15:53:34  
10.1.115.236    10.1.1.1        298                       09-10 15:53:34  
10.1.115.237    10.1.1.1        298                       09-10 15:53:34  
10.1.115.238    10.1.1.1        298                       09-10 15:53:34  
10.1.115.239    10.1.1.1        298                       09-10 15:53:34  
---------------------------------------------------------------------------     
There are 6 records in ARP table          
Table 16-74  Description of the display arp anti-attack record command output

Item

Description

Source IP

Source IP address of discarded ARP packets.

Destination IP

Destination IP address of discarded ARP packets.

Interface

Interface where ARP packets are discarded.

Attack Time

Time when the ARP attack occurs.

NOTE:
ARP attack time is the time when the number of ARP packets received in a specified period exceeds the limit.

display arp anti-attack gateway-duplicate item

Function

The display arp anti-attack gateway-duplicate item command displays ARP gateway anti-collision entries.

Format

display arp anti-attack gateway-duplicate item

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After ARP gateway anti-collision is enabled, you can run this command to view ARP anti-collision entries.

Example

# Display ARP gateway anti-collision entries.

<HUAWEI> display arp anti-attack gateway-duplicate item
 Interface                      IP address      MAC address      Bridge type    Bridge id   Aging time                                                           
-----------------------------------------------------------------------------------------------------                                                           
 10GE1/0/1                      1.1.1.1         0019-7459-3303   VLAN           1           180                                                                  
-----------------------------------------------------------------------------------------------------                                                           
The number of record(s) in gateway conflict table is  1        
Table 16-75  Description of the display arp anti-attack gateway-duplicate item command output

Item

Description

Interface

Inbound interface of ARP packets.

IP address

IP address of the gateway.

MAC address

Source MAC address of ARP packets.

Bridge type

Broadcast domain type:
  • VLAN
  • BD

Bridge id

Broadcast domain ID corresponding to ARP packets.

Aging time

Aging time of entries.

display arp anti-attack gateway-duplicate information

Function

The display arp anti-attack gateway-duplicate information command displays ARP gateway anti-collision entries.

NOTE:
Only the CE6850HI, CE6850U-HI, CE6851HI, CE6855HI, CE6856HI, CE6860EI, CE6870EI, CE7850EI, CE7855EI, CE8850EI, and CE8860EI support this command.

Format

display arp anti-attack gateway-duplicate information

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After ARP gateway anti-collision is enabled and the check-all parameter is specified, you can run this command to view the ARP gateway anti-collision entries.

Example

# Display ARP gateway anti-collision entries.

<HUAWEI> display arp anti-attack gateway-duplicate information
Attack info on slot 1 :                                                                                                             
-------------------------------------------------------------------------------                                                     
Interface              IP Address        Attack Number        Expire Time(M)                                                        
-------------------------------------------------------------------------------                                                     
10GE1/0/5              10.1.1.1                  42762                 30                                                           
-------------------------------------------------------------------------------                                                     
Statistics(packets) on slot 1 :                                                                                                     
-------------------------------------------------------------------------------                                                     
PacketType               Total Passed        Total Dropped  Last Dropping Time                                                      
                    Last 5 Min Passed   Last 5 Min Dropped                                                                          
-------------------------------------------------------------------------------                                                     
ARP                          22977642          58447767448  2016-12-02 01:42:15                                                     
                               292370            796359099                                                                          
-------------------------------------------------------------------------------
Table 16-76  Description of the display arp anti-attack gateway-duplicate information command output

Item

Description

Attack info on slot 1

Information about attacks on the switch.

Interface

Layer 3 interface receiving the forged packets.

IP Address

IP address of the Layer 3 interface receiving the forged packets.

Attack Number

Number of received forged packets.

Expire Time(M)

Aging time of ARP entries.

Statistics(packets) on slot 1

Statistics on the packets sent to queues.

PacketType

Packet type.

Total Passed

Total number of passing packets.

Last 5 Min Passed

Number of packets passing in the last five minutes.

Total Dropped

Total number of dropped packets.

Last 5 Min Dropped

Number of packets dropped in the last five minutes.

Last Dropping Time

Last packet drop time.

display arp learning strict

Function

The display arp learning strict command displays the strict ARP learning configuration globally and on all interfaces.

Format

display arp learning strict

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After strict ARP learning is configured, you can run this command to check the configuration.

Example

# Display strict ARP learning globally and on all interfaces.

<HUAWEI> display arp learning strict
 The global arp learning strict state:enable
 Interface                           LearningStrictState
------------------------------------------------------------
 Vlanif100                           force-disable
 Vlanif200                           force-enable
------------------------------------------------------------
 Total:2     Force-enable:1     Force-disable:1
Table 16-77  Description of the display arp learning strict command output

Item

Description

The global arp learning strict state

Global strict ARP learning.

  • The value enable indicates that strict ARP learning is enabled.
  • The value disable indicates that strict ARP learning is disabled.

You can run the arp learning strict (system view) command to enable strict ARP learning.

Interface

Interface name.

LearningStrictState

Strict ARP learning.
  • The value force-enable indicates that strict ARP learning is enabled.
  • The value force-disable indicates that strict ARP learning is disabled.

You can run the arp learning strict (interface view) command to enable strict ARP learning.

Total

Total number of interfaces to which strict ARP learning is applied.

Force-enable

Number of the interfaces on which strict ARP learning is enabled.

Force-disable

Number of the interfaces on which strict ARP learning is disabled.

display arp packet statistics

Function

The display arp packet statistics command displays the statistics on ARP packets.

Format

display arp packet statistics [ interface [ interface-type interface-number ] ]

Parameters

Parameter Description Value
interface Displays the statistics about ARP packets sent and received by Layer 3 interfaces.

If the interface parameter is not specified, the statistics on all ARP packets are displayed.

-
interface-type interface-number
Specifies the type and number of an interface.
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

If the interface-type interface-number parameters are not specified, the statistics on ARP packets sent and received by all Layer 3 interfaces are displayed.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To locate and rectify ARP faults, you can run this command to view the statistics on ARP packets.

Example

# Display the statistics on ARP packets.

<HUAWEI> display arp packet statistics
ARP Packets Received
  Total:                       10989
  Learnt Count:                    0
  Discard For Entry Limit:         0
  Discard For Speed Limit:         0
  Discard For Proxy Suppress:      0
  Discard For Other:           10989
  MAC Invalid Count:            0
ARP Packets Sent 
  Total:                           0
  Request:                         0
  Reply:                           0
  Gratuitous ARP:                  0
ARP-Miss Message Received  
  Total:                           0
  Discard For Speed Limit:         0
  Discard For Other:               0
Table 16-78  Description of the display arp packet statistics command output

Item

Description

ARP Packets Received Total

Number of received ARP packets

ARP Packets Received Learnt Count

Number of learned ARP entries

ARP Packets Received Discard For Entry Limit

Number of packets discarded for the ARP limit

ARP Packets Received Discard For Speed Limit

Number of packets discarded for the speed limit

ARP Packets Received Discard For Proxy Suppress

Number of ARP packets discarded for the proxy suppression

ARP Packets Received Discard For Other

Number of packets discarded for other reasons

ARP Packets Received MAC Invalid Count

Number of packets that undergo MAC address inconsistency

ARP Packets Sent Total

Number of sent ARP packets

ARP Packets Sent Request

Number of sent ARP request packets

ARP Packets Sent Reply

Number of sent ARP reply packets

ARP Packets Sent Gratuitous ARP

Number of sent gratuitous ARP packets

ARP-Miss Message Received Total

Number of received ARP Miss messages

ARP-Miss Message Received Discard For Speed Limit

Number of ARP Miss messages discarded for speed limit

ARP-Miss Message Received Discard For Other

Number of ARP Miss messages discarded for other reasons

# Display the interfaces that send and receive ARP packets and the statistics about the ARP packets.
<HUAWEI> display arp packet statistics interface
Interface            R-request   R-reply  R-gratis  S-request   S-reply S-gratis
--------------------------------------------------------------------------------
10GE1/0/1                    5         0         3          0          0       0
Vlanif2                    100         0       100          0          5       5
Eth-Trunk2                 400       200       400         400       200     100
Table 16-79  Description of the display arp packet statistics interface command output

Item

Description

Interface

Interfaces that send and receive ARP packets

R-request

Number of ARP request packets received by an interface

R-reply

Number of ARP reply packets received by an interface

R-gratis

Number of gratuitous ARP packets received by an interface

S-request

Number of ARP request packets sent by an interface

S-reply

Number of ARP reply packets sent by an interface

S-gratis

Number of gratuitous ARP packets sent by an interface

# Display detailed statistics about ARP packets sent and received by a specified interface.
<HUAWEI> display arp packet statistics interface 10ge 1/0/1
ARP Packets Received                                                            
  Request:                              22                                       
  Reply:                                0                                       
  Gratuitous ARP:                       6                                       
ARP Packets Sent                                                                
  Request:                              3                                       
  Reply:                                0                                       
  Gratuitous ARP:                       3                                       
ARP-Miss Message Received                                                       
  Total:                                0                                       
  Discard For Invalid Table:            0                                       
  Discard For Speed Limit:              0                                       
  Discard For Other:                    0
Table 16-80  Description of the display arp packet statistics interface 10ge 1/0/1 command output

Item

Description

ARP Packets Received

Number of ARP packets received
  • Request: number of ARP request packets
  • Reply: number of ARP reply packets
  • Gratuitous ARP: number of gratuitous ARP packets

ARP Packets Sent

Number of ARP packets sent
  • Request: number of ARP request packets
  • Reply: number of ARP reply packets
  • Gratuitous ARP: number of gratuitous ARP packets

ARP-Miss Message Received

Number of ARP Miss messages received
  • Total: total number of ARP Miss messages
  • Discard For Invalid Table: number of ARP Miss messages discarded due to invalid static ARP entries
  • Discard For Speed Limit: number of ARP Miss messages discarded due to rate limiting
  • Discard For Other: number of ARP Miss messages discarded due to other causes
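As an added example (not part of this command reference), the following Python code parses the section-and-counter layout of the display arp packet statistics output shown above and reports where rate-limit discards are concentrated, which is the first thing to check when an ARP flood is suspected. The sample output is constructed, not captured from a device.

```python
import re

# Constructed sample in the shape of "display arp packet statistics" output
# (not captured from a device); counter values are chosen for illustration.
SAMPLE_STATS_OUTPUT = """\
<HUAWEI> display arp packet statistics
ARP Packets Received
  Total:                       10989
  Learnt Count:                 8500
  Discard For Entry Limit:        40
  Discard For Speed Limit:      1200
  Discard For Proxy Suppress:      0
  Discard For Other:            1249
  MAC Invalid Count:               0
ARP Packets Sent
  Total:                         300
  Request:                       200
  Reply:                          90
  Gratuitous ARP:                 10
ARP-Miss Message Received
  Total:                         500
  Discard For Speed Limit:       450
  Discard For Other:               0
"""

# An indented "Name:   value" counter line.
COUNTER_RE = re.compile(r"^\s+(?P<name>[A-Za-z][A-Za-z \-]*?):\s+(?P<value>\d+)\s*$")


def parse_stats(text):
    """Group indented counters under their unindented section header."""
    stats, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("<"):
            continue                      # blank line or the command prompt
        if not line[0].isspace():
            section = line.strip()        # e.g. "ARP Packets Received"
            stats[section] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            stats[section][m.group("name")] = int(m.group("value"))
    return stats


def discard_summary(section):
    """Sum every 'Discard For ...' counter of one section and relate it to Total."""
    total = section.get("Total", 0)
    discarded = sum(v for k, v in section.items() if k.startswith("Discard For"))
    ratio = discarded / total if total else 0.0
    return {"total": total, "discarded": discarded, "ratio": round(ratio, 4)}


def rate_limit_hit(stats, threshold=0.05):
    """Sections whose speed-limit discards exceed `threshold` of their Total.

    A high share here means the configured ARP or ARP Miss rate limit is
    being exceeded; the record commands then show which sources caused it.
    """
    hits = []
    for name, sec in stats.items():
        total = sec.get("Total", 0)
        if total and sec.get("Discard For Speed Limit", 0) / total > threshold:
            hits.append(name)
    return hits


if __name__ == "__main__":
    parsed = parse_stats(SAMPLE_STATS_OUTPUT)
    for name in parsed:
        print(name, discard_summary(parsed[name]))
    print("rate limit exceeded in:", rate_limit_hit(parsed))
```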

display arp limit

Function

The display arp limit command displays the maximum number of ARP entries that an interface can dynamically learn.

Format

display arp limit [ interface interface-type interface-number ] [ vlan vlan-id ]

Parameters

Parameter Description Value

interface interface-type interface-number

Specifies the type and number of an interface.
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

vlan vlan-id

Specifies a VLAN ID.

The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the maximum number of ARP entries that an interface can dynamically learn is set, you can run this command to check the configuration.

If interface interface-type interface-number and vlan vlan-id are specified, you can view the maximum number of ARP entries that the specified interface can dynamically learn in the specified VLAN. If the two parameters are not specified, the maximum number of ARP entries that each interface can dynamically learn is displayed.

Example

# Display the number of ARP entries that each interface can dynamically learn.

<HUAWEI> display arp limit
 Interface                         VLAN       Limit      Learnt                                                                     
---------------------------------------------------------------------------  
 Vlanif100                            0        1000           0     
 10GE1/0/1                        16384          10           0 
---------------------------------------------------------------------------
 Total:2  
Table 16-81  Description of the display arp limit command output

Item

Description

Interface

Interface name.

VLAN

ID of the VLAN that the interface belongs to.

Limit

Maximum number of ARP entries that an interface can dynamically learn.

Learnt

Number of ARP entries that an interface has learned.
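As an added example (not part of this command reference), the following Python code parses the display arp limit output shown above and flags interfaces whose learned entries are close to the configured limit; an interface pinned at its limit cannot learn further hosts, which is both a symptom of an ARP flood and a source of connectivity complaints. The sample output is constructed, not captured from a device.

```python
import re

# Constructed sample in the shape of "display arp limit" output (not captured
# from a device); Learnt values are chosen to show interfaces near their limit.
SAMPLE_LIMIT_OUTPUT = """\
<HUAWEI> display arp limit
 Interface                         VLAN       Limit      Learnt
---------------------------------------------------------------------------
 Vlanif100                            0        1000         950
 10GE1/0/1                        16384          10           2
 10GE1/0/2                          200         500         500
---------------------------------------------------------------------------
 Total:3
"""

# One data row: interface name, VLAN ID, limit, learnt count.
ROW_RE = re.compile(r"^(?P<ifname>\S+)\s+(?P<vlan>\d+)\s+(?P<limit>\d+)\s+(?P<learnt>\d+)$")


def parse_arp_limit(text):
    """Return one dict per interface row; header, rulers and Total are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            rows.append({"ifname": d["ifname"], "vlan": int(d["vlan"]),
                         "limit": int(d["limit"]), "learnt": int(d["learnt"])})
    return rows


def total_matches(text, rows):
    """Cross-check the 'Total:N' trailer against the number of parsed rows."""
    m = re.search(r"Total:\s*(\d+)", text)
    return m is not None and int(m.group(1)) == len(rows)


def near_limit(rows, threshold=0.9):
    """Interfaces whose learnt entries reach `threshold` of their limit,
    as (interface, VLAN, utilization) tuples."""
    flagged = []
    for r in rows:
        if r["limit"] and r["learnt"] / r["limit"] >= threshold:
            util = round(r["learnt"] / r["limit"], 2)
            flagged.append((r["ifname"], r["vlan"], util))
    return flagged


if __name__ == "__main__":
    rows = parse_arp_limit(SAMPLE_LIMIT_OUTPUT)
    print("trailer consistent:", total_matches(SAMPLE_LIMIT_OUTPUT, rows))
    for ifname, vlan, util in near_limit(rows):
        print(f"{ifname} (VLAN {vlan}) at {util:.0%} of its ARP entry limit")
```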

display arp miss anti-attack

Function

The display arp miss anti-attack command displays the ARP Miss anti-attack configuration.

Format

display arp miss anti-attack rate-limit

Parameters

Parameter Description Value
rate-limit Displays the configuration of rate limit on ARP Miss messages. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the rate limit of ARP Miss messages is set, run the display arp miss anti-attack rate-limit command to check the rate limit.

Example

# Display the rate limit of ARP Miss messages.

<HUAWEI> display arp miss anti-attack rate-limit
Global ARP miss rate limit (pps)          : --                                                                                      

Total number of rate-limit configuration for VLAN : 1                           
VLAN               Suppress Rate(pps)                                           
-------------------------------------------------------------------------------                                                     
2                                500                                            
------------------------------------------------------------------------------- 
                                                                                
Total number of rate-limit configuration for source IP Address : 1              
Source IP          Suppress Rate(pps)                                           
------------------------------------------------------------------------------- 
10.4.4.4/32                      700                                            
------------------------------------------------------------------------------- 
Table 16-82  Description of the display arp miss anti-attack rate-limit command output

Item

Description

Global ARP miss rate limit (pps)

Globally set rate limit of ARP Miss messages.

You can run the arp miss anti-attack rate-limit command to configure rate limit on ARP Miss messages.

VLAN

VLAN ID based on which the rate limit of ARP Miss messages is set.

You can run the arp miss anti-attack rate-limit command to configure rate limit on ARP Miss messages.

Source IP

Source IP address based on which the rate limit of ARP Miss messages is set.

You can run the arp miss anti-attack rate-limit source-ip command to configure rate limit on ARP Miss messages based on the source IP address.

Suppress Rate(pps)

Rate limit on ARP Miss messages.

display arp miss anti-attack record

Function

The display arp miss anti-attack record command displays detailed information about ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.

Format

display arp miss anti-attack record

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After rate limit on ARP Miss messages is enabled, the device collects statistics on received ARP Miss messages in a specified period. If the number of ARP Miss messages exceeds the limit, the device discards the excess ARP Miss messages. To help locate faults, the device records detailed information about discarded ARP Miss messages.

You can run this command to view detailed information about discarded ARP Miss messages.

Example

# Display detailed information about discarded ARP Miss messages.

<HUAWEI> display arp miss anti-attack record
Source IP       Destination IP  Interface                 Attack Time   
--------------------------------------------------------------------------------
10.1.1.2        10.1.2.247      10GE1/0/1                 09-10 16:06:04   
--------------------------------------------------------------------------------
There are 6 records in ARP miss table
Table 16-83  Description of the display arp miss anti-attack record command output

Item

Description

Source IP

Source IP address of discarded ARP Miss messages.

Destination IP

Destination IP address of discarded ARP Miss messages.

Interface

Interface where ARP Miss messages are discarded.

Attack Time

Time when the ARP Miss attack occurs.

NOTE:
ARP Miss attack time is the time when the number of ARP Miss messages received in a specified period exceeds the limit.
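The display arp anti-attack record and display arp miss anti-attack record outputs share the same four columns (Source IP, Destination IP, Interface, Attack Time). As an added example (not part of this command reference), the following Python code parses either output, checks the trailing record count against the rows actually parsed, and aggregates the discarded-packet records per source IP and per interface so that the sources responsible for a rate-limit breach stand out. The sample output is constructed, not captured from a device.

```python
import re
from collections import Counter

# Constructed sample in the format of "display arp anti-attack record" output
# (not captured from a device); the same parser handles the ARP Miss variant.
SAMPLE_RECORD_OUTPUT = """\
<HUAWEI> display arp anti-attack record
Source IP       Destination IP  Interface                 Attack Time
---------------------------------------------------------------------------
10.1.115.234    10.1.1.1        298                       09-10 15:53:34
10.1.115.234    10.1.1.1        298                       09-10 15:53:35
10.1.115.235    10.1.1.1        298                       09-10 15:53:34
10.1.1.2        10.1.2.247      10GE1/0/1                 09-10 16:06:04
---------------------------------------------------------------------------
There are 4 records in ARP table
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row; the Interface column may be a name or a bare index.
ROW_RE = re.compile(
    rf"^(?P<src>{IPV4})\s+(?P<dst>{IPV4})\s+(?P<ifname>\S+)\s+"
    r"(?P<time>\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)


def parse_records(text):
    """Return one dict per data row; header, rulers and the trailer are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def check_record_count(text, records):
    """Cross-check the 'There are N records' trailer against parsed rows."""
    m = re.search(r"There are (\d+) records", text)
    return m is not None and int(m.group(1)) == len(records)


def summarize(records, top=3):
    """Most frequent source IPs and inbound interfaces among discarded packets."""
    by_src = Counter(r["src"] for r in records)
    by_if = Counter(r["ifname"] for r in records)
    return {"by_source": by_src.most_common(top),
            "by_interface": by_if.most_common(top)}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORD_OUTPUT)
    print("trailer consistent:", check_record_count(SAMPLE_RECORD_OUTPUT, recs))
    print(summarize(recs))
```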

reset arp anti-attack record

Function

The reset arp anti-attack record command clears detailed information about ARP packets discarded when the rate of ARP packets exceeds the limit.

Format

reset arp anti-attack record

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

After rate limit on ARP packets is enabled, the device collects statistics on received ARP packets in a specified period. If the number of ARP packets exceeds the limit, the device discards the excess ARP packets. To help locate faults, the device records detailed information about discarded ARP packets.

You can run the reset arp anti-attack record command to clear detailed information about discarded ARP packets to release system storage resources.

Example

# Clear detailed information about ARP packets discarded when the rate of ARP packets exceeds the limit.

<HUAWEI> reset arp anti-attack record

reset arp packet statistics

Function

The reset arp packet statistics command clears the statistics on ARP packets.

Format

reset arp packet statistics [ interface [ interface-type interface-number ] ]

Parameters

Parameter Description Value
interface Clears the statistics about ARP packets sent and received by Layer 3 interfaces.

If the interface parameter is not specified, the statistics on all ARP packets are cleared.

-
interface-type interface-number
Specifies the type and number of an interface.
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

If the interface-type interface-number parameters are not specified, the statistics on ARP packets sent and received by all Layer 3 interfaces are cleared.

-

Views

User view

Default Level

2: Configuration level

Usage Guidelines

You can run the display arp packet statistics command to display the statistics on ARP packets. To obtain correct statistics, run the reset arp packet statistics command to clear existing statistics first.

Example

# Clear the statistics on all ARP packets.

<HUAWEI> reset arp packet statistics

reset arp miss anti-attack record

Function

The reset arp miss anti-attack record command clears detailed information about ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.

Format

reset arp miss anti-attack record

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

After rate limit on ARP Miss messages is enabled, the device collects statistics on received ARP Miss messages in a specified period. If the number of ARP Miss messages exceeds the limit, the device discards the excess ARP Miss messages. To help locate faults, the device records detailed information about discarded ARP Miss messages.

You can run the reset arp miss anti-attack record command to clear detailed information about discarded ARP Miss messages to release system storage resources.

Example

# Clear information about discarded ARP Miss messages.

<HUAWEI> reset arp miss anti-attack record
Updated: 2019-03-21

Document ID: EDOC1000166501