Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ARP Security Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

arp anti-attack check user-bind alarm enable

Function

The arp anti-attack check user-bind alarm enable command enables the alarm function for ARP packets discarded by DAI.

The undo arp anti-attack check user-bind alarm enable command disables the alarm function for ARP packets discarded by DAI.

By default, the alarm function for ARP packets discarded by DAI is disabled.

Format

arp anti-attack check user-bind alarm enable

undo arp anti-attack check user-bind alarm enable

Parameters

None

Views

Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DAI is enabled, if you want to receive an alarm when a large number of ARP packets are discarded by DAI, you can run the arp anti-attack check user-bind alarm enable command. After the alarm function is enabled, the device sends an alarm when the number of discarded ARP packets exceeds the threshold.

The alarm threshold is set by the arp anti-attack check user-bind alarm threshold command.

Prerequisites

DAI has been enabled on the interface using the arp anti-attack check user-bind enable command.

Example

# Enable the alarm function for ARP packets discarded by DAI on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable

arp anti-attack check user-bind alarm threshold

Function

The arp anti-attack check user-bind alarm threshold command sets the alarm threshold for ARP packets discarded by DAI.

The undo arp anti-attack check user-bind alarm threshold command restores the default alarm threshold for ARP packets discarded by DAI.

By default, the alarm threshold for ARP packets discarded by DAI is 100.

Format

arp anti-attack check user-bind alarm threshold threshold

undo arp anti-attack check user-bind alarm threshold

Parameters

Parameter | Description | Value
threshold | Specifies the alarm threshold for the ARP packets discarded by DAI. | The value is an integer that ranges from 1 to 1000.

Views

System view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use this command to set the alarm threshold for ARP packets discarded by DAI. After the alarm threshold is set, the device sends an alarm when the number of ARP packets discarded by DAI exceeds this threshold.

Prerequisites

DAI has been enabled using the arp anti-attack check user-bind enable command in the interface view, and the alarm function for ARP packets discarded by DAI has been enabled using the arp anti-attack check user-bind alarm enable command.

Precautions

The arp anti-attack check user-bind alarm threshold command takes effect in the system view only when DAI and the alarm function for ARP packets discarded by DAI are enabled on the interface. The global alarm threshold takes effect on all interfaces enabled with the two functions.

If the alarm thresholds are set in the interface view and system view, the alarm threshold configured in the interface view takes effect. If the alarm threshold on an interface is not configured, the global alarm threshold is used.

Example

# Set the alarm threshold for ARP packets discarded by DAI on GE0/0/1 to 200.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm threshold 200

arp anti-attack check user-bind check-item (interface view)

Function

The arp anti-attack check user-bind check-item command configures check items for ARP packet check based on binding entries on an interface.

The undo arp anti-attack check user-bind check-item command restores the default check items.

By default, the check items consist of IP address, MAC address, and VLAN ID.

Format

arp anti-attack check user-bind check-item { ip-address | mac-address | vlan } *

undo arp anti-attack check user-bind check-item

Parameters

Parameter | Description | Value
ip-address | Indicates that the device checks IP addresses in ARP packets. | -
mac-address | Indicates that the device checks MAC addresses in ARP packets. | -
vlan | Indicates that the device checks VLAN IDs in ARP packets. | -

Views

Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a device receives an ARP packet, it compares the source IP address, source MAC address, and VLAN ID of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

To allow some special ARP packets that match only one or two items in binding entries to pass through, use the arp anti-attack check user-bind check-item command to configure the device to check ARP packets according to one or two specified items in binding entries.

Prerequisites

DAI has been enabled on the interface using the arp anti-attack check user-bind enable command.

Precautions

Check items configured for ARP packet check based on binding entries do not take effect on hosts that are configured with static binding entries. These hosts check ARP packets based on all items in static binding entries.

Example

# Configure GE0/0/1 to check IP addresses in ARP packets.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind check-item ip-address

arp anti-attack check user-bind check-item (VLAN view)

Function

The arp anti-attack check user-bind check-item command configures check items for ARP packet check based on binding entries in a VLAN.

The undo arp anti-attack check user-bind check-item command restores the default check items.

By default, the check items consist of IP address, MAC address, and interface number.

Format

arp anti-attack check user-bind check-item { ip-address | mac-address | interface } *

undo arp anti-attack check user-bind check-item

Parameters

Parameter | Description | Value
ip-address | Indicates that the device checks IP addresses in ARP packets. | -
mac-address | Indicates that the device checks MAC addresses in ARP packets. | -
interface | Indicates that the device checks interface numbers in ARP packets. | -

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a device receives an ARP packet, it compares the source IP address, source MAC address, and interface number of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

To allow some special ARP packets that match only one or two items in binding entries to pass through, configure the device to check ARP packets according to one or two specified items in binding entries.

Prerequisites

DAI has been enabled in the VLAN using the arp anti-attack check user-bind enable command.

Precautions

Check items configured for ARP packet check based on binding entries do not take effect on hosts that are configured with static binding entries. These hosts check ARP packets based on all items in static binding entries.

Example

# Configure the device to check IP addresses in ARP packets from VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable
[HUAWEI-vlan100] arp anti-attack check user-bind check-item ip-address

arp anti-attack check user-bind enable

Function

The arp anti-attack check user-bind enable command enables DAI on an interface or in a VLAN. DAI enables the device to check ARP packets based on binding entries.

The undo arp anti-attack check user-bind enable command disables DAI on an interface or in a VLAN.

By default, DAI is disabled on an interface or in a VLAN.

Format

arp anti-attack check user-bind enable

undo arp anti-attack check user-bind enable

Parameters

None

Views

VLAN view, Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent MITM attacks and theft on authorized user information, run the arp anti-attack check user-bind enable command to enable DAI. When a device receives an ARP packet, it compares the source IP address, source MAC address, VLAN ID, and interface number of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

You can enable DAI in the interface view or the VLAN view. When DAI is enabled in the interface view, the device checks all ARP packets received on the interface against binding entries. When DAI is enabled in the VLAN view, the device checks ARP packets received on the interfaces belonging to the VLAN against binding entries.

Follow-up Procedure

Run the arp anti-attack check user-bind check-item (interface view) or arp anti-attack check user-bind check-item (VLAN view) command to configure check items for ARP packet check based on binding entries.
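The binding-entry comparison described in the Usage Scenario above, the selectable check items of the two arp anti-attack check user-bind check-item commands, and the interface-over-global precedence of the alarm threshold can be seen together in one small model. The following Python is an added example, not Huawei code and not a description of the switch's implementation; the binding entries and packets are constructed inline. Two modelling assumptions are labelled in the code: a host is identified by its IP address (so a static binding for the sender IP is checked on every item regardless of the configured check items), and the alarm is raised on the first discard beyond the threshold.

```python
"""DAI check against binding entries with selectable check items and discard alarms.

Added example; not Huawei code. Binding entries and packets are constructed inline.
Assumptions: a host is identified by its IP address, so a static binding for the
packet's sender IP is always checked on every item; the alarm fires on the first
discard beyond the threshold; an interface threshold takes precedence over the global one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool = False


@dataclass(frozen=True)
class ArpPacket:
    ip: str          # sender IP
    mac: str         # sender MAC
    vlan: int
    interface: str   # inbound interface


FIELD_OF = {"ip-address": "ip", "mac-address": "mac", "vlan": "vlan", "interface": "interface"}
ALL_ITEMS = tuple(FIELD_OF)
DEFAULT_ITEMS_INTERFACE_VIEW = ("ip-address", "mac-address", "vlan")
DEFAULT_ITEMS_VLAN_VIEW = ("ip-address", "mac-address", "interface")


def matches(pkt: ArpPacket, binding: Binding, items) -> bool:
    """True when every selected item of the packet equals the binding entry."""
    return all(getattr(pkt, FIELD_OF[i]) == getattr(binding, FIELD_OF[i]) for i in items)


class DaiInspector:
    """Interface-view DAI: per-interface check items and discard-count alarms."""

    def __init__(self, bindings, global_threshold=100, default_items=DEFAULT_ITEMS_INTERFACE_VIEW):
        self.bindings = list(bindings)
        self.global_threshold = global_threshold  # alarm threshold set in the system view
        self.default_items = default_items
        self.items = {}        # interface -> check items configured on that interface
        self.thresholds = {}   # interface -> threshold override (interface view wins)
        self.discards = {}     # interface -> packets discarded by DAI
        self.alarms = []       # (interface, discard count) when a threshold is crossed

    def set_check_items(self, interface, *items):
        unknown = set(items) - set(FIELD_OF)
        if not items or unknown:
            raise ValueError(f"bad check item(s): {sorted(unknown) or 'none given'}")
        self.items[interface] = tuple(items)

    def set_alarm_threshold(self, interface, threshold):
        if not 1 <= threshold <= 1000:
            raise ValueError("threshold must be 1..1000")
        self.thresholds[interface] = threshold

    def threshold_for(self, interface):
        return self.thresholds.get(interface, self.global_threshold)

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True if the packet passes DAI, False if it is discarded."""
        static = [b for b in self.bindings if b.static and b.ip == pkt.ip]
        if static:
            # check items do not apply to hosts with static bindings: every item must match
            ok = any(matches(pkt, b, ALL_ITEMS) for b in static)
        else:
            items = self.items.get(pkt.interface, self.default_items)
            ok = any(matches(pkt, b, items) for b in self.bindings)
        if ok:
            return True
        n = self.discards[pkt.interface] = self.discards.get(pkt.interface, 0) + 1
        if n == self.threshold_for(pkt.interface) + 1:
            self.alarms.append((pkt.interface, n))
        return False


# Constructed binding table: one dynamic entry and one static entry.
BINDINGS = [
    Binding("10.0.0.10", "0011-2233-4410", 100, "GE0/0/1"),
    Binding("10.0.0.20", "0011-2233-4420", 100, "GE0/0/2", static=True),
]

if __name__ == "__main__":
    dai = DaiInspector(BINDINGS, global_threshold=2)
    dai.set_check_items("GE0/0/1", "ip-address")      # GE0/0/1 checks only the IP address
    print(dai.inspect(ArpPacket("10.0.0.10", "0011-2233-9999", 100, "GE0/0/1")))  # MAC not checked
    print(dai.inspect(ArpPacket("10.0.0.20", "0011-2233-9999", 100, "GE0/0/2")))  # static host
```

Passing `default_items=DEFAULT_ITEMS_VLAN_VIEW` models the VLAN-view variant, where the interface number replaces the VLAN ID as a default check item.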

Precautions

When resources are sufficient, DAI can be enabled in a maximum of 10 VLANs.

Example

# Enable DAI on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable

# Enable DAI in VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable

arp anti-attack entry-check enable

Function

The arp anti-attack entry-check enable command enables ARP entry fixing.

The undo arp anti-attack entry-check enable command disables ARP entry fixing.

By default, ARP entry fixing is disabled.

Format

arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

undo arp anti-attack entry-check [ fixed-mac | fixed-all | send-ack ] enable

Parameters

Parameter | Description | Value
fixed-mac | Indicates ARP entry fixing in fixed-mac mode. When receiving an ARP packet, the device discards the packet if the MAC address does not match the MAC address in the corresponding ARP entry. If the MAC address in the ARP packet matches that in the corresponding ARP entry while the interface number or VLAN ID does not match that in the ARP entry, the device updates the interface number or VLAN ID in the ARP entry. | -
fixed-all | Indicates ARP entry fixing in fixed-all mode. When the MAC address, interface number, and VLAN ID of an ARP packet match those in the corresponding ARP entry, the device updates other information about the ARP entry. | -
send-ack | Indicates ARP entry fixing in send-ack mode. When the device receives an ARP packet with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and then determines whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response from the user. | -

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To defend against ARP address spoofing attacks, enable ARP entry fixing. The fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive:
  • The fixed-mac mode applies to networks where user MAC addresses are unchanged but user access locations often change. When a user connects to a different interface on the device, the device promptly updates the interface information in the user's ARP entry.
  • The fixed-all mode applies to networks where user MAC addresses and user access locations are fixed.
  • The send-ack mode applies to networks where user MAC addresses and user access locations often change.
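The three modes differ only in which fields of an existing ARP entry may change and under what condition, which is easiest to see by feeding the same three packets (the original host, the same host on a new port, and a different MAC claiming the same IP) to a table in each mode. The Python below is an added example, not Huawei code; the "network" that answers the send-ack probe is a constructed set of MAC addresses standing in for the unicast ARP Request the device actually sends, and the probe is synchronous (the real device limits outstanding verifications to 100 entries).

```python
"""ARP entry fixing: how an existing entry is updated under fixed-mac, fixed-all and send-ack.

Added example; not Huawei code. The set of MACs that answer send-ack probes is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    vlan: int
    interface: str


class FixedArpTable:
    """ARP table whose update policy is one of the three entry-fixing modes."""

    MODES = ("fixed-mac", "fixed-all", "send-ack")

    def __init__(self, mode, probe=None):
        if mode not in self.MODES:
            raise ValueError(f"mode must be one of {self.MODES}")
        self.mode = mode
        # send-ack: probe(entry) -> True if the host at the recorded MAC still answers for its IP.
        # The device limits outstanding probes to 100 entries; this model probes synchronously.
        self.probe = probe
        self.entries = {}   # ip -> ArpEntry

    def learn(self, pkt: ArpEntry) -> str:
        """Apply one received ARP packet; returns 'new', 'refreshed', 'updated' or 'discarded'."""
        cur = self.entries.get(pkt.ip)
        if cur is None:
            self.entries[pkt.ip] = pkt
            return "new"
        if (cur.mac, cur.vlan, cur.interface) == (pkt.mac, pkt.vlan, pkt.interface):
            return "refreshed"         # nothing fixed changed; only other info (e.g. aging) is updated
        if self.mode == "fixed-mac":
            # a different MAC is rejected; the same MAC at a new VLAN/interface is accepted
            if pkt.mac != cur.mac:
                return "discarded"
            self.entries[pkt.ip] = pkt
            return "updated"
        if self.mode == "fixed-all":
            # MAC, interface and VLAN are all frozen: any change is ignored
            return "discarded"
        # send-ack: ask the host at the recorded MAC before trusting the change
        if self.probe is None:
            raise RuntimeError("send-ack mode needs a probe callback")
        if self.probe(cur):
            return "discarded"         # original host still answers: keep the entry
        self.entries[pkt.ip] = pkt     # no answer: the change is accepted
        return "updated"


# Constructed scenario: a host, the same host moved to another port, and a spoofed MAC for its IP.
ORIGINAL = ArpEntry("10.0.0.5", "0011-2233-44aa", 10, "GE0/0/1")
MOVED = ArpEntry("10.0.0.5", "0011-2233-44aa", 20, "GE0/0/2")
SPOOFED = ArpEntry("10.0.0.5", "0011-2233-44bb", 10, "GE0/0/1")


def run_scenario(mode, alive_macs=frozenset()):
    """Feed ORIGINAL, SPOOFED, MOVED to a fresh table; return the decisions and the final entry."""
    table = FixedArpTable(mode, probe=lambda entry: entry.mac in alive_macs)
    decisions = [table.learn(p) for p in (ORIGINAL, SPOOFED, MOVED)]
    return decisions, table.entries["10.0.0.5"]


if __name__ == "__main__":
    for mode in FixedArpTable.MODES:
        print(mode, run_scenario(mode, alive_macs={"0011-2233-44aa"}))
```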

Precautions

After ARP entry fixing is enabled, the function that updates ARP entries when MAC address entries change (configured by the mac-address update arp command) becomes invalid.

In send-ack mode, the device can record a maximum of 100 ARP entries in the ARP Request packets intended to trigger ARP entry modification.

If you run the arp anti-attack entry-check enable command in the system view, ARP entry fixing is enabled on all interfaces. If you run the arp anti-attack entry-check enable command in the interface view, ARP entry fixing is enabled on the specified interface.

If ARP entry fixing is enabled globally and on a VLANIF interface simultaneously, the configuration on the VLANIF interface takes precedence over the global configuration.

Example

# Enable ARP entry fixing and specify the fixed-mac mode.

<HUAWEI> system-view
[HUAWEI] arp anti-attack entry-check fixed-mac enable

arp anti-attack gateway-duplicate enable

Function

The arp anti-attack gateway-duplicate enable command enables ARP gateway anti-collision.

The undo arp anti-attack gateway-duplicate enable command disables ARP gateway anti-collision.

By default, ARP gateway anti-collision is disabled.

NOTE:

Only the S5720HI, S5720EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Format

arp anti-attack gateway-duplicate enable

undo arp anti-attack gateway-duplicate enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker forges the gateway address to send ARP packets with the source IP address being the IP address of the gateway on the LAN, ARP entries on hosts in the LAN record the incorrect gateway address. As a result, all traffic from user hosts to the gateway is sent to the attacker and the attacker intercepts user information. Communication of users is interrupted.

To prevent bogus gateway attacks, enable ARP gateway anti-collision on the gateway using the arp anti-attack gateway-duplicate enable command. The gateway considers that a gateway collision occurs when a received ARP packet meets either of the following conditions:
  • The source IP address in the ARP packet is the same as the IP address of the VLANIF interface matching the physical inbound interface of the packet.
  • The source IP address in the ARP packet is the virtual IP address of the inbound interface but the source MAC address in the ARP packet is not the virtual MAC address of the VRRP group.
The device generates an ARP anti-collision entry and discards the received packets with the same source MAC address and VLAN ID in a specified period. This function prevents ARP packets with the bogus gateway address from being broadcast in a VLAN.
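The two collision conditions and the suppression entry described above can be modelled directly. The following Python is an added example, not Huawei code; the VLANIF/VRRP configuration and the packets are constructed inline. Because the document does not state how long a suppression entry lasts, the period is a constructor parameter, and timestamps are passed in explicitly so the run is deterministic; the 100-entry cap from the Precautions is enforced.

```python
"""ARP gateway anti-collision: spot ARP packets claiming the gateway's address and suppress the sender.

Added example; not Huawei code. Configuration and packets are constructed inline.
Assumption: the suppression period (hold_time) is a parameter; the page does not give its length.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ArpPacket:
    src_ip: str
    src_mac: str
    vlan: int          # VLAN of the physical inbound interface
    interface: str


@dataclass(frozen=True)
class Vlanif:
    ip: str                          # address of the VLANIF matching the inbound interface
    vrrp_vip: Optional[str] = None   # VRRP virtual IP on this VLANIF, if any
    vrrp_vmac: Optional[str] = None  # virtual MAC of that VRRP group


class GatewayCollisionGuard:
    MAX_ENTRIES = 100   # at most 100 anti-collision entries exist at one time

    def __init__(self, vlanifs, hold_time):
        self.vlanifs = dict(vlanifs)   # vlan id -> Vlanif
        self.hold_time = hold_time
        self.entries = {}              # (src_mac, vlan) -> expiry time

    def is_collision(self, pkt: ArpPacket) -> bool:
        cfg = self.vlanifs.get(pkt.vlan)
        if cfg is None:
            return False
        if pkt.src_ip == cfg.ip:                 # condition 1: our own VLANIF address as sender
            return True
        if cfg.vrrp_vip and pkt.src_ip == cfg.vrrp_vip and pkt.src_mac != cfg.vrrp_vmac:
            return True                          # condition 2: virtual IP without the virtual MAC
        return False

    def process(self, pkt: ArpPacket, now: float) -> str:
        """Return 'forward', 'collision' (entry created, packet dropped), 'suppressed' or 'table-full'."""
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}   # age out
        key = (pkt.src_mac, pkt.vlan)
        if key in self.entries:
            return "suppressed"      # same MAC and VLAN within the period: dropped
        if not self.is_collision(pkt):
            return "forward"
        if len(self.entries) >= self.MAX_ENTRIES:
            return "table-full"      # no entry can be created, so this collision is not blocked
        self.entries[key] = now + self.hold_time
        return "collision"


# Constructed gateway: VLANIF 100 at 10.0.0.1, in a VRRP group with virtual IP 10.0.0.254.
GUARD_CONFIG = {100: Vlanif("10.0.0.1", "10.0.0.254", "0000-5e00-0101")}

HOST = ArpPacket("10.0.0.50", "0011-2233-4450", 100, "GE0/0/1")
SPOOF_GATEWAY = ArpPacket("10.0.0.1", "0011-2233-4bad", 100, "GE0/0/1")
SAME_MAC_OTHER_IP = ArpPacket("10.0.0.77", "0011-2233-4bad", 100, "GE0/0/1")
VRRP_PEER = ArpPacket("10.0.0.254", "0000-5e00-0101", 100, "GE0/0/2")
SPOOF_VIP = ArpPacket("10.0.0.254", "0011-2233-4bad", 100, "GE0/0/3")

if __name__ == "__main__":
    g = GatewayCollisionGuard(GUARD_CONFIG, hold_time=60)
    for t, pkt in [(0, HOST), (0, SPOOF_GATEWAY), (10, SAME_MAC_OTHER_IP), (61, SPOOF_GATEWAY), (61, VRRP_PEER)]:
        print(t, pkt.src_ip, pkt.src_mac, g.process(pkt, t))
```

Note that the VRRP peer's own ARP traffic (virtual IP with the virtual MAC) is forwarded, while any other MAC using the virtual IP is treated as a collision.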

Precautions

A maximum of 100 ARP anti-attack entries exist on the device at the same time. When the maximum number is exceeded, the device cannot prevent new ARP gateway collision attacks.

Example

# Enable ARP gateway anti-collision.

<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable

arp anti-attack log-trap-timer

Function

The arp anti-attack log-trap-timer command sets the interval for sending ARP alarms.

The undo arp anti-attack log-trap-timer command restores the default setting.

The default interval for sending alarms is 0, indicating that the device does not send ARP alarms.

Format

arp anti-attack log-trap-timer time

undo arp anti-attack log-trap-timer

Parameters

Parameter | Description | Value
time | Specifies the interval for sending ARP alarms. | The value is an integer that ranges from 0 to 1200, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limiting on ARP packets based on source IP addresses is enabled, if the number of ARP packets the device receives per second exceeds the limit, the device discards the excess ARP packets. The device considers the excess ARP packets as potential attacks and sends ARP alarms indicating potential attacks to the NMS. To avoid excessive alarms when ARP attacks occur, reduce the alarm quantity by setting a proper interval for sending alarms.

Precautions

In an insecure environment, you are advised to extend the interval for sending ARP alarms to prevent excessive ARP alarms. In a secure environment, you are advised to shorten the interval so that faults can be rectified in real time.

After the interval is set, the device discards alarms generated within this interval; therefore, some faults cannot be rectified in real time.

The command takes effect only on the alarm for ARP rate limit based on source IP addresses (corresponding to arp speed-limit source-ip). The other ARP alarms are generated at a fixed interval of 5 seconds.

Example

# Set the interval for sending ARP alarms to 20 seconds.

<HUAWEI> system-view
[HUAWEI] arp anti-attack log-trap-timer 20

arp anti-attack packet-check

Function

The arp anti-attack packet-check command enables ARP packet validity check and specifies check items.

The undo arp anti-attack packet-check command disables ARP packet validity check.

By default, ARP packet validity check is disabled.

Format

arp anti-attack packet-check { ip | dst-mac | sender-mac } *

undo arp anti-attack packet-check [ ip | dst-mac | sender-mac ] *

Parameters

Parameter | Description | Value
ip | Indicates ARP packet validity check based on the IP address. | -
dst-mac | Indicates ARP packet validity check based on the destination MAC address. | -
sender-mac | Indicates ARP packet validity check based on the source MAC address. | -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To avoid ARP attacks, you can use the arp anti-attack packet-check command to enable ARP packet validity check on an access device or a gateway to filter out ARP packets with invalid IP addresses or MAC addresses. The device checks the validity of an ARP packet based on each or any combination of the following items:

  • Source and destination IP addresses: The device checks the source and destination IP addresses in an ARP packet. If the source or destination IP address is all 0s, all 1s, or a multicast IP address, the device discards the packet as an invalid packet. The device checks both the source and destination IP addresses in an ARP Reply packet but checks only the source IP address in an ARP Request packet.

  • Source MAC address: The device compares the source MAC address in an ARP packet with that in the Ethernet frame header. If they are the same, the packet is valid. If they are different, the device discards the packet.

  • Destination MAC address: The device compares the destination MAC address in an ARP packet with that in the Ethernet frame header. If they are the same, the packet is valid. If they are different, the device discards the packet.
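The three check items are simple field comparisons on the Ethernet header and ARP body, which a short parser makes concrete. The following Python is an added example, not Huawei code and not the switch's implementation; the frames it inspects are constructed inline. It applies the items exactly as the bullets describe them (sender IP on every packet, target IP only on Replies, ARP-body MACs compared with the Ethernet header), which is why an ordinary broadcast ARP Request fails the dst-mac item, the behaviour the Precautions below warn about.

```python
"""ARP packet validity check: the ip, sender-mac and dst-mac items applied to Ethernet/ARP frames.

Added example; not Huawei code. The frames below are constructed for illustration.
"""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ALL_ITEMS = ("ip", "sender-mac", "dst-mac")


def parse_arp_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame carrying ARP into the fields the checks need."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    return {
        "eth_dst": eth_dst, "eth_src": eth_src, "op": op,
        "sha": sha, "spa": ipaddress.IPv4Address(spa),
        "tha": tha, "tpa": ipaddress.IPv4Address(tpa),
    }


def _invalid_ip(ip: ipaddress.IPv4Address) -> bool:
    """All 0s, all 1s or multicast: the addresses the ip item rejects."""
    return ip in (ipaddress.IPv4Address("0.0.0.0"),
                  ipaddress.IPv4Address("255.255.255.255")) or ip.is_multicast


def check_arp(frame: bytes, items=ALL_ITEMS) -> list:
    """Return the check items the frame fails; an empty list means the packet is valid."""
    p = parse_arp_frame(frame)
    failed = []
    if "ip" in items:
        # the sender IP is checked for every packet, the target IP only for Replies
        if _invalid_ip(p["spa"]) or (p["op"] == ARP_REPLY and _invalid_ip(p["tpa"])):
            failed.append("ip")
    if "sender-mac" in items and p["sha"] != p["eth_src"]:
        failed.append("sender-mac")
    if "dst-mac" in items and p["tha"] != p["eth_dst"]:
        failed.append("dst-mac")
    return failed


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Assemble a test frame (constructed input, not captured traffic)."""
    body = ARP_BODY.pack(1, 0x0800, 6, 4, op, sha,
                         ipaddress.IPv4Address(spa).packed, tha,
                         ipaddress.IPv4Address(tpa).packed)
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + body


MAC_A = bytes.fromhex("0011223344aa")
MAC_B = bytes.fromhex("0011223344bb")
MAC_X = bytes.fromhex("deadbeef0001")      # a MAC that never appears in the ARP body
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

# A well-formed Reply from A to B: passes every item.
GOOD_REPLY = build_arp_frame(MAC_B, MAC_A, ARP_REPLY, MAC_A, "10.0.0.1", MAC_B, "10.0.0.2")
# Ethernet source differs from the ARP sender MAC: the pattern the sender-mac item catches.
SPOOFED_SENDER = build_arp_frame(MAC_B, MAC_X, ARP_REPLY, MAC_A, "10.0.0.1", MAC_B, "10.0.0.2")
# Reply whose target IP is all 0s: rejected by the ip item.
ZERO_TARGET_REPLY = build_arp_frame(MAC_B, MAC_A, ARP_REPLY, MAC_A, "10.0.0.1", MAC_B, "0.0.0.0")
# Request with the same all-0s target: the ip item ignores a Request's target IP, but the
# broadcast Ethernet destination differs from the ARP target MAC, so the dst-mac item fails.
ZERO_TARGET_REQUEST = build_arp_frame(BROADCAST, MAC_A, ARP_REQUEST, MAC_A, "10.0.0.1", ZERO_MAC, "0.0.0.0")

if __name__ == "__main__":
    for name, frame in [("good reply", GOOD_REPLY), ("spoofed sender", SPOOFED_SENDER),
                        ("zero-target reply", ZERO_TARGET_REPLY), ("zero-target request", ZERO_TARGET_REQUEST)]:
        print(f"{name:20s} failed items: {check_arp(frame) or 'none'}")
```

Running only the `ip` item on the broadcast Request shows why the document suggests enabling the MAC-based items only after capturing and analysing the attack traffic: the MAC comparisons reject frames that the ARP protocol itself permits.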

Precautions

Generally, packets with different source and destination MAC addresses in the ARP packet and Ethernet frame header are allowed by the ARP protocol. When an attack occurs, capture and analyze packets. If the attack is initiated by using inconsistent source or destination MAC addresses in the ARP packet and Ethernet frame header, enable ARP packet validity check based on the source or destination MAC address.

If you run the arp anti-attack packet-check sender-mac command multiple times, all the check items specified in these commands take effect.

Example

# Enable ARP packet validity check and configure the device to check the source MAC address in an ARP packet.

<HUAWEI> system-view
[HUAWEI] arp anti-attack packet-check sender-mac

arp anti-attack rate-limit

Function

The arp anti-attack rate-limit command sets the maximum rate and rate limiting duration of ARP packets globally, in a VLAN, or on an interface, and enables the function of discarding all ARP packets received from the interface when the rate of ARP packets exceeds the limit on an interface.

The undo arp anti-attack rate-limit command restores the default maximum rate and rate limiting duration of ARP packets globally, in a VLAN, or on an interface, and allows the device to send ARP packets to the CPU again.

By default, a maximum of 100 ARP packets are allowed to pass per second, and the function of discarding all ARP packets received from the interface when the rate of ARP packets exceeds the limit is disabled.

Format

System view, VLAN view

arp anti-attack rate-limit packet packet-number [ interval interval-value ]

undo arp anti-attack rate-limit

Interface view

arp anti-attack rate-limit packet packet-number [ interval interval-value | block-timer timer ] *

undo arp anti-attack rate-limit

Parameters

Parameter | Description | Value
packet packet-number | Specifies the maximum rate of sending ARP packets, that is, the number of ARP packets allowed to pass through in the rate limiting duration. | The value is an integer that ranges from 1 to 16384. The default value is 100.
interval interval-value | Specifies the rate limiting duration of ARP packets. | The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.
block-timer timer | Specifies the duration for blocking ARP packets. | The value is an integer that ranges from 5 to 864000, in seconds.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, MultiGE interface view, 40GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP packets is enabled, run the arp anti-attack rate-limit command to set the maximum rate and rate limiting duration of ARP packets globally, in a VLAN, or on an interface. In the rate limiting duration, if the number of received ARP packets exceeds the limit, the device discards the excess ARP packets.

If the parameter block-timer timer is specified, the device discards all ARP packets received in the duration specified by timer.

Prerequisites

Rate limit on ARP packets has been enabled globally, in a VLAN, or on an interface using the arp anti-attack rate-limit enable command.

Precautions

If the maximum rate and rate limiting duration are configured in the system view, VLAN view, and interface view at the same time, the device uses the configurations in the interface view, VLAN view, and system view in order.

This command can be configured on a maximum of 16 interfaces.

NOTE:

The arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU for processing in non-block mode, and does not affect ARP packet forwarding by the chip. In block mode, the device discards subsequent ARP packets on an interface only when the number of ARP packets sent to the CPU exceeds the limit.
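The Usage Scenario and Precautions above describe a counter per rate limiting duration, an optional block timer on interfaces, a 16-interface configuration limit, and the interface, VLAN, system precedence; the alarm threshold from arp anti-attack rate-limit alarm threshold sits on top of the discard count. The following Python puts those rules in one model. It is an added example, not Huawei code; it assumes that packets are counted in the scope whose configuration applies, that time is passed in explicitly, and that the alarm is raised on the first discard beyond the threshold.

```python
"""ARP rate limiting per scope (system, VLAN, interface) with block-timer and discard alarms.

Added example; not Huawei code. Assumptions: packets are counted in the scope whose
configuration applies (interface, then VLAN, then system), time is passed in explicitly,
and the alarm fires on the first discard beyond the threshold.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RateLimit:
    packet: int = 100        # packets allowed per interval (1..16384, default 100)
    interval: int = 1        # rate limiting duration in seconds (1..86400, default 1)
    block_timer: int = 0     # interface view only: seconds to drop everything after the limit is hit

    def __post_init__(self):
        if not 1 <= self.packet <= 16384 or not 1 <= self.interval <= 86400:
            raise ValueError("packet must be 1..16384 and interval 1..86400")
        if self.block_timer and not 5 <= self.block_timer <= 864000:
            raise ValueError("block-timer must be 5..864000 seconds")


class ArpRateLimiter:
    MAX_INTERFACES = 16      # the command can be configured on at most 16 interfaces

    def __init__(self, system=RateLimit(), alarm_threshold=100):
        self.system = system
        self.vlan_cfg = {}
        self.iface_cfg = {}
        self.alarm_threshold = alarm_threshold   # arp anti-attack rate-limit alarm threshold
        self.windows = {}        # scope -> (window start, packets seen in window)
        self.blocked_until = {}  # interface -> time until which all ARP packets are dropped
        self.discards = {}       # scope -> discarded packets
        self.alarms = []         # (scope, count) when the threshold is crossed

    def set_vlan(self, vlan, cfg: RateLimit):
        if cfg.block_timer:
            raise ValueError("block-timer is only available in the interface view")
        self.vlan_cfg[vlan] = cfg

    def set_interface(self, interface, cfg: RateLimit):
        if interface not in self.iface_cfg and len(self.iface_cfg) >= self.MAX_INTERFACES:
            raise ValueError("rate limit already configured on 16 interfaces")
        self.iface_cfg[interface] = cfg

    def resolve(self, interface, vlan):
        """Interface configuration beats VLAN configuration, which beats the system view."""
        if interface in self.iface_cfg:
            return ("interface", interface), self.iface_cfg[interface]
        if vlan in self.vlan_cfg:
            return ("vlan", vlan), self.vlan_cfg[vlan]
        return ("system", None), self.system

    def _discard(self, scope):
        n = self.discards[scope] = self.discards.get(scope, 0) + 1
        if n == self.alarm_threshold + 1:
            self.alarms.append((scope, n))

    def accept(self, interface, vlan, now) -> bool:
        """True if the ARP packet is sent to the CPU, False if rate limiting discards it."""
        scope, cfg = self.resolve(interface, vlan)
        if self.blocked_until.get(interface, 0) > now:
            self._discard(scope)         # block mode: everything on this interface is dropped
            return False
        start, count = self.windows.get(scope, (now, 0))
        if now - start >= cfg.interval:
            start, count = now, 0        # a new rate limiting duration begins
        count += 1
        self.windows[scope] = (start, count)
        if count <= cfg.packet:
            return True
        if cfg.block_timer and scope[0] == "interface":
            self.blocked_until[interface] = now + cfg.block_timer
        self._discard(scope)
        return False


if __name__ == "__main__":
    rl = ArpRateLimiter(system=RateLimit(packet=3), alarm_threshold=2)
    rl.set_interface("GE0/0/1", RateLimit(packet=2, interval=10, block_timer=60))
    print([rl.accept("GE0/0/1", 100, t) for t in (0, 0, 0, 5, 61)])
```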

Example

# Configure Layer 2 interface GE0/0/1 to allow 200 ARP packets to pass through in 10 seconds, and configure GE0/0/1 to discard all ARP packets in 60 seconds when the number of ARP packets exceeds the limit.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60

# Configure Layer 3 interface GE0/0/1 to allow 200 ARP packets to pass through in 10 seconds, and configure GE0/0/1 to discard all ARP packets in 60 seconds when the number of ARP packets exceeds the limit.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60

arp anti-attack rate-limit alarm enable

Function

The arp anti-attack rate-limit alarm enable command enables the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit.

The undo arp anti-attack rate-limit alarm enable command disables the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit.

By default, the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit is disabled.

Format

arp anti-attack rate-limit alarm enable

undo arp anti-attack rate-limit alarm enable

Parameters

None

Views

System view, VLAN view, Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP packets is enabled, if you want the device to generate alarms for excessive discarded ARP packets, run the arp anti-attack rate-limit alarm enable command. When the number of discarded ARP packets exceeds the alarm threshold, the device generates an alarm.

You can set the alarm threshold using the arp anti-attack rate-limit alarm threshold command.

Prerequisites

Rate limit on ARP packets has been enabled using the arp anti-attack rate-limit enable command.

Example

# Enable rate limit on ARP packets globally and enable the alarm function.

<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable
[HUAWEI] arp anti-attack rate-limit alarm enable

# Enable rate limit for the ARP packets on Layer 2 interface GE0/0/1 and enable the alarm function.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm enable
# Enable rate limit for the ARP packets on Layer 3 interface GE0/0/1 and enable the alarm function.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm enable

arp anti-attack rate-limit alarm threshold

Function

The arp anti-attack rate-limit alarm threshold command sets the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit.

The undo arp anti-attack rate-limit alarm threshold command restores the default alarm threshold.

By default, the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit is 100.

Format

arp anti-attack rate-limit alarm threshold threshold

undo arp anti-attack rate-limit alarm threshold

Parameters

Parameter | Description | Value
threshold | Specifies the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit. | The value is an integer that ranges from 1 to 16384.

Views

System view, VLAN view, Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use the arp anti-attack rate-limit alarm threshold command to set the alarm threshold. When the number of discarded ARP packets exceeds the alarm threshold, the device generates an alarm.

Prerequisites

Rate limit on ARP packets has been enabled using the arp anti-attack rate-limit enable command, and the alarm function has been enabled using the arp anti-attack rate-limit alarm enable command.

Example

# Enable rate limit on ARP packets globally, enable the alarm function, and set the alarm threshold to 50.

<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable
[HUAWEI] arp anti-attack rate-limit alarm enable
[HUAWEI] arp anti-attack rate-limit alarm threshold 50

# Enable rate limit for the ARP packets on Layer 2 interface GE0/0/1, enable the alarm function, and set the alarm threshold to 50.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm threshold 50
# Enable rate limit for the ARP packets on Layer 3 interface GE0/0/1, enable the alarm function, and set the alarm threshold to 50.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm threshold 50

arp anti-attack rate-limit enable

Function

The arp anti-attack rate-limit enable command enables rate limit on ARP packets.

The undo arp anti-attack rate-limit enable command disables rate limit on ARP packets.

By default, rate limiting on ARP packets is disabled.

Format

arp anti-attack rate-limit enable

undo arp anti-attack rate-limit enable

Parameters

None

Views

System view, VLAN view, Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

The device does not have sufficient CPU resources to process other services while it is processing a large number of ARP packets. To protect the CPU resources of the device, limit the rate of ARP packets.

You can run the arp anti-attack rate-limit enable command to enable rate limit on ARP packets. When the rate of ARP packets exceeds the limit, excess ARP packets are discarded. To set the rate limit and rate limiting duration of ARP packets, run the arp anti-attack rate-limit command.

After the optimized ARP reply function (disabled by default) is enabled using the undo arp optimized-reply disable command, rate limiting on ARP packets globally, in a VLAN, or on an interface does not take effect.

Example

# Enable rate limit on ARP packets globally.

<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable

# Enable rate limit for the ARP packets on Layer 2 interface GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
# Enable rate limit for the ARP packets on Layer 3 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable

arp trust source

Function

The arp trust source command enables ARP gateway protection for the specified IP address.

The undo arp trust source command disables ARP gateway protection for the specified IP address.

By default, ARP gateway protection is disabled.

Format

arp trust source ip-address

undo arp trust source { ip-address | all }

Parameters

Parameter Description Value
ip-address Specifies the protected gateway IP address. The value is in dotted decimal notation.
all Disables ARP gateway protection for all IP addresses in the current view. -

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker poses as the gateway and sends ARP packets, other users on the network treat the attacker as the gateway, and communication between authorized users and the real gateway is interrupted. The same happens when a user mistakenly configures a host with the gateway's IP address. To prevent such bogus gateway attacks, configure ARP gateway protection on the interfaces of the device that connect to the gateway. When ARP packets whose sender address is a protected gateway address reach the device:
  • Interfaces on which gateway protection is enabled receive and forward the ARP packets.
  • Interfaces on which gateway protection is not enabled discard the ARP packets.

Precautions

A maximum of 8 protected gateway addresses can be specified on each interface, and 32 on the entire device. The same gateway IP address specified on several interfaces counts once per interface toward these limits.

Example

# Enable ARP gateway protection on GE0/0/1 and set the protected gateway IP address to 10.10.10.1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp trust source 10.10.10.1

arp gratuitous-arp send enable

Function

The arp gratuitous-arp send enable command enables gratuitous ARP packet sending.

The undo arp gratuitous-arp send enable command disables gratuitous ARP packet sending.

By default, gratuitous ARP packet sending is disabled.

Format

arp gratuitous-arp send enable

undo arp gratuitous-arp send enable

Parameters

None

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker forges the gateway address to send ARP packets to other user hosts, ARP entries on the hosts record the incorrect gateway address. As a result, the gateway cannot receive data sent from the hosts. You can enable gratuitous ARP packet sending on the gateway. Then the gateway sends gratuitous ARP packets at intervals to update the ARP entries of authorized users so that the ARP entries contain the correct MAC address of the gateway.

By default, the device sends a gratuitous ARP packet every 60 seconds after this function is enabled. You can also set the interval using the arp gratuitous-arp send interval command.

Precautions

After you run the arp gratuitous-arp send enable command in the system view, gratuitous ARP packet sending is enabled on all VLANIF interfaces.

After you run the undo arp gratuitous-arp send enable command in the system view, gratuitous ARP packet sending is disabled on all VLANIF interfaces.

Example

# Enable gratuitous ARP packet sending on VLANIF 10.

<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp gratuitous-arp send enable

arp gratuitous-arp send interval

Function

The arp gratuitous-arp send interval command sets the interval for sending gratuitous ARP packets.

The undo arp gratuitous-arp send interval command restores the default interval for sending gratuitous ARP packets.

By default, the interval for sending gratuitous ARP packets is 60 seconds.

Format

arp gratuitous-arp send interval interval-time

undo arp gratuitous-arp send interval

Parameters

Parameter Description Value
interval-time Specifies the interval for sending gratuitous ARP packets. The value is an integer that ranges from 1 to 86400, in seconds.

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device sends a gratuitous ARP packet every 60 seconds after gratuitous ARP sending is enabled. You can set the interval for sending gratuitous ARP packets using the arp gratuitous-arp send interval command.

If you set the interval in the system view, the configuration takes effect on all VLANIF interfaces. If you set the interval in both the system view and VLANIF interface view, the configuration on the VLANIF interface takes precedence over the global configuration.

Prerequisites

Gratuitous ARP packet sending has been enabled using the arp gratuitous-arp send enable command.

Example

# Set the interval for sending gratuitous ARP packets to 100 seconds on VLANIF 10.

<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp gratuitous-arp send enable
[HUAWEI-Vlanif10] arp gratuitous-arp send interval 100

arp learning dhcp-trigger

Function

The arp learning dhcp-trigger command enables ARP learning triggered by DHCP.

The undo arp learning dhcp-trigger command disables ARP learning triggered by DHCP.

By default, ARP learning triggered by DHCP is disabled.

Format

arp learning dhcp-trigger

undo arp learning dhcp-trigger

Parameters

None

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When many DHCP users connect to a network device, the device needs to learn and maintain many ARP entries. This affects device performance.

To address this issue, configure ARP learning triggered by DHCP on the gateway. When the DHCP server allocates an IP address for a user, the gateway generates an ARP entry for the user based on the DHCP ACK packet received on the VLANIF interface.

Precautions

Before using this command, ensure that DHCP is enabled using the dhcp enable command.

When both VRRP and DHCP relay are configured on the network, neither the dhcp snooping enable command nor the arp learning dhcp-trigger command can be configured on the VRRP master and backup devices.

Example

# Enable ARP learning triggered by DHCP on VLANIF 100.

<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] dhcp enable
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp learning dhcp-trigger

arp learning disable

Function

The arp learning disable command disables an interface from learning dynamic ARP entries.

The undo arp learning disable command enables an interface to learn dynamic ARP entries.

By default, an interface is enabled to learn dynamic ARP entries.

Format

arp learning disable

undo arp learning disable

Parameters

None

Views

VLANIF interface view, VBDIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To ensure security and facilitate management, you can enable an interface to learn or disable an interface from learning dynamic ARP entries. You can also use the arp learning strict (system view) or arp learning strict (interface view) commands to strictly control ARP entry learning on an interface.

Precautions

If an interface is disabled from learning dynamic ARP entries, hosts behind that interface for which the device has no existing ARP entry (dynamic or static) can no longer be resolved, so communication with them is interrupted.

Dynamic ARP entries that the interface has already learned are not deleted when learning is disabled. You can keep these entries or delete them manually with the reset arp command.

Example

# Disable VLANIF10 from learning dynamic ARP entries.

<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp learning disable

arp learning strict (interface view)

Function

The arp learning strict command enables strict ARP learning on the interface.

The undo arp learning strict command restores the global configuration on the interface.

By default, strict ARP learning is disabled on the interface.

Format

arp learning strict { force-enable | force-disable | trust }

undo arp learning strict

Parameters

Parameter Description Value
force-enable Indicates that strict ARP learning is enabled. -
force-disable Indicates that strict ARP learning is disabled. -
trust Indicates that strict ARP learning on the interface follows the global configuration. NOTE: The effect of the trust parameter is the same as the effect of the undo arp learning strict command. -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If many user hosts send a large number of ARP packets to a device simultaneously, or attackers send bogus ARP packets to the device, the following problems occur:
  • Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, enable strict ARP learning on the gateway. With strict ARP learning, the device learns ARP entries only from ARP Reply packets that answer ARP Request packets it sent itself; it does not learn or update entries from unsolicited ARP packets (requests or replies) received from other devices. In this way, the device can defend against most ARP attacks, including gratuitous-ARP poisoning of the gateway's own table.

Prerequisites

To run this command on an Ethernet interface that works in Layer 2 mode, first run the undo portswitch command to switch the interface to Layer 3 mode.

NOTE:

Only the S5720EI, S5720HI and S6720EI/S6720S-EI support switching between Layer 2 and Layer 3 modes.

Precautions

The configuration on an interface takes precedence over the global configuration.

When ARP attacks occur on many interfaces of the device, you can run the arp learning strict (system view) command to enable strict ARP learning globally.

Example

# Enable strict ARP learning on VLANIF 100.
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp learning strict force-enable
# Enable strict ARP learning on Layer 3 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp learning strict force-enable

arp learning strict (system view)

Function

The arp learning strict command enables strict ARP learning.

The undo arp learning strict command restores the default setting.

By default, strict ARP learning is disabled.

Format

arp learning strict

undo arp learning strict

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If many user hosts send a large number of ARP packets to a device simultaneously, or attackers send bogus ARP packets to the device, the following problems occur:
  • Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, enable strict ARP learning on the gateway. This function indicates that the device learns only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself. In this way, the device can defend against most ARP attacks.
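The learning rule described above for both the interface-view and system-view forms of arp learning strict, modelled in Python as an added example (this is not Huawei code and does not reflect the switch's internal implementation). The class keeps a set of IP addresses the gateway has itself sent ARP Requests for and, in strict mode, accepts only ARP Replies that answer one of them; the addresses, MACs and the replayed exchange are constructed for the example.

```python
class StrictArpLearner:
    """Models a gateway ARP table with strict ARP learning on or off.

    Normal learning: any ARP Request or Reply updates the entry for its sender
    (this is what lets an unsolicited, spoofed reply rewrite an entry).
    Strict learning: only an ARP Reply that answers a request this device sent
    itself (tracked in `pending`) may create or update an entry.
    """

    def __init__(self, strict: bool):
        self.strict = strict
        self.table = {}      # sender IP -> sender MAC
        self.pending = set()  # IPs for which we have an outstanding ARP Request

    def send_request(self, ip: str) -> None:
        """Record that this device asked for `ip`; a reply for it is now expected."""
        self.pending.add(ip)

    def receive(self, op: str, sender_ip: str, sender_mac: str) -> bool:
        """Process one received ARP packet; return True if the table changed."""
        if op not in ("request", "reply"):
            return False
        if self.strict:
            if op != "reply" or sender_ip not in self.pending:
                return False          # unsolicited packet: not learned
            self.pending.discard(sender_ip)  # one reply per request; a second one is unsolicited
        changed = self.table.get(sender_ip) != sender_mac
        self.table[sender_ip] = sender_mac
        return changed


def run_scenario(strict: bool) -> dict:
    """Replay a constructed exchange (not captured traffic) and return the final table."""
    gw = StrictArpLearner(strict)
    gw.send_request("10.10.10.20")
    gw.receive("reply", "10.10.10.20", "00-11-22-33-44-bb")    # legitimate answer
    gw.receive("reply", "10.10.10.20", "00-11-22-33-44-cc")    # unsolicited reply from an attacker
    gw.receive("request", "10.10.10.21", "00-11-22-33-44-dd")  # unsolicited request from another host
    return dict(gw.table)


if __name__ == "__main__":
    print("normal learning:", run_scenario(False))
    print("strict learning:", run_scenario(True))
```

With normal learning the attacker's unsolicited reply overwrites the entry for 10.10.10.20 and the stray request creates an entry for 10.10.10.21; with strict learning only the solicited reply is learned. The cost is the one stated in the command text: hosts the gateway never queries are never learned, so the gateway must originate the request.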

Precautions

The configuration on an interface takes precedence over the global configuration.

Example

# Enable strict ARP learning.

<HUAWEI> system-view
[HUAWEI] arp learning strict

arp optimized-reply disable

Function

The arp optimized-reply disable command disables the optimized ARP reply function.

The undo arp optimized-reply disable command enables the optimized ARP reply function.

By default, the optimized ARP reply function is enabled.

Format

arp optimized-reply disable

undo arp optimized-reply disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a stack functions as an access gateway, it can receive a large number of ARP Request packets for the MAC addresses of its interfaces. If all these ARP Request packets are sent to the master switch, CPU usage on the master switch increases and other services are affected.

To address the preceding problem, enable optimized ARP reply, which improves the switch's capability of defending against ARP flood attack. After this function is enabled, the stack performs the following operations:
  • When receiving an ARP Request packet of which the destination IP address is the local interface address, the switch where the interface is located directly returns an ARP Reply packet.
  • When a stack system receives an ARP Request packet of which the destination IP address is not the local interface address and intra-VLAN proxy ARP is enabled on the master switch, the switch where the interface is located checks whether the ARP Request packet meets the proxy condition. If so, the switch returns an ARP Reply packet. If not, the switch discards the packet.
NOTE:
The optimized ARP reply function can be configured on a stand-alone fixed switch, but does not take effect.
By default, the optimized ARP reply function is enabled. After a device receives an ARP Request packet, the device checks whether an ARP entry corresponding to the source IP address of the ARP Request packet exists.
  • If the corresponding ARP entry exists, the stack performs optimized ARP reply to this ARP Request packet.
  • If the corresponding ARP entry does not exist, the stack does not perform optimized ARP reply to this ARP Request packet.

Precautions

  • The optimized ARP reply function does not take effect for ARP Request packets with double VLAN tags.
  • The optimized ARP reply function takes effect for ARP Request packets sent by wireless users.
  • The optimized ARP reply function takes effect only for the ARP Request packets received by VLANIF interfaces. The optimized ARP reply function does not take effect for the ARP Request packets sent from the VLANIF interfaces of super VLANs and sub VLANs.
  • The optimized ARP reply function does not take effect globally or on VLANIF interfaces when certain other commands are configured.
  • After the optimized ARP reply function is enabled, some other ARP functions become invalid. In particular, as noted under the respective commands in this document, rate limiting on ARP packets enabled with arp anti-attack rate-limit enable (globally, in a VLAN, or on an interface) and rate limiting based on source MAC or source IP address (arp speed-limit source-mac and arp speed-limit source-ip) do not take effect.

Example

# Disable the optimized ARP reply function.

<HUAWEI> system-view
[HUAWEI] arp optimized-reply disable

arp over-vpls enable

Function

The arp over-vpls enable command enables ARP proxy on a device of a VPLS network.

The undo arp over-vpls enable command disables ARP proxy on a device of a VPLS network.

By default, ARP proxy is disabled on a device of a VPLS network.

NOTE:

Only the S5720HI supports this command.

Format

arp over-vpls enable

undo arp over-vpls enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent bogus ARP packets at the PW side from being broadcast to the AC side on a VPLS network, enable ARP proxy over VPLS on a PE.

ARP packets at the PW side are sent to the CPU for processing.
  • If the ARP packets are ARP Request packets and the destination IP addresses in the packets match DHCP snooping binding entries, the device constructs ARP Reply packets based on the DHCP snooping binding entries and sends them to the requester at the PW side.
  • If the ARP packets are not ARP Request packets or the destination IP addresses in the packets match no DHCP snooping binding entry, the device forwards these ARP packets to the destination.

Precautions

Before using this command, ensure that DHCP snooping is enabled using the dhcp snooping over-vpls enable command.

Example

# Enable ARP proxy on a device of a VPLS network.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping over-vpls enable
[HUAWEI] arp over-vpls enable

arp speed-limit source-mac

Function

The arp speed-limit source-mac command sets the maximum rate of ARP packets based on source MAC addresses.

The undo arp speed-limit source-mac command restores the default setting.

By default, the maximum rate of ARP packets from each source MAC address is set to 0, that is, the rate of ARP packets is not limited based on source MAC addresses.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this command.

Format

arp speed-limit source-mac [ mac-address ] maximum maximum

undo arp speed-limit source-mac [ mac-address ]

Parameters

Parameter Description Value
mac-address

Specifies the source MAC address. If this parameter is specified, the rate of ARP packets from the MAC address is limited.

If this parameter is not specified, the rate of ARP packets from each MAC address is limited.

The value is in the H-H-H format. H is a hexadecimal number of 1 to 4 digits.

maximum maximum

Specifies the maximum rate of ARP packets from a specified MAC address.

The value ranges from 0 to 12288 for the S5720EI, from 0 to 45056 for the S6720EI/S6720S-EI, from 0 to 61440 for the S5720HI, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When processing a large number of ARP packets with fixed source MAC addresses but variable source IP addresses, the CPU is overloaded and ARP entries are exhausted. To prevent this problem, limit the rate of ARP packets based on source MAC addresses.

After the arp speed-limit source-mac command is run, the device collects statistics on ARP packets per source MAC address. If the number of ARP packets from a source MAC address per second exceeds the threshold, the device discards the excess ARP packets.

Precautions

Limiting the rate of all ARP packets is not recommended. You are advised to find out the attack source according to packet statistics, and then limit the rate of ARP packets from the specified source MAC address.

If the source MAC address is not specified, the rate of ARP packets from each MAC address is limited. If the rate of ARP packets from each source IP address is also set using the arp speed-limit source-ip command and the two rates are the same, both commands take effect; for ARP packets from a fixed source, the device enforces the maximum rate set by the arp speed-limit source-mac command.

When the optimized ARP reply function is enabled (see the arp optimized-reply disable command), rate limiting on ARP packets based on the source MAC address does not take effect.

Example

# Set the maximum rate of ARP packets from any source MAC address to 100 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-mac maximum 100

# Set the maximum rate of ARP packets from a specified MAC address 0-0-1 to 50 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-mac 0-0-1 maximum 50

arp speed-limit source-ip

Function

The arp speed-limit source-ip command sets the maximum rate of ARP packets based on the source IP address.

The undo arp speed-limit source-ip command restores the default setting.

By default, the device allows a maximum of 30 ARP packets from the same source IP address to pass through per second.

Format

arp speed-limit source-ip [ ip-address ] maximum maximum

undo arp speed-limit source-ip [ ip-address ]

Parameters

Parameter Description Value
ip-address

Specifies the source IP address. If this parameter is specified, the rate of ARP packets from the IP address is limited.

If this parameter is not specified, the rate of ARP packets from each IP address is limited.

The value is in dotted decimal notation.
maximum maximum

Specifies the maximum rate of ARP packets from a specified source IP address.

NOTE:

If the rate of all ARP packets is limited, a large value is recommended because valid packets may be discarded if the value is small. However, a value that is too large degrades system performance. If a specific IP address is identified as an attack source, set the maximum rate of ARP packets from that IP address to a small value instead.

The integer form, in pps, is as follows:
  • S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S2720EI, S5720LI, and S5720S-LI: 0 to 2048
  • S5720SI and S5720S-SI: 0 to 4096
  • S5720EI: 0 to 12288
  • S5720HI: 0 to 61440
  • S5730SI, S5730S-EI, S6720SI and S6720S-SI: 0 to 20000
  • S1720X, S1720X-E, S6720LI, and S6720S-LI: 0 to 8192
  • S6720EI and S6720S-EI: 0 to 96000
  • Other device: 0 to 256

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When processing a large number of ARP packets with fixed IP addresses (for example, the ARP packets with the same source IP addresses but frequently changing MAC addresses or outbound interfaces), the CPU is overloaded and cannot process other services. To prevent this problem, limit the rate of ARP packets based on the source IP address.

After the arp speed-limit source-ip command is run, the device collects statistics on ARP packets based on the source IP address. If the number of ARP packets from a specified source IP address per second exceeds the threshold, the device discards the excess ARP packets.

Precautions

Limiting the rate of all ARP packets is not recommended. You are advised to find out the attack source according to packet statistics, and then limit the rate of ARP packets from the specified source IP address.

When you confirm that the network is secure, set the rate limit to 0 to increase ARP learning speed. After the rate limit is set to 0, the device does not limit the ARP packet rate based on source IP addresses.

If the source IP address is not specified, the rate of ARP packets from each IP address is limited. If the rate of ARP packets from each source MAC address is also set using the arp speed-limit source-mac command and the two rates are the same, both commands take effect; for ARP packets from a fixed source, the device enforces the maximum rate set by the arp speed-limit source-mac command.

When the optimized ARP reply function is enabled (see the arp optimized-reply disable command), rate limiting on ARP packets based on the source IP address does not take effect.
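The per-source limiting described for arp speed-limit source-mac and arp speed-limit source-ip, modelled in Python as an added example (this is not Huawei code and does not reflect the switch's internal implementation). It keeps one-second counters keyed on source MAC and on source IP, supports a wildcard limit plus per-address overrides, treats 0 as "not limited" as the command defaults do, and, as an assumption of this model, drops a packet when either counter would exceed its limit. The traffic is constructed: one host with a fixed MAC rotating through source IPs (the pattern the source-MAC limit targets) and one host re-announcing a single IP at high rate (the pattern the source-IP limit targets).

```python
from collections import defaultdict


class ArpSourceRateLimiter:
    """Per-second ARP packet limits keyed on source MAC and source IP.

    mac_limits / ip_limits map a specific address to its pps limit; the key None
    holds the wildcard limit applied to every other address. A limit of 0 means
    "not limited". A packet is dropped if either its source-MAC or its source-IP
    counter has already reached the applicable limit in the current second
    (assumption: this is how "both commands take effect" is modelled here).
    """

    def __init__(self, mac_limits: dict, ip_limits: dict):
        self.mac_limits = mac_limits
        self.ip_limits = ip_limits
        self.mac_count = defaultdict(int)
        self.ip_count = defaultdict(int)
        self.current_second = None

    @staticmethod
    def _limit(table: dict, key) -> int:
        """Specific entry if present, otherwise the wildcard (None) entry, otherwise 0."""
        return table.get(key, table.get(None, 0))

    def accept(self, timestamp: float, src_mac: str, src_ip: str) -> bool:
        second = int(timestamp)
        if second != self.current_second:   # new one-second window: reset all counters
            self.current_second = second
            self.mac_count.clear()
            self.ip_count.clear()
        mac_max = self._limit(self.mac_limits, src_mac)
        ip_max = self._limit(self.ip_limits, src_ip)
        if mac_max and self.mac_count[src_mac] >= mac_max:
            return False
        if ip_max and self.ip_count[src_ip] >= ip_max:
            return False
        self.mac_count[src_mac] += 1
        self.ip_count[src_ip] += 1
        return True


def replay(limiter: ArpSourceRateLimiter, packets) -> tuple:
    """Feed (timestamp, src_mac, src_ip) tuples in order; return (accepted, dropped)."""
    accepted = sum(1 for t, mac, ip in packets if limiter.accept(t, mac, ip))
    return accepted, len(packets) - accepted


# Constructed traffic, all inside the first second (not a capture).
SCAN = [(0.001 * i, "00-00-00-00-00-01", f"10.0.0.{i % 200 + 1}") for i in range(400)]
FLAP = [(0.002 * i, "00-00-00-00-00-02", "10.0.0.250") for i in range(100)]


def scan_result() -> tuple:
    """Only the identified scanner MAC is limited (50 pps); wildcard source-IP limit is 30."""
    lim = ArpSourceRateLimiter({None: 0, "00-00-00-00-00-01": 50}, {None: 30})
    return replay(lim, SCAN)


def flap_result() -> tuple:
    """No source-MAC limit; the default 30 pps per source IP applies."""
    lim = ArpSourceRateLimiter({None: 0}, {None: 30})
    return replay(lim, FLAP)


if __name__ == "__main__":
    print("scanner (accepted, dropped):", scan_result())
    print("flapping host (accepted, dropped):", flap_result())
```

In the scan case each of the 200 rotating IPs appears only twice, so the source-IP limit never triggers; it is the source-MAC limit that catches the attack, which is why the command text suggests identifying the source first rather than limiting all ARP packets.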

Example

# Set the maximum rate of ARP packets from a source IP address to 100 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-ip maximum 100

# Set the maximum rate of ARP packets from a specified IP address 10.0.0.1 to 50 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-ip 10.0.0.1 maximum 50

arp validate(interface view)

Function

The arp validate command enables MAC address consistency check in an ARP packet on an interface. This function compares the source and destination MAC addresses in ARP packets with those in the Ethernet frame header.

The undo arp validate command disables MAC address consistency check in an ARP packet on an interface.

By default, MAC address consistency check in an ARP packet is disabled.

Format

arp validate { source-mac | destination-mac } *

undo arp validate { source-mac | destination-mac } *

Parameters

Parameter Description Value
source-mac Indicates that the device compares the source MAC address in a received ARP packet with that in the Ethernet frame header. -
destination-mac Indicates that the device compares the destination MAC address in a received ARP packet with that in the Ethernet frame header. -

Views

Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, MultiGE interface view, port group view, Eth-Trunk interface view, VE interface view

Default Level

2: Configuration level

Usage Guidelines

The MAC address consistency check function for ARP packets prevents attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header. This function is usually configured on gateways.

After the arp validate command is run, the gateway checks MAC address consistency in an ARP packet before ARP learning. If a checked MAC address in the ARP payload differs from the corresponding address in the Ethernet frame header, the device discards the packet as an attack packet; only packets that pass the check are used for ARP learning.

When using this command, note the following points:
  • If source-mac is specified:
    • When receiving an ARP Request packet, the device checks only the source MAC address consistency.
    • When receiving an ARP Reply packet, the device checks only the source MAC address consistency.
  • If destination-mac is specified:
    • When receiving an ARP Request packet, the device does not check the destination MAC address consistency because the ARP Request packet is broadcast.

    • When receiving an ARP Reply packet, the device checks the destination MAC address consistency.
  • If source-mac and destination-mac are specified:
    • When receiving an ARP Request packet, the device checks only the source MAC address consistency.
    • When receiving an ARP Reply packet, the device checks the source and destination MAC address consistency.
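The rules listed above, implemented in Python as an added example (this is not Huawei code and does not reflect the switch's internal implementation): a minimal Ethernet/ARP parser that applies the source-mac and destination-mac checks to raw frames, including the request/reply distinction. The MAC and IP addresses and the sample frames are constructed for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def parse_arp_frame(frame: bytes) -> dict:
    """Split an Ethernet II + ARP (RFC 826) frame into the fields the check needs."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": frame[22:28], "spa": frame[28:32],   # sender hardware / protocol address
            "tha": frame[32:38], "tpa": frame[38:42]}   # target hardware / protocol address


def arp_validate(frame: bytes, source_mac: bool, destination_mac: bool) -> tuple:
    """Return (accepted, reason) following the rules in the command text:
    - source-mac: ARP sender MAC must equal the Ethernet source MAC (requests and replies);
    - destination-mac: ARP target MAC must equal the Ethernet destination MAC, checked on
      replies only, because a request is broadcast and carries no meaningful target MAC.
    """
    p = parse_arp_frame(frame)
    if source_mac and p["sha"] != p["eth_src"]:
        return False, "sender MAC in ARP payload differs from Ethernet source MAC"
    if destination_mac and p["oper"] == ARP_REPLY and p["tha"] != p["eth_dst"]:
        return False, "target MAC in ARP reply differs from Ethernet destination MAC"
    return True, "consistent"


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Construct a test frame from raw byte fields."""
    return (eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + sha + spa + tha + tpa)


# Constructed addresses and frames (not captured traffic).
GW_MAC = bytes.fromhex("0011223344aa")
HOST_MAC = bytes.fromhex("0011223344bb")
ATTACKER_MAC = bytes.fromhex("0011223344cc")
GW_IP, HOST_IP = bytes([10, 10, 10, 1]), bytes([10, 10, 10, 20])

LEGIT_REPLY = build_arp(HOST_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP)
# The attacker's NIC sends the frame, but the ARP payload claims the gateway's MAC.
SPOOFED_REPLY = build_arp(HOST_MAC, ATTACKER_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP)
# Reply whose payload target MAC does not match the frame's destination.
MISDIRECTED_REPLY = build_arp(HOST_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, ATTACKER_MAC, HOST_IP)
# Broadcast request: destination MAC is ff:ff:..., target MAC is zero; must still pass.
BROADCAST_REQUEST = build_arp(BROADCAST, HOST_MAC, ARP_REQUEST, HOST_MAC, HOST_IP, b"\x00" * 6, GW_IP)

if __name__ == "__main__":
    for name, frame in [("legit reply", LEGIT_REPLY), ("spoofed reply", SPOOFED_REPLY),
                        ("misdirected reply", MISDIRECTED_REPLY), ("broadcast request", BROADCAST_REQUEST)]:
        print(f"{name:18s} {arp_validate(frame, True, True)}")
```

Note what the check does and does not cover: it catches frames whose ARP payload and Ethernet header disagree, but an attacker who sets both fields to the gateway's MAC (after spoofing the frame source too) passes it. That case is what arp trust source, DAI, and strict ARP learning on the gateway address.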

Example

# Enable MAC address consistency check in an ARP packet on Layer 2 interface GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp validate source-mac destination-mac
# Enable MAC address consistency check in an ARP packet on Layer 3 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp validate source-mac destination-mac

arp-fake expire-time

Function

The arp-fake expire-time command sets the aging time of temporary ARP entries.

The undo arp-fake expire-time command restores the default aging time of temporary ARP entries.

By default, the aging time of temporary ARP entries is 3 seconds.

Format

arp-fake expire-time expire-time

undo arp-fake expire-time

Parameters

Parameter Description Value
expire-time Specifies the aging time of temporary ARP entries. The value is an integer that ranges from 1 to 36000, in seconds.

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, VLANIF interface view, VBDIF interface view, VE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network.
  • In the aging time of temporary ARP entries:
    • Before receiving an ARP reply packet, the device discards the IP packets matching the temporary ARP entry and does not generate ARP Miss messages.
    • After receiving an ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • When temporary ARP entries age out, the device clears them. If no ARP entry matches the IP packets the device forwards, ARP Miss messages and temporary ARP entries are generated again and again.

When a device undergoes an ARP Miss attack, you can run the arp-fake expire-time command to extend the aging time of temporary ARP entries to reduce the frequency of triggering ARP Miss messages and minimize the impact on the device.
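The effect of the temporary-entry aging time on ARP Miss frequency, simulated in Python as an added example (this is not Huawei code and does not reflect the switch's internal implementation). The function replays a constructed stream of IP packets against the rules listed above: a packet to an unresolved destination raises an ARP Miss and creates a temporary entry, later packets are dropped without a new ARP Miss while that entry lives, and a reply converts the entry into a real one. The packet streams, reply delay and addresses are made up for the example.

```python
def simulate_arp_miss(packets, expire_time: float, reply_delay: dict = None) -> dict:
    """Replay (timestamp, dst_ip) IP packets through the ARP Miss / temporary-entry logic.

    reply_delay maps a destination to the delay after the first ARP Request at which its
    ARP Reply arrives; destinations absent from it never answer (the ARP Miss attack case).
    Returns counts of ARP Miss messages, dropped packets and forwarded packets.
    """
    reply_delay = reply_delay or {}
    resolved = set()    # destinations with a real ARP entry
    temp_expiry = {}    # destination -> time its temporary entry ages out
    reply_due = {}      # destination -> time its ARP Reply will arrive
    misses = dropped = forwarded = 0
    for t, dst in sorted(packets):
        if dst in reply_due and reply_due[dst] <= t:   # reply arrived: real entry replaces temp
            resolved.add(dst)
            temp_expiry.pop(dst, None)
            reply_due.pop(dst)
        if dst in resolved:
            forwarded += 1
            continue
        if dst in temp_expiry and t < temp_expiry[dst]:
            dropped += 1    # temporary entry still valid: drop silently, no ARP Miss
            continue
        misses += 1         # ARP Miss: new temporary entry, ARP Request sent, packet dropped
        dropped += 1
        temp_expiry[dst] = t + expire_time
        if dst in reply_delay and dst not in reply_due:
            reply_due[dst] = t + reply_delay[dst]
    return {"arp_miss": misses, "dropped": dropped, "forwarded": forwarded}


# Constructed streams (not captures): 10 packets per second for 30 seconds.
FLOOD = [(i / 10, "10.0.0.99") for i in range(300)]   # destination that never answers
NORMAL = [(i / 10, "10.0.0.20") for i in range(300)]  # real host, answers after 0.5 s


def flood_result(expire_time: float) -> dict:
    """ARP Miss attack against an unreachable address with a given arp-fake expire-time."""
    return simulate_arp_miss(FLOOD, expire_time)


def normal_result() -> dict:
    """A reachable host: one ARP Miss, then the real entry takes over."""
    return simulate_arp_miss(NORMAL, 3, {"10.0.0.20": 0.5})


if __name__ == "__main__":
    print("expire-time 3 s :", flood_result(3))
    print("expire-time 10 s:", flood_result(10))
    print("reachable host  :", normal_result())
```

For the unreachable destination the number of ARP Miss messages over 30 seconds drops from 10 with the default 3-second aging time to 3 with 10 seconds, while the dropped-packet count is unchanged, which is the trade-off the command makes. An attacker spreading traffic over many unreachable destinations gets one temporary entry per destination, so the aging time bounds the ARP Miss rate per destination, not in total.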

Example

# Set the aging time of temporary ARP entries to 10 seconds on VLANIF10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-fake expire-time 10
# Set the aging time of temporary ARP entries to 10 seconds on Layer 3 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-fake expire-time 10

arp-limit

Function

The arp-limit command sets the maximum number of ARP entries that an interface can dynamically learn.

The undo arp-limit command removes the configured maximum number of ARP entries that an interface can dynamically learn, restoring the default.

By default, the maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.

Format

VLANIF interface, VBDIF interface, VE sub-interface, Layer 3 interface, and Ethernet sub-interface:

arp-limit maximum maximum

undo arp-limit

VE sub-interface, Layer 2 interface and port group:

arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

undo arp-limit vlan vlan-id1 [ to vlan-id2 ]

NOTE:

Only the S5720EI, S5720HI and S6720EI/S6720S-EI support Layer 3 interfaces and sub-interfaces.

Only the S5720HI supports VE sub-interfaces.

Parameters

Parameter Description Value
vlan vlan-id1 [ to vlan-id2 ] Specifies the VLAN or VLANs for which the maximum number of ARP entries the interface can dynamically learn is limited. vlan-id1 specifies the first VLAN ID; to vlan-id2 specifies the last VLAN ID and must be larger than vlan-id1. If to vlan-id2 is not specified, the limit applies to ARP entries learned from VLAN vlan-id1 only; if it is specified, the limit applies separately to each VLAN from vlan-id1 to vlan-id2. The values of vlan-id1 and vlan-id2 are integers that range from 1 to 4094.
maximum maximum Specifies the maximum number of ARP entries that an interface can dynamically learn. The value is an integer that ranges as follows:
  • S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S2720EI, S5720LI and S5720S-LI: from 1 to 2048
  • S5720SI and S5720S-SI: from 1 to 4096
  • S5720EI: from 1 to 16384
  • S5720HI: from 1 to 61440
  • S5730SI, S5730S-EI, S6720SI and S6720S-SI: from 1 to 20000
  • S1720X, S1720X-E, S6720LI, and S6720S-LI: from 1 to 8192
  • S6720EI and S6720S-EI: from 1 to 96000
  • Other devices: from 1 to 256

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent ARP entries from being exhausted by ARP attacks from a host connecting to an interface on the device, set the maximum number of ARP entries that the interface can dynamically learn. When the number of the ARP entries learned by a specified interface reaches the maximum number, no dynamic ARP entry can be added.

Precautions

If the maximum is set to a value lower than the number of ARP entries the interface has already learned, the device neither learns new ARP entries nor clears the entries already learned. The excess entries must be deleted manually (for example, with the reset arp command).

If the arp-limit vlan vlan-id1 to vlan-id2 maximum maximum command is run more than once, the following situations are available:
  • If maximum maximum is the same in multiple command instances, all configurations take effect. For example, if the arp-limit vlan 10 to 30 maximum 200 command and then the arp-limit vlan 35 to 40 maximum 200 command are run, both configurations take effect. If the VLAN ranges specified in multiple command instances are overlapping, the system automatically merges the VLAN ranges. For example, if the arp-limit vlan 50 to 80 maximum 200 command and then the arp-limit vlan 70 to 100 maximum 200 command are run, both configurations take effect, and the system merges the configurations into arp-limit vlan 50 to 100 maximum 200.
  • If maximum maximum is different in multiple command instances, the latest configuration overrides the previous one for the same VLAN range. For example, if the arp-limit vlan 10 to 30 maximum 200 command and then the arp-limit vlan 15 to 25 maximum 300 command are run, the system automatically divides the configurations into arp-limit vlan 10 to 14 maximum 200, arp-limit vlan 15 to 25 maximum 300, and arp-limit vlan 26 to 30 maximum 200.
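
The merge and split rules above, as an added example that is not Huawei's code: a small model that applies successive arp-limit vlan commands to one interface and normalizes the result exactly as the two examples describe. The function names and the tuple layout are assumptions of this model.

```python
"""Model of how repeated arp-limit vlan ... maximum ... commands are merged
(same maximum) or split (different maximum).  Added example, not the switch's
implementation."""

from typing import List, Tuple

# One configured range: (first VLAN, last VLAN, maximum), bounds inclusive.
Entry = Tuple[int, int, int]

VLAN_MIN, VLAN_MAX = 1, 4094


def apply_arp_limit(config: List[Entry], low: int, high: int,
                    maximum: int) -> List[Entry]:
    """Apply `arp-limit vlan <low> to <high> maximum <maximum>` to an
    existing per-interface configuration and return the normalized result."""
    if not (VLAN_MIN <= low <= high <= VLAN_MAX):
        raise ValueError("VLAN range out of bounds")
    if maximum < 1:
        raise ValueError("maximum must be at least 1")
    result: List[Entry] = []
    for lo, hi, mx in config:
        if hi < low or lo > high:
            result.append((lo, hi, mx))       # no overlap: keep unchanged
            continue
        # Overlap: the newer command wins for the overlapping VLANs, and the
        # older entry is cut down to whatever lies outside the new range.
        if lo < low:
            result.append((lo, low - 1, mx))
        if hi > high:
            result.append((high + 1, hi, mx))
    result.append((low, high, maximum))
    return normalize(result)


def normalize(entries: List[Entry]) -> List[Entry]:
    """Sort, then merge adjacent or overlapping ranges with the same maximum."""
    merged: List[Entry] = []
    for lo, hi, mx in sorted(entries):
        if merged and merged[-1][2] == mx and lo <= merged[-1][1] + 1:
            plo, phi, _ = merged[-1]
            merged[-1] = (plo, max(phi, hi), mx)
        else:
            merged.append((lo, hi, mx))
    return merged


def render(config: List[Entry]) -> List[str]:
    """Render the ranges as the command lines the configuration would show."""
    lines = []
    for lo, hi, mx in config:
        vlan = str(lo) if lo == hi else f"{lo} to {hi}"
        lines.append(f"arp-limit vlan {vlan} maximum {mx}")
    return lines


if __name__ == "__main__":
    cfg = apply_arp_limit([], 10, 30, 200)
    cfg = apply_arp_limit(cfg, 15, 25, 300)
    print("\n".join(render(cfg)))
```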

Example

# Configure that VLANIF 10 can dynamically learn a maximum of 20 ARP entries.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-limit maximum 20
# Configure that Layer 3 interface GE0/0/1 can dynamically learn a maximum of 20 ARP entries.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-limit maximum 20
# Configure that Layer 2 interface GE0/0/1 can dynamically learn a maximum of 20 ARP entries corresponding to VLAN 10.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20

arp-miss anti-attack rate-limit

Function

The arp-miss anti-attack rate-limit command sets the maximum rate and rate limiting duration of ARP Miss messages globally, in a VLAN, or on an interface.

The undo arp-miss anti-attack rate-limit command restores the default maximum rate and rate limiting duration of ARP Miss messages globally, in a VLAN, or on an interface.

By default, the device can process a maximum of 100 ARP Miss messages per second.

NOTE:

Only the S5720EI, S5720HI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Format

arp-miss anti-attack rate-limit packet packet-number [ interval interval-value ]

undo arp-miss anti-attack rate-limit

Parameters

Parameter

Description

Value

packet packet-number

Specifies the maximum rate of ARP Miss messages, that is, the number of ARP Miss messages the device processes in the rate limiting duration.

The value is an integer that ranges from 1 to 16384. The default value is 100.

interval interval-value

Specifies the rate limiting duration of ARP Miss messages.

The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP Miss messages is enabled, you can set maximum rate and rate limiting duration of ARP Miss messages globally, in a VLAN, or on an interface. If the number of ARP Miss messages triggered by IP packets in the rate limiting duration exceeds the limit, the device does not process the excess ARP Miss packets and discards the IP packets triggering the excess ARP Miss messages.

Prerequisites

Rate limit on ARP Miss messages has been enabled globally, in a VLAN, or on an interface using the arp-miss anti-attack rate-limit enable command.

Precautions

If rate limit on ARP Miss messages is configured in the system view, VLAN view, and interface view, the interface-view configuration takes precedence, followed by the VLAN-view configuration and then the system-view configuration.
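
The precedence rule and the per-interval counter, as an added example that is not Huawei's code: a model that resolves which rate limit applies to an ARP Miss message arriving on a given interface and VLAN, then counts messages within the rate limiting duration. It assumes rate limiting is enabled wherever a limit is configured; the class and method names are the model's own.

```python
"""Model of ARP Miss rate limiting: interface view > VLAN view > system view,
with the documented default of 100 messages per 1 second.  Added example, not
the switch's implementation."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_PACKET, DEFAULT_INTERVAL = 100, 1   # documented defaults


@dataclass(frozen=True)
class RateLimit:
    packet: int     # packet-number: 1..16384 ARP Miss messages per interval
    interval: int   # interval-value: 1..86400 seconds

    def __post_init__(self) -> None:
        if not (1 <= self.packet <= 16384 and 1 <= self.interval <= 86400):
            raise ValueError("rate limit out of the documented range")


@dataclass
class ArpMissRateLimiter:
    system: Optional[RateLimit] = None
    vlan: Dict[int, RateLimit] = field(default_factory=dict)
    interface: Dict[str, RateLimit] = field(default_factory=dict)
    # scope key -> (second the current window started, messages seen in it)
    windows: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def effective(self, iface: str, vlan_id: int) -> Tuple[str, RateLimit]:
        """Return the scope whose configuration applies and its limit."""
        if iface in self.interface:
            return f"interface {iface}", self.interface[iface]
        if vlan_id in self.vlan:
            return f"vlan {vlan_id}", self.vlan[vlan_id]
        if self.system is not None:
            return "system", self.system
        return "default", RateLimit(DEFAULT_PACKET, DEFAULT_INTERVAL)

    def handle(self, iface: str, vlan_id: int, now: int) -> bool:
        """One ARP Miss message at integer second `now`.  True means the
        message (and the IP packet that triggered it) is processed; False
        means both are discarded as excess for this interval."""
        scope, limit = self.effective(iface, vlan_id)
        start, count = self.windows.get(scope, (now, 0))
        if now - start >= limit.interval:    # interval elapsed: new window
            start, count = now, 0
        count += 1
        self.windows[scope] = (start, count)
        return count <= limit.packet
```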

Example

# Configure the device to process a maximum of 200 ARP Miss messages triggered by IP packets from Layer 2 interface GE0/0/1 in 10 seconds.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit packet 200 interval 10
# Configure the device to process a maximum of 200 ARP Miss messages triggered by IP packets from Layer 3 interface GE0/0/1 in 10 seconds.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit packet 200 interval 10

arp-miss anti-attack rate-limit alarm enable

Function

The arp-miss anti-attack rate-limit alarm enable command enables the alarm function for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.

The undo arp-miss anti-attack rate-limit alarm enable command disables the alarm function for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.

By default, the alarm function is disabled.

NOTE:

Only the S5720EI, S5720HI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Format

arp-miss anti-attack rate-limit alarm enable

undo arp-miss anti-attack rate-limit alarm enable

Parameters

None

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP Miss messages is enabled, run the arp-miss anti-attack rate-limit alarm enable command if you want the device to generate alarms that notify the network administrator of a large number of discarded excess ARP Miss messages. When the number of discarded ARP Miss packets exceeds the alarm threshold, the device generates an alarm.

You can set the alarm threshold using the arp-miss anti-attack rate-limit alarm threshold command.

Prerequisites

Rate limit on ARP Miss messages has been enabled using the arp-miss anti-attack rate-limit enable command.

Example

# Enable the alarm function for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit on Layer 2 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm enable
# Enable the alarm function for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit on Layer 3 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm enable

arp-miss anti-attack rate-limit alarm threshold

Function

The arp-miss anti-attack rate-limit alarm threshold command sets the alarm threshold for ARP Miss messages discarded when the rate of ARP Miss packets exceeds the limit.

The undo arp-miss anti-attack rate-limit alarm threshold command restores the default alarm threshold.

By default, the alarm threshold for ARP Miss packets discarded is 100.

NOTE:

Only the S5720EI, S5720HI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Format

arp-miss anti-attack rate-limit alarm threshold threshold

undo arp-miss anti-attack rate-limit alarm threshold

Parameters

Parameter

Description

Value

threshold

Specifies the alarm threshold for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.

The value is an integer that ranges from 1 to 16384, in pps.

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use the arp-miss anti-attack rate-limit alarm threshold command to set the alarm threshold. When the number of discarded ARP Miss packets exceeds the alarm threshold, the device generates an alarm.

Prerequisites

Rate limit on ARP Miss messages has been enabled using the arp-miss anti-attack rate-limit enable command, and the alarm function has been enabled using the arp-miss anti-attack rate-limit alarm enable command.

Example

# Enable rate limit on ARP Miss messages globally, enable the alarm function, and set the alarm threshold to 200.

<HUAWEI> system-view
[HUAWEI] arp-miss anti-attack rate-limit enable
[HUAWEI] arp-miss anti-attack rate-limit alarm enable
[HUAWEI] arp-miss anti-attack rate-limit alarm threshold 200

# Enable rate limit on ARP Miss messages on Layer 2 interface GE0/0/1, enable the alarm function, and set the alarm threshold to 200.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm threshold 200
# Enable rate limit on ARP Miss messages on Layer 3 interface GE0/0/1, enable the alarm function, and set the alarm threshold to 200.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm threshold 200

arp-miss anti-attack rate-limit enable

Function

The arp-miss anti-attack rate-limit enable command enables rate limit on ARP Miss messages globally, in a VLAN, or on an interface.

The undo arp-miss anti-attack rate-limit enable command disables rate limit on ARP Miss messages globally, in a VLAN, or on an interface.

By default, rate limit on ARP Miss messages is disabled globally, in a VLAN, or on an interface.

NOTE:

Only the S5720EI, S5720HI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Format

arp-miss anti-attack rate-limit enable

undo arp-miss anti-attack rate-limit enable

Parameters

None

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device, that is, if the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route, the device triggers a large number of ARP Miss messages. IP packets triggering ARP Miss messages are sent to the CPU for processing. The device generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming a large number of CPU and bandwidth resources.

To avoid the preceding problems, configure rate limit on ARP Miss messages globally, in a VLAN, or on an interface. The device collects statistics on ARP Miss messages. If the number of ARP Miss messages generated within the rate limiting duration exceeds the threshold (the maximum number of ARP Miss messages), the gateway discards the IP packets triggering the excess ARP Miss messages.

Follow-up Procedure

Run the arp-miss anti-attack rate-limit command to set the maximum rate and rate limiting duration of ARP Miss messages.

Example

# Enable rate limit on ARP Miss messages on Layer 2 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
# Enable rate limit on ARP Miss messages on Layer 3 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable

arp-miss speed-limit source-ip

Function

The arp-miss speed-limit source-ip command sets the maximum number of ARP Miss messages based on source IP addresses and specifies the mode for processing ARP Miss packets.

The undo arp-miss speed-limit source-ip command restores the default setting.

By default, the device processes a maximum of 30 ARP Miss messages triggered by IP packets from the same source IP address per second.

If the number of ARP Miss messages triggered by IP packets from the same source IP address per second exceeds the limit, the device discards the excess ARP Miss messages, that is, the device discards the excess ARP Miss packets. The device then uses the block mode to discard all ARP Miss packets from the source IP address within 5 minutes by default.

NOTE:

Only the S5720EI, S5720HI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Format

arp-miss speed-limit source-ip ip-address [ mask mask ] maximum maximum [ none-block | block timer timer ] (The S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI do not support [ none-block | block timer timer ].)

arp-miss speed-limit source-ip maximum maximum

undo arp-miss speed-limit source-ip [ ip-address [ mask mask ] ]

Parameters

Parameter

Description

Value
ip-address

Specifies the source IP address. If this parameter is specified, the maximum number of ARP Miss messages triggered by packets from this IP address is limited.

If this parameter is not specified, the maximum number of ARP Miss messages triggered by packets from each IP address is limited.

The value is in dotted decimal notation.
mask mask

Specifies the mask of the IP address. If this parameter is specified, the maximum number of ARP Miss messages triggered by packets from IP addresses in the network segment is limited.

The value is an integer that ranges from 1 to 32.
maximum maximum

Specifies the maximum number of ARP Miss messages based on the source IP address.

NOTE:

If the maximum number of ARP Miss messages triggered by packets from each IP address is limited, a large value is recommended for this parameter, because a small value may cause valid packets to be discarded. However, an excessively large value degrades system performance.

If an IP address initiates attacks, you can set the maximum number of ARP Miss messages triggered by packets from this IP address to a small value.

The value is an integer that ranges as follows:
  • S5720SI and S5720S-SI: from 0 to 4096
  • S5720EI: from 0 to 16384
  • S5720HI: from 0 to 61440
  • S6720LI and S6720S-LI: from 0 to 8192
  • S5730SI, S5730S-EI, S6720SI and S6720S-SI: from 0 to 20000
  • S6720EI and S6720S-EI: from 0 to 96000
If the value is 0, the maximum number of ARP Miss messages is not limited based on the source IP address.
none-block

Indicates that ARP Miss packets are processed in none-block mode. If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the CPU of the device discards the excess ARP Miss messages, that is, the CPU discards the excess ARP Miss packets.

-
block timer timer

Indicates that ARP Miss packets are processed in block mode. If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the device discards the excess ARP Miss messages and delivers an ACL to enable the chip to discard all packets that are sent from this source IP address within the period specified by timer. When the period specified by timer expires, the ACL ages out and the chip does not discard ARP Miss packets from the source IP address and sends them to the CPU for processing.

The value ranges from 5 to 864000, in seconds. The default value is 5 minutes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the device considers that an attack is initiated from the source IP address. If the ARP Miss message processing mode is set to block, the device discards excess ARP Miss packets from this source IP address and delivers an ACL to discard all subsequent packets sent from this source IP address. If the ARP Miss message processing mode is set to none-block, the device only discards excess ARP Miss packets.

The administrator can use the arp-miss speed-limit source-ip command to set the maximum number of ARP Miss packets and specify the mode for processing ARP Miss packets based on the actual network environment.

The administrator can use the arp-miss speed-limit source-ip command to set the maximum number of ARP Miss messages that the device processes from a source IP address within the specified duration, which protects system resources and keeps other services running properly.

Precautions

You can set the maximum number of ARP Miss messages for a maximum of 512 IP addresses.

If the ARP Miss packet processing mode is set to none-block, the device discards the ARP Miss packets triggering excess ARP Miss messages to reduce the CPU load. The none-block action can still cause high CPU usage, whereas the block action consumes ACL resources. The default ARP Miss packet processing mode is recommended.

When the maximum number of ARP Miss messages based on source IP addresses is set without specifying the ARP Miss packet processing mode, the device uses the default processing mode, block.

When the maximum number of ARP Miss packets exceeds the limit, the delivered ACL discards only the ARP Miss packets from the source IP address. Other packets can still be sent to the CPU.

A maximum of 16 ACLs can be delivered to the chip to discard ARP Miss packets from a specified IP address or network segment. If all 16 ACLs have been delivered and none of them has aged out, and the number of ARP Miss packets from another IP address or network segment per second exceeds the limit, the device does not deliver an ACL for that source; the CPU discards the excess ARP Miss packets instead.

NOTE:

The S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI cannot deliver ACLs to discard ARP Miss packets.
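
The per-source-IP speed limit, its block and none-block actions, the 16-ACL cap and the record table kept for display arp anti-attack arpmiss-record-info, as one added example that is not Huawei's code. Time is an integer second counter so the model runs offline; the class, method and field names are the model's own, and it follows only the documented behaviour (the ACL, per the Precautions, drops only ARP Miss packets from the offending source).

```python
"""Model of arp-miss speed-limit source-ip.  Added example, not the switch's
implementation; constants are the values documented on this page."""

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_BLOCK_ACLS = 16        # at most 16 blocking ACLs can be delivered
MAX_RECORDS = 256          # at most 256 arp-miss records are kept
MAX_RULES = 512            # at most 512 IP addresses can be configured
DEFAULT_MAXIMUM = 30       # ARP Miss messages per second per source IP
DEFAULT_BLOCK_TIMER = 300  # seconds, i.e. the documented 5-minute default


@dataclass
class Record:
    ip: str
    attack_time: int   # first time the limit was exceeded
    block_time: int    # last time an ARP Miss from this IP was discarded
    aging_time: int    # block timer in seconds; 0 in none-block mode


@dataclass
class ArpMissSpeedLimiter:
    maximum: int = DEFAULT_MAXIMUM      # 0 disables the per-source limit
    block: bool = True                  # block (default) or none-block
    block_timer: int = DEFAULT_BLOCK_TIMER
    rules: Dict[ipaddress.IPv4Network, int] = field(default_factory=dict)
    counts: Dict[Tuple[str, int], int] = field(default_factory=dict)
    acl_expiry: Dict[str, int] = field(default_factory=dict)
    records: List[Record] = field(default_factory=list)

    def add_rule(self, ip: str, maximum: int, mask: int = 32) -> None:
        """arp-miss speed-limit source-ip <ip> [ mask <mask> ] maximum <n>"""
        if len(self.rules) >= MAX_RULES:
            raise ValueError("at most 512 IP addresses can be configured")
        self.rules[ipaddress.ip_network(f"{ip}/{mask}", strict=False)] = maximum

    def limit_for(self, ip: str) -> int:
        """The most specific matching rule wins, else the global maximum."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, limit in self.rules.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, limit)
        return best[1] if best else self.maximum

    def handle_arp_miss(self, ip: str, now: int) -> str:
        """One ARP Miss triggered by an IP packet from `ip` at second `now`.
        Returns "process", "cpu-drop" (excess, dropped by the CPU) or
        "acl-drop" (dropped by the chip before it reaches the CPU)."""
        for blocked, expiry in list(self.acl_expiry.items()):
            if now >= expiry:                # the blocking ACL has aged out
                del self.acl_expiry[blocked]
        if ip in self.acl_expiry:
            self._record(ip, now)
            return "acl-drop"
        limit = self.limit_for(ip)
        self.counts = {k: v for k, v in self.counts.items() if k[1] >= now}
        key = (ip, now)
        self.counts[key] = self.counts.get(key, 0) + 1
        if limit == 0 or self.counts[key] <= limit:
            return "process"
        self._record(ip, now)
        # Block mode installs an ACL only while one of the 16 slots is free;
        # otherwise the CPU keeps dropping the excess itself.
        if self.block and len(self.acl_expiry) < MAX_BLOCK_ACLS:
            self.acl_expiry[ip] = now + self.block_timer
        return "cpu-drop"

    def _record(self, ip: str, now: int) -> None:
        """Keep the record table the way the display command documents it."""
        block_time = now if self.block else 0
        for rec in self.records:
            if rec.ip == ip:                 # known source: refresh block time
                rec.block_time = block_time
                return
        if len(self.records) >= MAX_RECORDS:
            self.records.pop(0)              # table full: drop the first record
        aging = self.block_timer if self.block else 0
        self.records.append(Record(ip, now, block_time, aging))
```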

Example

# Set the maximum number of ARP Miss messages triggered by each source IP address per second to 60.

<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 60

# Set the maximum number of ARP Miss messages triggered by the IP address 10.0.0.1 per second to 100, and set the maximum number of ARP Miss messages triggered by other source IP addresses per second to 60.

<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 60
[HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 100

display arp anti-attack arpmiss-record-info

Function

The display arp anti-attack arpmiss-record-info command displays information recorded by the device when rate limit on ARP Miss messages is triggered.

NOTE:

Only the S5720EI, S5720HI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Format

display arp anti-attack arpmiss-record-info [ ip-address ]

Parameters

Parameter

Description

Value

ip-address

Displays only the records for the specified source IP address of discarded ARP Miss packets.

The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After rate limit on ARP Miss messages is triggered, the device discards excess ARP Miss messages. You can run this command to view information recorded by the device when rate limit on ARP Miss messages is triggered. The information helps locate and rectify faults.

The device can record a maximum of 256 records about rate limit on ARP Miss messages. If a new round of rate limit on ARP Miss messages is triggered when the number of records reaches 256, the device takes the following actions:
  1. If the source IP address of the attacker already exists in a record, the device updates the block time in the record using the discarding time of the new ARP Miss message.
  2. If the source IP address of the attacker does not exist in any record, the device deletes the first record and adds a new record for this attacker.

Example

# Display information recorded by the device when rate limit on ARP Miss messages is triggered.

<HUAWEI> display arp anti-attack arpmiss-record-info  
Interface    IP address      Attack time         Block time          Aging-time 
------------------------------------------------------------------------------- 
------------------------------------------------------------------------------- 
The number of record(s) in arp-miss table is 0                         
Table 14-37  Description of the display arp anti-attack arpmiss-record-info command output

Item

Description

Interface

Interface where ARP Miss packets are discarded.

IP address

Source IP address of discarded ARP Miss packets.

Attack time

First time when rate limit on ARP Miss messages is triggered, that is, time when the number of ARP Miss messages exceeds the limit.

Block time

Last time when the device discards the ARP Miss messages of the attacker.

Aging-time

Period during which the device discards ARP Miss packets.

If the ARP Miss packet processing mode is set to none-block, the values of Block time and Aging-time are both 0. If the ARP Miss packet processing mode is set to block, the value of Aging-time is configured by the arp-miss speed-limit source-ip command, and the default value is 5 seconds.

display arp anti-attack configuration check user-bind

Function

The display arp anti-attack configuration check user-bind command displays the configuration of DAI in a VLAN or on an interface.

Format

display arp anti-attack configuration check user-bind [ vlan [ vlan-id ] | interface [ interface-type interface-number ] ]

Parameters

Parameter

Description

Value

vlan [ vlan-id ]

Displays DAI configuration in the specified VLAN.

If vlan-id is not specified, the DAI configurations in all VLANs are displayed.

vlan-id is an integer that ranges from 1 to 4094.

interface [ interface-type interface-number ]

Displays the DAI configuration on the specified interface.
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

If interface-type interface-number is not specified, the DAI configurations on all interfaces are displayed.

If neither vlan [ vlan-id ] nor interface [ interface-type interface-number ] is specified, the DAI configurations in all VLANs and on all interfaces are displayed.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view the configuration of DAI in a VLAN or on an interface, including whether the function is enabled, check items, whether the alarm function is enabled for discarded ARP packets, and alarm threshold.

Output is displayed only after DAI and the alarm function have been enabled.

Example

# Display DAI configuration on GE0/0/1.

<HUAWEI> display arp anti-attack configuration check user-bind interface gigabitethernet 0/0/1
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 arp anti-attack check user-bind alarm threshold 50 
 arp anti-attack check user-bind check-item ip-address
# Display ARP check configurations in all VLANs and on all interfaces.
<HUAWEI> display arp anti-attack configuration check user-bind
#                                                                               
vlan 2                                                                         
 arp anti-attack check user-bind enable                                         
 arp anti-attack check user-bind check-item ip-address 
#                                                                               
vlan 3                                                                         
 arp anti-attack check user-bind enable                                         
#                                                                               
GigabitEthernet0/0/1                                                           
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 arp anti-attack check user-bind alarm threshold 50 
 arp anti-attack check user-bind check-item ip-address
#  
Table 14-38  Description of the display arp anti-attack configuration check user-bind command output

Item

Description

arp anti-attack check user-bind enable

DAI has been enabled.

You can run the arp anti-attack check user-bind enable command to enable DAI.

arp anti-attack check user-bind alarm enable

The alarm function for ARP packets discarded by DAI has been enabled.

You can run the arp anti-attack check user-bind alarm enable command to enable the alarm function.

arp anti-attack check user-bind alarm threshold 50

Alarm threshold of discarded ARP packets matching no binding entry.

You can run the arp anti-attack check user-bind alarm threshold command to set the alarm threshold.

arp anti-attack check user-bind check-item ip-address

Only the IP address is checked during ARP packet check based on binding entries.

You can run the arp anti-attack check user-bind check-item (interface view) command or arp anti-attack check user-bind check-item (VLAN view) command to specify the check item for ARP packet check based on binding entries.
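
The output format described in the table above, as an added example that is not Huawei's code: a parser that turns the display arp anti-attack configuration check user-bind output into per-scope settings and reports scopes where DAI discards packets without the alarm function, so silent drops can be spotted during an audit. The sample output is constructed from the example on this page; the function names are the example's own.

```python
"""Parser for `display arp anti-attack configuration check user-bind` output.
Added example, not Huawei code.  SAMPLE_OUTPUT is constructed from the
example shown on this page."""

from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
#
vlan 2
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind check-item ip-address
#
vlan 3
 arp anti-attack check user-bind enable
#
GigabitEthernet0/0/1
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 arp anti-attack check user-bind alarm threshold 50
 arp anti-attack check user-bind check-item ip-address
#
"""

PREFIX = "arp anti-attack check user-bind"


def parse_dai_config(output: str) -> Dict[str, dict]:
    """Return {scope: {"enabled", "alarm", "threshold", "check_items"}}.
    A scope is "vlan N" or an interface name, exactly as the switch prints it;
    each scope block is opened by its name and closed by a line holding "#"."""
    scopes: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in output.splitlines():
        line = raw.strip()           # the switch pads lines with spaces
        if not line or line == "#":
            current = None
            continue
        if not line.startswith(PREFIX):
            current = {"enabled": False, "alarm": False,
                       "threshold": None, "check_items": []}
            scopes[line] = current
            continue
        if current is None:
            raise ValueError(f"setting outside a scope block: {line}")
        rest = line[len(PREFIX):].strip()
        if rest == "enable":
            current["enabled"] = True
        elif rest == "alarm enable":
            current["alarm"] = True
        elif rest.startswith("alarm threshold "):
            current["threshold"] = int(rest.split()[-1])
        elif rest.startswith("check-item "):
            current["check_items"].extend(rest.split()[1:])
        else:
            raise ValueError(f"unrecognised setting: {line}")
    return scopes


def scopes_without_drop_alarm(scopes: Dict[str, dict]) -> List[str]:
    """Scopes where DAI discards ARP packets but no alarm would be raised."""
    return [name for name, cfg in scopes.items()
            if cfg["enabled"] and not cfg["alarm"]]


if __name__ == "__main__":
    parsed = parse_dai_config(SAMPLE_OUTPUT)
    for scope in scopes_without_drop_alarm(parsed):
        print(f"DAI enabled without drop alarm: {scope}")
```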

display arp anti-attack configuration

Function

The display arp anti-attack configuration command displays the ARP anti-attack configuration.

Format

display arp anti-attack configuration { arp-rate-limit | arp-speed-limit | entry-check | arpmiss-rate-limit | arpmiss-speed-limit | gateway-duplicate | log-trap-timer | packet-check | all } (Only the S5720EI, S5720HI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support arpmiss-rate-limit, arpmiss-speed-limit and gateway-duplicate.)

Parameters

Parameter

Description

Value

arp-rate-limit

Displays the configuration of rate limit on ARP packets globally, in a VLAN, or on an interface.

-

arp-speed-limit

Displays the configuration of rate limit on ARP packets based on the source IP address or source MAC address.

-

entry-check

Displays the ARP entry fixing mode.

-

arpmiss-rate-limit

Displays the configuration of rate limit on ARP Miss messages globally, in a VLAN, or on an interface.

-

arpmiss-speed-limit

Displays the configuration of rate limit on ARP Miss messages based on the source IP address.

-

gateway-duplicate

Displays whether gateway anti-collision is enabled.

-

log-trap-timer

Displays the interval for sending ARP alarms.

-

packet-check

Displays whether ARP packet validity check is enabled.

-

all

Displays all ARP anti-attack configurations.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After all ARP anti-attack functions are configured, you can run this command to check all configurations.

Example

# Display the configuration of rate limit on ARP packets based on the source IP address or source MAC address.
<HUAWEI> display arp anti-attack configuration arp-speed-limit
ARP speed-limit for source-MAC configuration:                                   
MAC-address         suppress-rate(pps)(rate=0 means function disabled)          
------------------------------------------------------------------------------- 
All                 0                                                           
------------------------------------------------------------------------------- 
The number of configured specified MAC address(es) is 0, spec is 512.          
                                                                                
ARP speed-limit for source-IP configuration:                                    
IP-address          suppress-rate(pps)(rate=0 means function disabled)          
------------------------------------------------------------------------------- 
10.1.1.1            100                                                         
Others              0                                                          
------------------------------------------------------------------------------- 
The number of configured specified IP address(es) is 1, spec is 512.           
# Display the configuration of rate limit on ARP Miss messages based on the source IP address.
<HUAWEI> display arp anti-attack configuration arpmiss-speed-limit
 ARP miss speed-limit for source-IP configuration:
 IP-address          suppress-rate(pps)(rate=0 means function disabled)
 ------------------------------------------------------------------------
 10.0.0.30/32        400
 Others              0 
 ------------------------------------------------------------------------
 The number of configured specified IP address(es) is 1, spec is 512.   
# Display the ARP entry fixing mode.
<HUAWEI> display arp anti-attack configuration entry-check
 ARP anti-attack entry-check mode:                                              
 Vlanif      Mode                                                               
------------------------------------------------------------------------------- 
 All         send-ack                                                           
------------------------------------------------------------------------------- 
# Display all ARP anti-attack configurations.
<HUAWEI> display arp anti-attack configuration all
ARP anti-attack packet-check configuration:
-------------------------------------------------------------------------------
Sender-MAC checking function: disable
Dst-MAC checking function: disable
IP checking function: disable
-------------------------------------------------------------------------------

ARP gateway-duplicate anti-attack function: disabled

ARP anti-attack log-trap-timer: 0 second(s)
(The log and trap timer of speed-limit, default is 0 and means disabled.)

ARP anti-attack entry-check mode:
Vlanif      Mode
-------------------------------------------------------------------------------
All         disabled
-------------------------------------------------------------------------------

ARP rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
  GigabitEthernet0/0/10 :
    arp anti-attack rate-limit enable
    arp anti-attack rate-limit packet 10 interval 1
VLAN configuration:
-------------------------------------------------------------------------------

ARP miss rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
VLAN configuration:
-------------------------------------------------------------------------------

ARP speed-limit for source-MAC configuration:
MAC-address         suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                 0
-------------------------------------------------------------------------------
The number of configured specified MAC address(es) is 0, spec is 512.

ARP speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                 0
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 0, spec is 512.

ARP miss speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                 500
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 0, spec is 512.
Table 14-39  Description of the display arp anti-attack configuration all command output

Item

Description

ARP anti-attack packet-check configuration

Whether ARP packet validity check is enabled.

  • Sender-mac checking function indicates that the source MAC address is checked.

  • Dst-mac checking function indicates that the destination MAC address is checked.

  • Ip checking function indicates that the IP address is checked.

You can run the arp anti-attack packet-check command to enable ARP packet validity check.

ARP gateway-duplicate anti-attack function

Whether ARP gateway anti-collision is enabled.

You can run the arp anti-attack gateway-duplicate enable command to enable ARP gateway anti-collision.

ARP anti-attack log-trap-timer

Interval for sending ARP alarms

You can run the arp anti-attack log-trap-timer command to set the interval for sending ARP alarms.

ARP anti-attack entry-check mode

ARP entry fixing mode. Vlanif specifies the interface to which the ARP entry fixing mode is applied. The modes include:
  • fixed-mac
  • fixed-all
  • send-ack
  • disabled

You can run the arp anti-attack entry-check enable command to set the ARP entry fixing mode.

ARP rate-limit configuration

Configuration of rate limit on ARP packets.

  • Global configuration indicates the global configuration of rate limit on ARP packets.

  • Interface configuration indicates the configuration of rate limit on ARP packets on an interface.

  • Vlan configuration indicates the configuration of rate limit on ARP packets in a VLAN.

You can run the arp anti-attack rate-limit command to configure rate limit on ARP packets.

ARP miss rate-limit configuration

Configuration of rate limit on ARP Miss messages.

  • Global configuration indicates the global configuration of rate limit on ARP Miss messages.

  • Interface configuration indicates the configuration of rate limit on ARP Miss messages on an interface.

  • Vlan configuration indicates the configuration of rate limit on ARP Miss messages in a VLAN.

You can run the arp-miss anti-attack rate-limit command to configure rate limit on ARP Miss messages.

ARP speed-limit for source-MAC configuration

Rate limit on ARP packets based on the source MAC address.

You can run the arp speed-limit source-mac command to configure rate limit on ARP packets based on the source MAC address.

ARP speed-limit for source-IP configuration

Rate limit on ARP packets based on the source IP address.

You can run the arp speed-limit source-ip command to configure rate limit on ARP packets based on the source IP address.

ARP miss speed-limit for source-IP configuration

Rate limit on ARP Miss messages based on source IP addresses.

You can run the arp-miss speed-limit source-ip command to configure rate limit on ARP Miss messages based on the source IP address.

The number of configured specified MAC address(es) is 0, spec is 512.

Number (0) of the configured source MAC addresses based on which the rate of ARP packets or ARP Miss messages is limited, and the maximum value (512) allowed.

The number of configured specified IP address(es) is 1, spec is 512.

Number (1) of the configured source IP addresses based on which the rate of ARP packets or ARP Miss messages is limited, and the maximum value (512) allowed.

MAC-address

Rate limit on ARP packets based on a specified MAC address.
  • ALL indicates all MAC addresses.
  • Others indicates other MAC addresses except for the specified MAC address.

IP-address

Rate limit on ARP packets and ARP Miss messages based on a specified IP address.
  • ALL indicates all IP addresses.
  • Others indicates other IP addresses except for the specified IP address.

suppress-rate

Rate limit on ARP packets and ARP Miss messages. Value 0 indicates that the rate limit function is disabled for ARP packets and ARP Miss messages.

You can run the arp anti-attack rate-limit packet packet-number command to configure the rate limit of ARP packets, and run the arp-miss anti-attack rate-limit packet packet-number command to configure the rate limit of ARP Miss messages.

display arp anti-attack gateway-duplicate item

Function

The display arp anti-attack gateway-duplicate item command displays ARP gateway anti-collision entries.

NOTE:

Only the S5720HI, S5720EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Format

display arp anti-attack gateway-duplicate item

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After ARP gateway anti-collision is enabled, you can run this command to view ARP anti-collision entries.

Example

# Display ARP gateway anti-collision entries.

<HUAWEI> display arp anti-attack gateway-duplicate item
 Interface               IP address       MAC address     VLANID   Aging time 
-------------------------------------------------------------------------------
 GigabitEthernet0/0/1    10.1.1.1         0000-0000-0002  2        150
 GigabitEthernet0/0/2    10.1.1.2         0000-0000-0004  2        170
-------------------------------------------------------------------------------
The number of record(s) in gateway conflict table is 2 
Table 14-40  Description of the display arp anti-attack gateway-duplicate item command output

Item

Description

Interface

Inbound interface of ARP packets.

IP address

IP address of the gateway.

MAC address

Source MAC address of ARP packets.

VLANID

VLAN ID of ARP packets.

Aging time

Aging time of entries. The maximum value is 180 seconds. This parameter cannot be configured.
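As an added example (not Huawei code), the following Python parses the gateway conflict table shown above and flags entries whose source MAC is not on an allowlist for that gateway IP. The sample output is constructed from the example above, and ALLOWED_GATEWAY_MACS is a hypothetical allowlist you would populate with your own gateway and redundancy-peer MACs.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample: the example output of display arp anti-attack gateway-duplicate item.
SAMPLE_OUTPUT = """\
 Interface               IP address       MAC address     VLANID   Aging time
-------------------------------------------------------------------------------
 GigabitEthernet0/0/1    10.1.1.1         0000-0000-0002  2        150
 GigabitEthernet0/0/2    10.1.1.2         0000-0000-0004  2        170
-------------------------------------------------------------------------------
The number of record(s) in gateway conflict table is 2
"""

# Hypothetical allowlist (constructed): MACs that may legitimately send ARP with a
# gateway IP as sender besides the switch itself, e.g. a VRRP peer. Anything else is an alert.
ALLOWED_GATEWAY_MACS: Dict[str, Set[str]] = {
    "10.1.1.1": set(),
    "10.1.1.2": {"0000-0000-0004"},
}


class ConflictEntry(NamedTuple):
    interface: str
    ip: str
    mac: str
    vlan: int
    aging: int


class ConflictTable(NamedTuple):
    entries: List[ConflictEntry]
    reported_count: Optional[int]

    @property
    def consistent(self) -> bool:
        """True when the trailer's record count matches the number of rows parsed."""
        return self.reported_count is None or self.reported_count == len(self.entries)


# One table row: interface, dotted IPv4, Huawei xxxx-xxxx-xxxx MAC, VLAN ID, aging seconds.
_ROW = re.compile(
    r"^\s*(?P<if>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<vlan>\d+)\s+(?P<aging>\d+)\s*$",
    re.IGNORECASE,
)
_TRAILER = re.compile(r"record\(s\) in gateway conflict table is (\d+)")


def parse_gateway_conflicts(text: str) -> ConflictTable:
    """Parse the conflict table; the header and dashed separator lines match neither pattern."""
    entries: List[ConflictEntry] = []
    reported: Optional[int] = None
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries.append(ConflictEntry(m["if"], m["ip"], m["mac"].lower(),
                                         int(m["vlan"]), int(m["aging"])))
            continue
        t = _TRAILER.search(line)
        if t:
            reported = int(t.group(1))
    return ConflictTable(entries, reported)


def unexpected_gateway_sources(table: ConflictTable,
                               allowed: Dict[str, Set[str]]) -> List[ConflictEntry]:
    """Entries whose source MAC is not allowlisted for that gateway IP (candidates for investigation)."""
    return [e for e in table.entries
            if e.mac not in {m.lower() for m in allowed.get(e.ip, set())}]


if __name__ == "__main__":
    table = parse_gateway_conflicts(SAMPLE_OUTPUT)
    for e in unexpected_gateway_sources(table, ALLOWED_GATEWAY_MACS):
        print(f"ALERT {e.ip} claimed by {e.mac} on {e.interface} VLAN {e.vlan}")
```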

display arp anti-attack packet-check statistics

Function

The display arp anti-attack packet-check statistics command displays the statistics on invalid ARP packets that are filtered out during ARP packet validity check.

Format

display arp anti-attack packet-check statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After ARP packet validity check is enabled, you can run this command to view the statistics on invalid ARP packets that are filtered out.

Example

# Display the statistics on invalid ARP packets that are filtered out during ARP packet validity check.

<HUAWEI> display arp anti-attack packet-check statistics
Number of ARP packet(s) checked:                        5                       
Number of ARP packet(s) dropped by sender-mac checking: 0                       
Number of ARP packet(s) dropped by dst-mac checking:    0                       
Number of ARP packet(s) dropped by src-ip checking:     2                       
Number of ARP packet(s) dropped by dst-ip checking:     0            
Table 14-41  Description of the display arp anti-attack packet-check statistics command output

Item

Description

Number of ARP packet(s) checked

Number of ARP packets whose validity is checked.

Number of ARP packet(s) dropped by sender-mac checking

Number of invalid ARP packets that are filtered out because the source MAC address in the packet is different from that in the Ethernet frame header.

Number of ARP packet(s) dropped by dst-mac checking

Number of invalid ARP packets that are filtered out because the destination MAC address in the packet is different from that in the Ethernet frame header.

Number of ARP packet(s) dropped by src-ip checking

Number of invalid ARP packets with invalid source IP addresses that are filtered out.

Number of ARP packet(s) dropped by dst-ip checking

Number of invalid ARP packets with invalid destination IP addresses that are filtered out.

display arp anti-attack statistics check user-bind interface

Function

The display arp anti-attack statistics check user-bind interface command displays the statistics on discarded ARP packets matching no binding entry.

Format

display arp anti-attack statistics check user-bind interface interface-type interface-number

Parameters

Parameter

Description

Value

interface interface-type interface-number

Specifies the type and number of an interface, where:
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After DAI and the alarm function are enabled, you can run this command to display the statistics on discarded ARP packets matching no binding entry.

Example

# Display the statistics on discarded ARP packets matching no binding entry on GE0/0/1.

<HUAWEI> display arp anti-attack statistics check user-bind interface gigabitethernet 0/0/1
 Dropped ARP packet number is 966                                                 
 Dropped ARP packet number since the latest warning is 605
Table 14-42  Description of the display arp anti-attack statistics check user-bind interface command output

Item

Description

Dropped ARP packet number is 966

Number of discarded ARP packets matching no DHCP snooping binding entry.

Dropped ARP packet number since the latest warning is 605

Statistics on discarded ARP packets matching no DHCP snooping binding entry after the latest alarm is generated.

display arp learning strict

Function

The display arp learning strict command displays strict ARP learning globally and on all interfaces.

Format

display arp learning strict

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After strict ARP learning is configured, you can run this command to check the configuration.

Example

# Display strict ARP learning globally and on all interfaces.

<HUAWEI> display arp learning strict
The global configuration:arp learning strict
 Interface                           LearningStrictState
------------------------------------------------------------
 Vlanif100                           force-disable
 Vlanif200                           force-enable
------------------------------------------------------------
 Total:2
 Force-enable:1
 Force-disable:1
Table 14-43  Description of the display arp learning strict command output

Item

Description

The global configuration

Global strict ARP learning. The value arp learning strict indicates that strict ARP learning has been enabled. If the field is blank, strict ARP learning is disabled.

You can run the arp learning strict (system view) command to enable strict ARP learning.

Interface

Interface name.

LearningStrictState

Strict ARP learning.
  • The value force-enable indicates that strict ARP learning is enabled.
  • The value force-disable indicates that strict ARP learning is disabled.

You can run the arp learning strict (interface view) command to enable strict ARP learning.

Total

Total number of interfaces to which strict ARP learning is applied.

Force-enable

Number of the interfaces on which strict ARP learning is enabled.

Force-disable

Number of the interfaces on which strict ARP learning is disabled.

display arp optimized-reply statistics

Function

The display arp optimized-reply statistics command displays statistics on optimized ARP Reply packets.

Format

display arp optimized-reply statistics [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Specifies the stack ID.

The value must be set according to the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check statistics on optimized ARP Reply packets after the optimized ARP reply function is enabled on the device.

Example

# Display statistics on optimized ARP Reply packets.
<HUAWEI> display arp optimized-reply statistics
Slot            Received           Processed             Dropped                                                                    
----------------------------------------------------------------                                                                    
0                     11                   9                   7
Table 14-44  Description of the display arp optimized-reply statistics command output

Item

Description

Slot

Stack ID.

Received

Number of ARP Request packets entering the processing procedure of the optimized ARP reply function.

Processed

Number of optimized ARP Reply packets.

Dropped

Number of ARP Request packets discarded.

display arp optimized-reply status

Function

The display arp optimized-reply status command displays the status of the optimized ARP reply function.

Format

display arp optimized-reply status

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check the status of the optimized ARP reply function.

Example

# Check the status of the optimized ARP reply function.
<HUAWEI> display arp optimized-reply status
Current configuration:Disable                                                   
Actual         status:Inactive                                                  
Related configuration:                                                          
   arp optimized-reply disable                                                       
   arp anti-attack check user-bind enable                                       
   arp anti-attack gateway-duplicate enable 
Table 14-45  Description of the display arp optimized-reply status command output

Item

Description

Current configuration

Configuration of the optimized ARP reply function.
  • Enable
  • Disable

To set this field, run the arp optimized-reply disable command.

Actual status

Status of the optimized ARP reply function.
  • Active
  • Inactive

Related configuration

Configuration that prevents the optimized ARP reply function from taking effect.

If the optimized ARP reply function has taken effect, this field is not displayed.

display arp packet statistics

Function

The display arp packet statistics command displays the statistics on ARP packets.

Format

display arp packet statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To locate and rectify ARP faults, you can run this command to view the statistics on ARP packets.

This command displays the ARP packet statistics on the active switch in a stack system.

Example

# Display the statistics on ARP packets.

<HUAWEI> display arp packet statistics
ARP Pkt Received: sum 420066 
ARP Received In Message-cache: sum 0 
ARP-Miss Msg Received: sum 0 
ARP Learnt Count: sum 5 
ARP Pkt Discard For Limit: sum 0 
ARP Pkt Discard For SpeedLimit: sum 0 
ARP Pkt Discard For Proxy Suppress: sum 179578 
ARP Pkt Discard For Other: sum 90347 
ARP-Miss Msg Discard For SpeedLimit: sum 0 
ARP Discard In Message-cache For SpeedLimit: sum 0 
ARP-Miss Msg Discard For Other: sum 0
Table 14-46  Description of the display arp packet statistics command output

Item

Description

ARP Pkt Received

Number of the received ARP packets.

ARP Received In Message-cache

Number of ARP packets received within each second when a switch encapsulates multiple ARP request packets into one packet.

ARP-Miss Msg Received

Total number of ARP Miss messages triggered by ARP Miss packets sent to the CPU.

ARP Learnt Count

Times of ARP learning.

ARP Pkt Discard For Limit

Number of ARP packets discarded due to the ARP entry limit.

To configure the maximum number of dynamic ARP entries that an interface can learn, run the arp-limit command.

ARP Pkt Discard For SpeedLimit

Number of ARP packets discarded when the number of ARP packets from a specified source IP address exceeds the limit.

To configure a rate limit for ARP packets based on the source IP address, run the arp speed-limit source-ip command.

ARP Pkt Discard For Proxy Suppress

Number of packets discarded for the speed limit.

ARP Pkt Discard For Other

Number of the packets discarded due to other causes.

ARP-Miss Msg Discard For SpeedLimit

Number of ARP Miss messages discarded when the number of ARP Miss messages triggered by IP packets from a specified source IP address exceeds the limit.

ARP Discard In Message-cache For SpeedLimit

Number of ARP packets discarded due to software rate limit when a switch encapsulates multiple ARP request packets into one packet.

To configure a rate limit for ARP Miss messages based on the source IP address, run the arp-miss speed-limit source-ip command.

ARP-Miss Msg Discard For Other

Number of the ARP Miss messages discarded due to other causes.
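The counter outputs of display arp packet statistics (above) and display arp anti-attack packet-check statistics share one "label: value" layout. The following Python, an added example that is not Huawei code, parses both, totals the ARP packet discard causes against the received count, and computes per-poll deltas that tolerate a reset command having cleared the counters; the sample outputs are constructed from the figures in this reference.

```python
import re
from typing import Dict

# Constructed sample: the counter lines from the display arp packet statistics example.
ARP_PACKET_STATS = """\
ARP Pkt Received: sum 420066
ARP Received In Message-cache: sum 0
ARP-Miss Msg Received: sum 0
ARP Learnt Count: sum 5
ARP Pkt Discard For Limit: sum 0
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Proxy Suppress: sum 179578
ARP Pkt Discard For Other: sum 90347
ARP-Miss Msg Discard For SpeedLimit: sum 0
ARP Discard In Message-cache For SpeedLimit: sum 0
ARP-Miss Msg Discard For Other: sum 0
"""

# Constructed sample: the display arp anti-attack packet-check statistics example.
PACKET_CHECK_STATS = """\
Number of ARP packet(s) checked:                        5
Number of ARP packet(s) dropped by sender-mac checking: 0
Number of ARP packet(s) dropped by dst-mac checking:    0
Number of ARP packet(s) dropped by src-ip checking:     2
Number of ARP packet(s) dropped by dst-ip checking:     0
"""

# One counter per line: "<label>: sum <n>" or "<label>: <n>" (column padding varies).
_COUNTER = re.compile(r"^\s*(?P<label>[^:]+?)\s*:\s*(?:sum\s+)?(?P<value>\d+)\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Map each counter label to its integer value; lines that are not counters are ignored."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            counters[m.group("label")] = int(m.group("value"))
    return counters


def arp_discard_summary(counters: Dict[str, int]) -> dict:
    """Total the 'ARP Pkt Discard For ...' counters against 'ARP Pkt Received'.

    ARP-Miss and Message-cache discards are separate counters and are left out,
    so the ratio is discarded ARP packets over received ARP packets.
    """
    received = counters.get("ARP Pkt Received", 0)
    discards = {k: v for k, v in counters.items() if k.startswith("ARP Pkt Discard For ")}
    total = sum(discards.values())
    top = max(discards, key=discards.get) if discards else None
    return {"received": received, "discarded": total,
            "ratio": (total / received) if received else 0.0, "top_cause": top}


def packet_check_drops(counters: Dict[str, int]) -> Dict[str, int]:
    """Drops per validity check, keyed by check name (sender-mac, dst-mac, src-ip, dst-ip)."""
    drops: Dict[str, int] = {}
    for label, value in counters.items():
        m = re.search(r"dropped by (\S+) checking", label)
        if m:
            drops[m.group(1)] = value
    return drops


def counter_delta(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Per-poll increase of each counter.

    The counters are cumulative until a reset command clears them; a value that
    went down is treated as cleared, so the delta is the current value, never negative.
    """
    delta: Dict[str, int] = {}
    for label, now in current.items():
        before = previous.get(label, 0)
        delta[label] = now if now < before else now - before
    return delta


if __name__ == "__main__":
    stats = parse_counters(ARP_PACKET_STATS)
    print(arp_discard_summary(stats))
    print(packet_check_drops(parse_counters(PACKET_CHECK_STATS)))
```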

display arp-limit

Function

The display arp-limit command displays the maximum number of ARP entries that an interface can dynamically learn.

Format

display arp-limit [ interface interface-type interface-number[.subinterface-number ] ] [ vlan vlan-id ]

NOTE:

Only the S5720EI, S5720HI and S6720EI/S6720S-EI support sub-interfaces.

Parameters

Parameter

Description

Value

interface interface-type interface-number[.subinterface-number ]

Specifies the type and number of an interface.
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

  • subinterface-number specifies the sub-interface number.

-

vlan vlan-id

Specifies a VLAN ID.

The value is an integer that ranges from 1 to 4094.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the maximum number of ARP entries that an interface can dynamically learn is set, you can run this command to check the configuration.

If interface interface-type interface-number[.subinterface-number ] and vlan vlan-id are specified, you can view the maximum number of ARP entries that the specified interface can dynamically learn in the specified VLAN. If the two parameters are not specified, the maximum number of ARP entries that each interface can dynamically learn is displayed.

Example

# Display the number of ARP entries that each interface can dynamically learn.

<HUAWEI> display arp-limit
 Interface               LimitNum        VlanID          LearnedNum(Mainboard)
---------------------------------------------------------------------------
 Vlanif100               1000            0                  0 
 GigabitEthernet0/0/1    16384           10                 0
 ---------------------------------------------------------------------------
 Total:2  
Table 14-47  Description of the display arp-limit command output

Item

Description

Interface

Interface name.

LimitNum

Maximum number of ARP entries that an interface can dynamically learn.

To configure the maximum number of dynamic ARP entries that an interface can learn, run the arp-limit command.

VlanID

ID of the VLAN that the interface belongs to.

LearnedNum(Mainboard)

Number of ARP entries that an interface has learned.

display arp-miss speed-limit source-ip

Function

The display arp-miss speed-limit source-ip command displays the configuration of rate limit on ARP Miss messages based on the source IP address.

NOTE:

Only the S5720EI, S5720HI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Format

display arp-miss speed-limit source-ip

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After rate limiting of ARP Miss messages based on the source IP address is configured, you can run this command to check the configuration.

Example

# Display the configuration of rate limit on ARP Miss messages based on the source IP address.

<HUAWEI> display arp-miss speed-limit source-ip
 Slot     SuppressType   SuppressValue                                          
 ---------------------------------------------------                            
 0        ARP-miss       600                            
Table 14-48  Description of the display arp-miss speed-limit source-ip command output

Item

Description

Slot

  • The value indicates the slot ID if stacking is not configured.
  • The value indicates the stack ID if stacking is configured.

SuppressType

Suppression type.

SuppressValue

Maximum rate of ARP Miss messages from a specified source IP address.

To configure a rate limit for ARP Miss messages based on the source IP address, run the arp-miss speed-limit source-ip command.

reset arp anti-attack packet-check statistics

Function

The reset arp anti-attack packet-check statistics command clears the statistics on invalid ARP packets that are filtered out during ARP packet validity check.

Format

reset arp anti-attack packet-check statistics

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

You can run this command to clear existing statistics, and run the display arp anti-attack packet-check statistics command to view the statistics on follow-up invalid ARP packets that are filtered out.

Example

# Clear the statistics on invalid ARP packets that are filtered out in ARP packet validity check.

<HUAWEI> reset arp anti-attack packet-check statistics

reset arp anti-attack statistics check user-bind

Function

The reset arp anti-attack statistics check user-bind command clears the statistics on discarded ARP packets matching no binding entry.

Format

reset arp anti-attack statistics check user-bind interface interface-type interface-number

Parameters

Parameter

Description

Value

interface interface-type interface-number

Specifies the type and number of an interface, where:
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

Views

User view, system view

Default Level

2: Configuration level

Usage Guidelines

After DAI is enabled and some ARP packets matching no binding entry are discarded, you can run this command to clear the statistics on the discarded ARP packets.

Example

# Clear the statistics on discarded ARP packets on GE0/0/1.

<HUAWEI> reset arp anti-attack statistics check user-bind interface gigabitethernet 0/0/1

reset arp anti-attack statistics rate-limit

Function

The reset arp anti-attack statistics rate-limit command clears the statistics on ARP packets discarded when the rate of ARP packets exceeds the limit.

Format

reset arp anti-attack statistics rate-limit

Parameters

None

Views

User view, system view

Default Level

2: Configuration level

Usage Guidelines

After rate limit on ARP packets is enabled globally, the device discards the excess packets when the rate of ARP packets exceeds the limit. You can run this command to clear the statistics on the discarded ARP packets.

Example

# Clear the statistics on ARP packets discarded when the rate of ARP packets exceeds the limit.

<HUAWEI> reset arp anti-attack statistics rate-limit

reset arp optimized-reply statistics

Function

The reset arp optimized-reply statistics command clears statistics on optimized ARP Reply packets.

Format

reset arp optimized-reply statistics [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Specifies the stack ID.

The value must be set according to the device configuration.

Views

User view

Default Level

2: Configuration level

Usage Guidelines

To collect fresh statistics on optimized ARP Reply packets, run the reset arp optimized-reply statistics [ slot slot-id ] command to clear the existing statistics on the device first.

Example

# Clear statistics on optimized ARP Reply packets.
<HUAWEI> reset arp optimized-reply statistics

reset arp packet statistics

Function

The reset arp packet statistics command clears the statistics on ARP packets.

Format

reset arp packet statistics

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

You can run the display arp packet statistics command to display the statistics on ARP packets. To obtain correct statistics, run the reset arp packet statistics command to clear existing statistics first.

The reset arp packet statistics command clears the ARP packet statistics on the active switch in a stack system.

Example

# Clear the statistics on all ARP packets.

<HUAWEI> reset arp packet statistics
Updated: 2019-04-18

Document ID: EDOC1000178165