No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


OSN 500 550 580 V100R008C50 Alarms and Performance Events Reference 02

Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).



The ARP_SPOOF is an alarm indicating an ARP spoofing attack. The NE reports the alarm when it is under an ARP spoofing attack.


Alarm Severity Alarm Type


Security alarm


When you view an alarm on the network management system, select the alarm. In the Alarm Details field display the related parameters of the alarm. The alarm parameters are in the following format: Alarm Parameters (hex): parameter1 parameter2...parameterN. For details about each parameter, refer to the following table.

Name Meaning

Parameter 1, parameter 2

Indicates the slot number.

Parameter 3

Indicates the subboard number (0xFF: no sub-board).

Parameter 4, parameter 5

Indicates the port number.

Impact on the System

If an ARP_SPOOF alarm is generated, the system impact from the associated fault could include:

  • A large number of CPU resources are occupied. As a result, the system is unstable and the protocol status jitters.
  • Normal ARP protocol packets are lost. As a result, ARP protocol entries are refreshed and packet loss may occur.

Possible Causes

The possible causes of the ARP_SPOOF alarm include:

The number of gratuitous ARP packets and the number of ARP reply packets received per minute exceed the thresholds for the same IP address in the ARP protocol entries. The MAC address of the ARP packet is different from that of the current ARP protocol entry.


  1. Check the ARP_SPOOF alarm on the NMS. Query the attacker list. For details, see Configuring Address Resolution in the Configuration Guide (Packet Transport Domain).
  2. Find the host of the attacker based on the MAC address of the attacker. Disconnect the host from the network to eliminate the attack source.
  3. Check whether the alarm is cleared. If it persists, contact Huawei engineers.

Related Information


Updated: 2019-01-21

Document ID: EDOC1100020975

Views: 74956

Downloads: 136

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next