Fat AP and Cloud AP V200R010C00 Command Reference

arp anti-attack packet-check sender-mac


Function

The arp anti-attack packet-check sender-mac command checks whether the source MAC address in an ARP packet is the same as that in the Ethernet frame header.

The undo arp anti-attack packet-check sender-mac command disables ARP packet validity check.

By default, ARP packet validity check is disabled.

Format

arp anti-attack packet-check sender-mac

undo arp anti-attack packet-check sender-mac

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After receiving an ARP packet, the device checks the validity of the ARP packet, including:
  • Packet length
  • Validity of the source and destination MAC addresses in the ARP packet
  • ARP Request type and ARP Reply type
  • MAC address length
  • IP address length
  • Whether the ARP packet is an Ethernet frame
The preceding check items are used to determine whether an ARP packet is valid. A packet whose source MAC address in the ARP packet differs from the source MAC address in the Ethernet frame header is allowed by the ARP protocol but is possibly an attack packet. After the arp anti-attack packet-check sender-mac command is used, the device compares the source MAC addresses in the ARP packet and Ethernet frame header, and discards packets in which they are inconsistent.
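
The comparison described above can be reproduced offline when reviewing captured frames. The following is an added example, not Huawei code or the device's implementation: it models a simplified subset of the listed checks plus the sender-MAC comparison. The function names, the check_sender_mac parameter and the sample addresses are hypothetical and constructed for illustration.

```python
import struct

ETH_HDR_LEN = 14         # destination MAC, source MAC, EtherType
ARP_LEN = 28             # ARP payload for Ethernet/IPv4
ETHERTYPE_ARP = 0x0806


def check_arp_frame(frame: bytes, check_sender_mac: bool = True) -> str:
    """Return 'ok' or the reason this model would discard the frame.

    check_sender_mac (hypothetical) stands in for whether
    'arp anti-attack packet-check sender-mac' has been configured.
    """
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return "bad packet length"
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        return "not an ARP frame"
    htype, _ptype, hlen, plen, oper, sha, _spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_LEN])
    if htype != 1:
        return "hardware type is not Ethernet"
    if hlen != 6:
        return "bad MAC address length"
    if plen != 4:
        return "bad IP address length"
    if oper not in (1, 2):          # 1 = Request, 2 = Reply
        return "not an ARP Request or Reply"
    if check_sender_mac and sha != eth_src:
        return "sender MAC differs from Ethernet source MAC"
    return "ok"


def build_frame(eth_src: str, arp_sha: str, oper: int = 2) -> bytes:
    """Build a constructed sample frame (documentation IPs, local MACs)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    eth = struct.pack("!6s6sH", mac("ff:ff:ff:ff:ff:ff"), mac(eth_src),
                      ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac(arp_sha),
                      bytes([192, 0, 2, 10]), bytes(6), bytes([192, 0, 2, 1]))
    return eth + arp


if __name__ == "__main__":
    consistent = build_frame("02:00:00:00:00:01", "02:00:00:00:00:01")
    mismatched = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02")
    for name, frame in (("consistent", consistent), ("mismatched", mismatched)):
        print(name, "->", check_arp_frame(frame))
```
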

Precautions

The arp validate command can be used to configure the device to check whether the source MAC address in an ARP packet is the same as that in the Ethernet frame header. This command is different from the arp anti-attack packet-check sender-mac command.
  • The arp validate command configures ARP packet validity check only on a physical interface. The arp anti-attack packet-check sender-mac command configures ARP packet validity check globally.
  • The arp validate command checks whether the source and destination MAC addresses in an ARP packet are the same as those in the Ethernet frame header. The arp anti-attack packet-check sender-mac command checks whether the source MAC address in an ARP packet is the same as that in the Ethernet frame header.

Example

# Enable ARP packet validity check to allow the device to check the source MAC address in an ARP packet.

<Huawei> system-view
[Huawei] arp anti-attack packet-check sender-mac
Updated: 2019-11-21

Document ID: EDOC1100064352
