S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ARP Security Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

arp anti-attack check user-bind alarm enable

Function

The arp anti-attack check user-bind alarm enable command enables the alarm function for ARP packets discarded by DAI.

The undo arp anti-attack check user-bind alarm enable command disables the alarm function for ARP packets discarded by DAI.

By default, the alarm function for ARP packets discarded by DAI is disabled.

Format

arp anti-attack check user-bind alarm enable

undo arp anti-attack check user-bind alarm enable

Parameters

None

Views

GE interface view, 40GE interface view, XGE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DAI is enabled, if you want to receive an alarm when a large number of ARP packets are discarded by DAI, you can run the arp anti-attack check user-bind alarm enable command. After the alarm function is enabled, the device sends an alarm when the number of discarded ARP packets exceeds the threshold.

The alarm threshold is set by the arp anti-attack check user-bind alarm threshold command.

Prerequisites

DAI has been enabled on the interface using the arp anti-attack check user-bind enable command.

Example

# Enable the alarm function for ARP packets discarded by DAI on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind alarm enable

arp anti-attack check user-bind alarm threshold

Function

The arp anti-attack check user-bind alarm threshold command sets the alarm threshold for ARP packets discarded by DAI.

The undo arp anti-attack check user-bind alarm threshold command restores the default alarm threshold for ARP packets discarded by DAI.

By default, the alarm threshold for ARP packets discarded by DAI is 100 packets.

Format

arp anti-attack check user-bind alarm threshold threshold

undo arp anti-attack check user-bind alarm threshold

Parameters

Parameter Description Value
threshold Specifies the alarm threshold for the ARP packets discarded by DAI. The value is an integer that ranges from 1 to 1000.

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use this command to set the alarm threshold for ARP packets discarded by DAI. After the alarm threshold is set, the device sends an alarm when the number of ARP packets discarded by DAI exceeds this threshold.

Prerequisites

DAI has been enabled using the arp anti-attack check user-bind enable command in the interface view, and the alarm function for ARP packets discarded by DAI has been enabled using the arp anti-attack check user-bind alarm enable command.

Precautions

The arp anti-attack check user-bind alarm threshold command takes effect in the system view only when DAI and the alarm function for ARP packets discarded by DAI are enabled on the interface. The global alarm threshold takes effect on all interfaces enabled with the two functions.

If the alarm thresholds are set in the interface view and system view, the alarm threshold configured in the interface view takes effect. If the alarm threshold on an interface is not configured, the global alarm threshold is used.

Example

# Set the alarm threshold for ARP packets discarded by DAI on GE1/0/1 to 200.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind alarm enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind alarm threshold 200

arp anti-attack check user-bind check-item (interface view)

Function

The arp anti-attack check user-bind check-item command configures check items for ARP packet check based on binding entries on an interface.

The undo arp anti-attack check user-bind check-item command restores the default check items.

By default, the check items consist of IP address, MAC address, and VLAN ID.

Format

arp anti-attack check user-bind check-item { ip-address | mac-address | vlan } *

undo arp anti-attack check user-bind check-item

Parameters

Parameter Description Value
ip-address Indicates that the device checks IP addresses in ARP packets. -
mac-address Indicates that the device checks MAC addresses in ARP packets. -
vlan Indicates that the device checks VLAN IDs in ARP packets. -

Views

GE interface view, 40GE interface view, XGE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a device receives an ARP packet, it compares the source IP address, source MAC address, and VLAN ID of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

To allow some special ARP packets that match only one or two items in binding entries to pass through, use the arp anti-attack check user-bind check-item command to configure the device to check ARP packets according to one or two specified items in binding entries.

Prerequisites

DAI has been enabled on the interface using the arp anti-attack check user-bind enable command.

Precautions

Check items configured for ARP packet check based on binding entries do not take effect on hosts that are configured with static binding entries. These hosts check ARP packets based on all items in static binding entries.

Example

# Configure GE1/0/1 to check IP addresses in ARP packets.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind check-item ip-address

arp anti-attack check user-bind check-item (VLAN view)

Function

The arp anti-attack check user-bind check-item command configures check items for ARP packet check based on binding entries in a VLAN.

The undo arp anti-attack check user-bind check-item command restores the default check items.

By default, the check items consist of IP address, MAC address, and interface number.

Format

arp anti-attack check user-bind check-item { ip-address | mac-address | interface } *

undo arp anti-attack check user-bind check-item

Parameters

Parameter Description Value
ip-address Indicates that the device checks IP addresses in ARP packets. -
mac-address Indicates that the device checks MAC addresses in ARP packets. -
interface Indicates that the device checks interface numbers in ARP packets. -

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a device receives an ARP packet, it compares the source IP address, source MAC address, and interface number of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

To allow some special ARP packets that match only one or two items in binding entries to pass through, configure the device to check ARP packets according to one or two specified items in binding entries.

Prerequisites

DAI has been enabled in the VLAN using the arp anti-attack check user-bind enable command.

Precautions

Check items configured for ARP packet check based on binding entries do not take effect on hosts that are configured with static binding entries. These hosts check ARP packets based on all items in static binding entries.

Example

# Configure the device to check IP addresses in ARP packets from VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable
[HUAWEI-vlan100] arp anti-attack check user-bind check-item ip-address

arp anti-attack check user-bind enable

Function

The arp anti-attack check user-bind enable command enables DAI on an interface or in a VLAN. DAI enables the device to check ARP packets based on binding entries.

The undo arp anti-attack check user-bind enable command disables DAI on an interface or in a VLAN.

By default, DAI is disabled on an interface or in a VLAN.

Format

arp anti-attack check user-bind enable

undo arp anti-attack check user-bind enable

Parameters

None

Views

VLAN view, GE interface view, 40GE interface view, XGE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent MITM attacks and theft on authorized user information, run the arp anti-attack check user-bind enable command to enable DAI. When a device receives an ARP packet, it compares the source IP address, source MAC address, VLAN ID, and interface number of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

You can enable DAI in the interface view or the VLAN view. When DAI is enabled in an interface view, the device checks all ARP packets received on the interface against binding entries. When DAI is enabled in the VLAN view, the device checks ARP packets received on the interfaces that belong to the VLAN against binding entries.

Follow-up Procedure

Run the arp anti-attack check user-bind check-item (interface view) or arp anti-attack check user-bind check-item (VLAN view) command to configure check items for ARP packet check based on binding entries.
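
How the checks in this section fit together, as an added Python illustration that is not part of the Huawei documentation: a binding table, the configurable check-item subset (with the static-binding exception from the check-item Precautions), and the discard counter behind the alarm threshold commands, where an interface-view threshold overrides the global one. The Binding, ArpPacket and DaiAlarmState types, all function names and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool = False  # static entries are always matched on all items


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int
    interface: str


# Interface view selects from ip-address/mac-address/vlan, VLAN view from
# ip-address/mac-address/interface; with no check-item configured all apply.
ALL_ITEMS: FrozenSet[str] = frozenset(
    {"ip-address", "mac-address", "vlan", "interface"})


def _matches(pkt: ArpPacket, b: Binding, items: FrozenSet[str]) -> bool:
    checks = {
        "ip-address": pkt.sender_ip == b.ip,
        "mac-address": pkt.sender_mac.lower() == b.mac.lower(),
        "vlan": pkt.vlan == b.vlan,
        "interface": pkt.interface == b.interface,
    }
    return all(checks[item] for item in items)


def dai_check(pkt: ArpPacket, bindings: List[Binding],
              check_items: FrozenSet[str] = ALL_ITEMS) -> bool:
    """True if DAI permits the packet, False if it is discarded.

    A packet passes when some binding entry matches on the configured
    check items. Static bindings ignore the configured subset and must
    match on every item (the check-item Precautions).
    """
    for b in bindings:
        items = ALL_ITEMS if b.static else check_items
        if _matches(pkt, b, items):
            return True
    return False


@dataclass
class DaiAlarmState:
    """Discard counting for the alarm commands: an interface-view threshold
    overrides the global one (page default 100). The counter is cumulative
    here; how the device windows it is not stated on the page."""
    global_threshold: int = 100
    interface_threshold: Dict[str, int] = field(default_factory=dict)
    alarm_enabled: Dict[str, bool] = field(default_factory=dict)
    discarded: Dict[str, int] = field(default_factory=dict)

    def threshold_for(self, interface: str) -> int:
        return self.interface_threshold.get(interface, self.global_threshold)

    def record_discard(self, interface: str) -> bool:
        """Count one discard; True means an alarm should be sent now."""
        self.discarded[interface] = self.discarded.get(interface, 0) + 1
        if not self.alarm_enabled.get(interface, False):
            return False
        return self.discarded[interface] > self.threshold_for(interface)


def inspect(pkts: List[ArpPacket], bindings: List[Binding],
            check_items: FrozenSet[str],
            alarms: DaiAlarmState) -> List[Tuple[bool, bool]]:
    """Run DAI over a packet list; each result is (permitted, alarm_raised)."""
    out = []
    for p in pkts:
        ok = dai_check(p, bindings, check_items)
        out.append((ok, False if ok else alarms.record_discard(p.interface)))
    return out


# Constructed sample data (not from the page).
BINDINGS = [
    Binding("10.1.1.5", "00e0-fc00-0001", 100, "GE1/0/1"),
    Binding("10.1.1.9", "00e0-fc00-0009", 100, "GE1/0/1", static=True),
]
GOOD = ArpPacket("10.1.1.5", "00e0-fc00-0001", 100, "GE1/0/1")
SPOOFED_MAC = ArpPacket("10.1.1.5", "00e0-fc00-00ff", 100, "GE1/0/1")
STATIC_SPOOF = ArpPacket("10.1.1.9", "00e0-fc00-00ff", 100, "GE1/0/1")


def demo() -> List[Tuple[bool, bool]]:
    """GE1/0/1 with check-item ip-address, alarm enabled, threshold 2."""
    alarms = DaiAlarmState(interface_threshold={"GE1/0/1": 2},
                           alarm_enabled={"GE1/0/1": True})
    pkts = [GOOD, SPOOFED_MAC, STATIC_SPOOF, STATIC_SPOOF, STATIC_SPOOF]
    return inspect(pkts, BINDINGS, frozenset({"ip-address"}), alarms)
```

With only ip-address checked, the spoofed-MAC packet for the dynamically bound host passes, while the same trick against the statically bound host is discarded, and the third discard on GE1/0/1 crosses the interface threshold of 2.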

Example

# Enable DAI on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
# Enable DAI in VLAN 100.
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable

arp anti-attack entry-check enable

Function

The arp anti-attack entry-check enable command enables ARP entry fixing.

The undo arp anti-attack entry-check enable command disables ARP entry fixing.

By default, ARP entry fixing is disabled.

Format

arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

undo arp anti-attack entry-check [ fixed-mac | fixed-all | send-ack ] enable

Parameters

Parameter Description Value
fixed-mac Indicates ARP entry fixing in fixed-mac mode. When receiving an ARP packet, the device discards the packet if the MAC address does not match the MAC address in the corresponding ARP entry. If the MAC address in the ARP packet matches that in the corresponding ARP entry while the interface number or VLAN ID does not match that in the ARP entry, the device updates the interface number or VLAN ID in the ARP entry. -
fixed-all Indicates ARP entry fixing in fixed-all mode. When the MAC address, interface number, and VLAN ID of an ARP packet match those in the corresponding ARP entry, the device updates other information about the ARP entry. -
send-ack Indicates ARP entry fixing in send-ack mode. When the device receives an ARP packet with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and then determines whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response from the user. -

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To defend against ARP address spoofing attacks, enable ARP entry fixing. The fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive:
  • The fixed-mac mode applies to networks where user MAC addresses are unchanged but user access locations often change. When a user connects to a different interface on the device, the device updates the interface information in the user's ARP entry in a timely manner.
  • The fixed-all mode applies to networks where user MAC addresses and user access locations are fixed.
  • The send-ack mode applies to networks where user MAC addresses and user access locations often change.

Precautions

After ARP entry fixing is enabled, the function that updates ARP entries when MAC address entries change (configured by the mac-address update arp command) becomes invalid.

In send-ack mode, the device can record a maximum of 100 ARP entries in the ARP Request packets intended to trigger ARP entry modification.

If you run the arp anti-attack entry-check enable command in the system view, ARP entry fixing is enabled on all interfaces. If you run the command in the VLANIF interface view, ARP entry fixing is enabled only on that VLANIF interface.

If ARP entry fixing is enabled globally and on a VLANIF interface simultaneously, the configuration on the VLANIF interface takes precedence over the global configuration.
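
The three modes as an added Python model, not Huawei code: FixedArpTable, ArpEntry, ArpUpdate and probe are assumed names, and treating an answer from the original owner as "keep the entry" and silence as "accept the change" is an assumption about how send-ack decides, since the page only says the decision depends on the response.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class ArpEntry:
    mac: str
    interface: str
    vlan: int
    age: int = 0  # stands for the "other information" fixed-all may refresh


@dataclass(frozen=True)
class ArpUpdate:
    """Sender details taken from a received ARP packet."""
    ip: str
    mac: str
    interface: str
    vlan: int


class FixedArpTable:
    """mode is one of fixed-mac, fixed-all, send-ack (mutually exclusive).

    probe(ip, original_mac) stands for the unicast ARP Request that
    send-ack mode sends to the current owner of the entry; it returns
    True if that owner answered. (The page caps the number of entries
    awaiting such a request at 100; the cap is not modelled here.)
    """

    def __init__(self, mode: str,
                 probe: Optional[Callable[[str, str], bool]] = None):
        if mode not in ("fixed-mac", "fixed-all", "send-ack"):
            raise ValueError(mode)
        if mode == "send-ack" and probe is None:
            raise ValueError("send-ack needs a probe function")
        self.mode, self.probe = mode, probe
        self.entries: Dict[str, ArpEntry] = {}

    def learn(self, u: ArpUpdate) -> str:
        cur = self.entries.get(u.ip)
        if cur is None:
            self.entries[u.ip] = ArpEntry(u.mac, u.interface, u.vlan)
            return "learned"
        mac_same = cur.mac.lower() == u.mac.lower()
        loc_same = (cur.interface, cur.vlan) == (u.interface, u.vlan)
        if mac_same and loc_same:
            cur.age = 0
            return "refreshed"
        if self.mode == "fixed-mac":
            if not mac_same:
                return "discarded"            # the MAC is pinned
            cur.interface, cur.vlan = u.interface, u.vlan
            return "location-updated"         # same MAC, user moved port
        if self.mode == "fixed-all":
            return "discarded"                # MAC, interface and VLAN pinned
        # send-ack: ask the original owner before accepting any change
        if self.probe(u.ip, cur.mac):
            return "kept"                     # original owner still answers
        self.entries[u.ip] = ArpEntry(u.mac, u.interface, u.vlan)
        return "updated"


# Constructed sample (not from the page): a host, the same host on a new
# port, then a different MAC claiming the host's IP address.
FIRST = ArpUpdate("10.1.1.5", "00e0-fc00-0001", "GE1/0/1", 100)
MOVED = ArpUpdate("10.1.1.5", "00e0-fc00-0001", "GE1/0/2", 100)
CLAIM = ArpUpdate("10.1.1.5", "00e0-fc00-00ff", "GE1/0/3", 100)


def run_mode(mode: str, owner_alive: bool = True):
    """Feed FIRST, MOVED, CLAIM through a table in the given mode and
    return the outcomes plus the MAC finally recorded for 10.1.1.5."""
    t = FixedArpTable(mode, probe=lambda ip, mac: owner_alive)
    outcomes = [t.learn(FIRST), t.learn(MOVED), t.learn(CLAIM)]
    return outcomes, t.entries["10.1.1.5"].mac
```

Only send-ack with a silent original owner ever lets the new MAC into the entry; fixed-mac follows the host to its new port, and fixed-all changes nothing.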

Example

# Enable ARP entry fixing and specify the fixed-mac mode.
<HUAWEI> system-view
[HUAWEI] arp anti-attack entry-check fixed-mac enable

arp anti-attack gateway-duplicate enable

Function

The arp anti-attack gateway-duplicate enable command enables ARP gateway anti-collision.

The undo arp anti-attack gateway-duplicate enable command disables ARP gateway anti-collision.

By default, ARP gateway anti-collision is disabled.

Format

arp anti-attack gateway-duplicate enable

undo arp anti-attack gateway-duplicate enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker forges the gateway address to send ARP packets with the source IP address being the IP address of the gateway on the LAN, ARP entries on hosts in the LAN record the incorrect gateway address. As a result, all traffic from user hosts to the gateway is sent to the attacker and the attacker intercepts user information. Communication of users is interrupted.

To prevent bogus gateway attacks, enable ARP gateway anti-collision on the gateway using the arp anti-attack gateway-duplicate enable command. The gateway considers that a gateway collision occurs when a received ARP packet meets either of the following conditions:
  • The source IP address in the ARP packet is the same as the IP address of the VLANIF interface matching the physical inbound interface of the packet.
  • The source IP address in the ARP packet is the virtual IP address of the inbound interface but the source MAC address in the ARP packet is not the virtual MAC address of the VRRP group.
The device generates an ARP anti-collision entry and discards the received packets with the same source MAC address and VLAN ID in a specified period. This function prevents ARP packets with the bogus gateway address from being broadcast in a VLAN.

Precautions

A maximum of 100 ARP anti-attack entries exist on the device at the same time. When the maximum number is exceeded, the device cannot prevent new ARP gateway collision attacks.
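
The two collision conditions and the anti-collision entry table, as an added Python model that is not part of the Huawei documentation: the class and method names, the VLAN-to-VLANIF and VLAN-to-VRRP maps and the block period are assumptions, and the addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpPacket:
    src_ip: str
    src_mac: str
    vlan: int  # VLAN of the physical inbound interface


class GatewayAntiCollision:
    """Gateway-side check behind arp anti-attack gateway-duplicate enable.

    vlanif_ip maps a VLAN to the IP address of its VLANIF interface;
    vrrp maps a VLAN to (virtual IP, virtual MAC) of its VRRP group.
    block_seconds is how long an anti-collision entry stays active; the
    page gives no figure, so it is a parameter here.
    """
    MAX_ENTRIES = 100  # page: at most 100 anti-collision entries at a time

    def __init__(self, vlanif_ip: Dict[int, str],
                 vrrp: Optional[Dict[int, Tuple[str, str]]] = None,
                 block_seconds: float = 60.0):
        self.vlanif_ip = vlanif_ip
        self.vrrp = vrrp or {}
        self.block_seconds = block_seconds
        self.entries: Dict[Tuple[str, int], float] = {}  # (mac, vlan) -> expiry

    def is_collision(self, p: ArpPacket) -> bool:
        """Either condition from the usage guidelines marks a collision."""
        if p.src_ip == self.vlanif_ip.get(p.vlan):
            return True
        virtual = self.vrrp.get(p.vlan)
        if virtual is not None:
            vip, vmac = virtual
            if p.src_ip == vip and p.src_mac.lower() != vmac.lower():
                return True
        return False

    def _expire(self, now: float) -> None:
        self.entries = {k: t for k, t in self.entries.items() if t > now}

    def process(self, p: ArpPacket, now: float) -> str:
        """Return the action taken for one received ARP packet."""
        self._expire(now)
        key = (p.src_mac.lower(), p.vlan)
        if key in self.entries:
            return "blocked"            # matches an active anti-collision entry
        if not self.is_collision(p):
            return "forward"
        if len(self.entries) >= self.MAX_ENTRIES:
            return "table-full"         # page: new collisions cannot be prevented
        self.entries[key] = now + self.block_seconds
        return "collision-blocked"      # entry created, packet discarded


def demo() -> List[str]:
    """Constructed topology: VLANIF100 is 10.1.1.1, VRRP virtual IP
    10.1.1.254 with the standard virtual MAC for VRID 1."""
    gw = GatewayAntiCollision({100: "10.1.1.1"},
                              {100: ("10.1.1.254", "0000-5e00-0101")},
                              block_seconds=60)
    host = ArpPacket("10.1.1.20", "00e0-fc00-0020", 100)
    spoof_gw = ArpPacket("10.1.1.1", "00e0-fc00-00ff", 100)
    vrrp_master = ArpPacket("10.1.1.254", "0000-5e00-0101", 100)
    spoof_vrrp = ArpPacket("10.1.1.254", "00e0-fc00-00ff", 100)
    return [
        gw.process(host, 0.0),          # forward
        gw.process(spoof_gw, 0.0),      # collision-blocked
        gw.process(spoof_gw, 10.0),     # blocked (entry still active)
        gw.process(spoof_vrrp, 10.0),   # blocked (same MAC and VLAN)
        gw.process(vrrp_master, 10.0),  # forward (carries the virtual MAC)
        gw.process(spoof_gw, 61.0),     # collision-blocked (entry expired)
    ]
```

The entry is keyed on source MAC and VLAN, so a second bogus-gateway packet from the same MAC is dropped by the entry without re-evaluating the conditions, and the table limit is what lets the 101st distinct source through.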

Example

# Enable ARP gateway anti-collision.

<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable

arp anti-attack gratuitous-arp drop

Function

The arp anti-attack gratuitous-arp drop command enables gratuitous ARP packet discarding.

The undo arp anti-attack gratuitous-arp drop command disables gratuitous ARP packet discarding.

By default, gratuitous ARP packet discarding is disabled.

Format

arp anti-attack gratuitous-arp drop

undo arp anti-attack gratuitous-arp drop

Parameters

None

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Any host can send gratuitous ARP packets without authorization, which causes the following problems:
  • If a large number of gratuitous ARP packets are broadcast on the network, network devices cannot process valid ARP packets due to CPU overload.
  • If a device processes bogus gratuitous ARP packets, ARP entries are updated incorrectly, leading to communication interruptions.

To solve the preceding problems, enable gratuitous ARP packet discarding using the arp anti-attack gratuitous-arp drop command on the gateway.

Precautions

If you enable gratuitous ARP packet discarding globally, this function takes effect on all interfaces. If you enable gratuitous ARP packet discarding on a VLANIF interface, this function takes effect on the specified VLANIF interface.

Example

# Enable gratuitous ARP packet discarding globally.

<HUAWEI> system-view
[HUAWEI] arp anti-attack gratuitous-arp drop

# Enable gratuitous ARP packet discarding on VLANIF 10.

<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp anti-attack gratuitous-arp drop

arp anti-attack log-trap-timer

Function

The arp anti-attack log-trap-timer command sets the interval for sending ARP alarms.

The undo arp anti-attack log-trap-timer command restores the default setting.

The default interval for sending alarms is 0, indicating that the device does not send ARP alarms.

Format

arp anti-attack log-trap-timer time

undo arp anti-attack log-trap-timer

Parameters

Parameter Description Value
time Specifies the interval for sending ARP alarms. The value is an integer that ranges from 0 to 1200, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limiting on ARP packets based on source IP addresses is enabled, if the number of ARP packets the device receives per second exceeds the limit, the device discards the excess ARP packets. The device considers the excess ARP packets as potential attacks. The device sends ARP alarms indicating potential attacks to the NMS. To avoid excessive alarms when ARP attacks occur, reduce the alarm quantity by setting a proper interval for sending alarms.

Precautions

In an insecure environment, you are advised to extend the interval for sending ARP alarms to prevent excessive ARP alarms. In a secure environment, you are advised to shorten the interval so that faults can be rectified in real time.

After the interval is set, the device discards alarms generated within this interval; therefore, some faults cannot be rectified in real time.

The command takes effect only on the alarm for ARP rate limit based on source IP addresses (corresponding to arp speed-limit source-ip). The other ARP alarms are generated at a fixed interval of 5 seconds.

Example

# Set the interval for sending ARP alarms to 20 seconds.

<HUAWEI> system-view
[HUAWEI] arp anti-attack log-trap-timer 20

arp anti-attack packet-check

Function

The arp anti-attack packet-check command enables ARP packet validity check and specifies check items.

The undo arp anti-attack packet-check command disables ARP packet validity check.

By default, ARP packet validity check is disabled.

Format

arp anti-attack packet-check { ip | dst-mac | sender-mac } *

undo arp anti-attack packet-check [ ip | dst-mac | sender-mac ] *

Parameters

Parameter Description Value
ip Indicates ARP packet validity check based on the IP address. -
dst-mac Indicates ARP packet validity check based on the destination MAC address. -
sender-mac Indicates ARP packet validity check based on the source MAC address. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To avoid ARP attacks, you can use the arp anti-attack packet-check command to enable ARP packet validity check on an access device or a gateway to filter out ARP packets with invalid IP addresses or MAC addresses. The device checks the validity of an ARP packet based on each or any combination of the following items:

  • Source and destination IP addresses: The device checks the source and destination IP addresses in an ARP packet. If the source or destination IP address is all 0s, all 1s, or a multicast IP address, the device discards the packet as an invalid packet. The device checks both the source and destination IP addresses in an ARP Reply packet but checks only the source IP address in an ARP Request packet.

  • Source MAC address: The device compares the source MAC address in an ARP packet with that in the Ethernet frame header. If they are the same, the packet is valid. If they are different, the device discards the packet.

  • Destination MAC address: The device compares the destination MAC address in an ARP packet with that in the Ethernet frame header. If they are the same, the packet is valid. If they are different, the device discards the packet.

Precautions

Generally, packets with different source and destination MAC addresses in the ARP packet and Ethernet frame header are allowed by the ARP protocol. When an attack occurs, capture and analyze packets. If the attack is initiated by using inconsistent source or destination MAC addresses in the ARP packet and Ethernet frame header, enable ARP packet validity check based on the source or destination MAC address.

If you run the arp anti-attack packet-check sender-mac command multiple times, all the check items specified in these commands take effect.
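
An added Python implementation of the three check items over raw Ethernet/ARP frames, not Huawei code; build_arp_frame, parse_arp_frame and packet_check are assumed names and the frames are constructed. It also shows the point made in Precautions: an ordinary broadcast ARP Request fails the dst-mac check because its Ethernet destination is the broadcast address while the ARP target MAC is zero.

```python
import ipaddress
import struct
from typing import Dict, Iterable, List

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_arp_frame(eth_dst: str, eth_src: str, oper: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II header plus the 28-byte ARP body for IPv4 over Ethernet."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def parse_arp_frame(frame: bytes) -> Dict[str, object]:
    """Split out the fields the three check items need."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12],
        "oper": struct.unpack("!H", frame[20:22])[0],
        "sha": frame[22:28], "spa": ipaddress.IPv4Address(frame[28:32]),
        "tha": frame[32:38], "tpa": ipaddress.IPv4Address(frame[38:42]),
    }


def _bad_ip(ip: ipaddress.IPv4Address) -> bool:
    # all 0s, all 1s, or a multicast address -> invalid
    n = int(ip)
    return n == 0 or n == 0xFFFFFFFF or ip.is_multicast


def packet_check(frame: bytes, items: Iterable[str]) -> List[str]:
    """Apply the configured check items; return the failed ones ([] = valid).

    ip: sender IP is always checked, target IP only in an ARP Reply.
    sender-mac: ARP sender MAC must equal the Ethernet source MAC.
    dst-mac: ARP target MAC must equal the Ethernet destination MAC.
    """
    a = parse_arp_frame(frame)
    failed = []
    for item in items:
        if item == "ip":
            if _bad_ip(a["spa"]) or (a["oper"] == ARP_REPLY and _bad_ip(a["tpa"])):
                failed.append("ip")
        elif item == "sender-mac":
            if a["sha"] != a["eth_src"]:
                failed.append("sender-mac")
        elif item == "dst-mac":
            if a["tha"] != a["eth_dst"]:
                failed.append("dst-mac")
        else:
            raise ValueError(f"unknown check item {item!r}")
    return failed


# Constructed frames (not from the page).
BCAST = "ff:ff:ff:ff:ff:ff"
HOST_MAC, GW_MAC, OTHER_MAC = "00:e0:fc:00:00:05", "00:e0:fc:00:00:01", "00:e0:fc:00:00:ff"

# Ordinary broadcast request: ARP target MAC zero, Ethernet destination broadcast.
NORMAL_REQUEST = build_arp_frame(BCAST, HOST_MAC, ARP_REQUEST,
                                 HOST_MAC, "10.1.1.5", "00:00:00:00:00:00", "10.1.1.1")
# Reply whose Ethernet source differs from the ARP sender MAC.
MISMATCHED_REPLY = build_arp_frame(HOST_MAC, OTHER_MAC, ARP_REPLY,
                                   GW_MAC, "10.1.1.1", HOST_MAC, "10.1.1.5")
# Reply carrying a multicast target IP; the same address in a Request is not checked.
MCAST_REPLY = build_arp_frame(HOST_MAC, GW_MAC, ARP_REPLY,
                              GW_MAC, "10.1.1.1", HOST_MAC, "224.0.0.9")
MCAST_REQUEST = build_arp_frame(BCAST, HOST_MAC, ARP_REQUEST,
                                HOST_MAC, "10.1.1.5", "00:00:00:00:00:00", "224.0.0.9")
```

Enabling dst-mac on a segment with normal broadcast requests discards them all, which is why the page asks for a capture showing the inconsistency before turning that item on.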

Example

# Enable ARP packet validity check and configure the device to check the source MAC address in an ARP packet.

<HUAWEI> system-view
[HUAWEI] arp anti-attack packet-check sender-mac

arp anti-attack rate-limit

Function

The arp anti-attack rate-limit command sets the maximum rate and rate limiting duration of ARP packets globally, in a VLAN, or on an interface, and enables the function of discarding all ARP packets received from the interface when the rate of ARP packets exceeds the limit on an interface.

The undo arp anti-attack rate-limit command restores the default maximum rate and rate limiting duration of ARP packets globally, in a VLAN, or on an interface, and allows the device to send ARP packets to the CPU again.

By default, a maximum of 100 ARP packets are allowed to pass per second, and the function of discarding all ARP packets received from the interface when the rate of ARP packets exceeds the limit is disabled.

Format

System view, VLAN view

arp anti-attack rate-limit packet packet-number [ interval interval-value ]

undo arp anti-attack rate-limit

Interface view

arp anti-attack rate-limit packet packet-number [ interval interval-value | block-timer timer ] *

undo arp anti-attack rate-limit

Parameters

Parameter Description Value
packet packet-number Specifies the maximum rate of sending ARP packets, that is, the number of ARP packets allowed to pass through in the rate limiting duration. The value is an integer that ranges from 1 to 16384. The default value is 100.
interval interval-value Specifies the rate limiting duration of ARP packets. The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.
block-timer timer Specifies the duration for blocking ARP packets. The value is an integer that ranges from 5 to 864000, in seconds.

Views

System view, VLAN view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP packets is enabled, run the arp anti-attack rate-limit command to set the maximum rate and rate limiting duration of ARP packets globally, in a VLAN, or on an interface. In the rate limiting duration, if the number of received ARP packets exceeds the limit, the device discards the excess ARP packets.

If the parameter block-timer timer is specified, the device discards all ARP packets received in the duration specified by timer.

Prerequisites

Rate limit on ARP packets has been enabled globally, in a VLAN, or on an interface using the arp anti-attack rate-limit enable command.

Precautions

If the maximum rate and rate limiting duration are configured in the system view, VLAN view, and interface view at the same time, the device uses the configurations in the interface view, VLAN view, and system view in order.

This command can be configured on a maximum of 32 interfaces.

NOTE:

The arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU for processing in non-block mode, and does not affect ARP packet forwarding by the chip. In block mode, the device discards subsequent ARP packets on an interface only when the number of ARP packets sent to the CPU exceeds the limit.
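
An added Python model of the rate limiter, not Huawei code: scope precedence interface, then VLAN, then system (the Precautions above), a fixed rate limiting duration, and the interface-only block-timer. ArpRateLimiter, RateLimitCfg and the scope tuples are assumed names; the GE1/0/1 values come from the page's example (200 packets per 10 seconds, block for 60 seconds) and the VLAN setting is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Scope = Tuple[str, object]  # ("interface", "GE1/0/1"), ("vlan", 100), ("system", None)


@dataclass(frozen=True)
class RateLimitCfg:
    packets: int = 100                 # packet packet-number (default 100)
    interval: int = 1                  # interval interval-value, seconds (default 1)
    block_timer: Optional[int] = None  # block-timer timer, interface view only


class ArpRateLimiter:
    """Counts ARP packets sent to the CPU per configured scope.

    enable(scope, cfg) stands for "arp anti-attack rate-limit enable" plus
    "arp anti-attack rate-limit packet ..." in that view. For each packet
    the interface, VLAN and system configurations are consulted in that
    order and the first one enabled is used; packets beyond the limit
    within the interval are discarded, and a block-timer on an interface
    discards everything on that interface until the timer expires.
    """

    def __init__(self):
        self.cfg: Dict[Scope, RateLimitCfg] = {}
        self._window: Dict[Scope, Tuple[float, int]] = {}  # scope -> (start, count)
        self._block_until: Dict[str, float] = {}

    def enable(self, scope: Scope, cfg: RateLimitCfg = RateLimitCfg()) -> None:
        if scope[0] != "interface" and cfg.block_timer is not None:
            raise ValueError("block-timer is only accepted in the interface view")
        self.cfg[scope] = cfg

    def resolve(self, interface: str, vlan: int) -> Optional[Scope]:
        for scope in (("interface", interface), ("vlan", vlan), ("system", None)):
            if scope in self.cfg:
                return scope
        return None

    def receive(self, interface: str, vlan: int, now: float) -> str:
        """Return forwarded / discarded / blocked for one ARP packet."""
        if now < self._block_until.get(interface, 0.0):
            return "blocked"
        scope = self.resolve(interface, vlan)
        if scope is None:
            return "forwarded"              # rate limiting not enabled here
        cfg = self.cfg[scope]
        start, count = self._window.get(scope, (now, 0))
        if now - start >= cfg.interval:     # a new rate limiting duration begins
            start, count = now, 0
        count += 1
        self._window[scope] = (start, count)
        if count <= cfg.packets:
            return "forwarded"
        if scope[0] == "interface" and cfg.block_timer is not None:
            self._block_until[interface] = now + cfg.block_timer
        return "discarded"                  # excess packet in this interval


def demo() -> Dict[str, str]:
    """GE1/0/1: 200 packets per 10 s, block 60 s on overflow; VLAN 100:
    2 packets per second (constructed); other ports: system default."""
    rl = ArpRateLimiter()
    rl.enable(("system", None))
    rl.enable(("vlan", 100), RateLimitCfg(packets=2, interval=1))
    rl.enable(("interface", "GE1/0/1"),
              RateLimitCfg(packets=200, interval=10, block_timer=60))
    out = {}
    for _ in range(200):
        rl.receive("GE1/0/1", 100, 0.0)                        # all forwarded
    out["ge1_201st"] = rl.receive("GE1/0/1", 100, 0.5)         # discarded, block starts
    out["ge1_blocked"] = rl.receive("GE1/0/1", 100, 30.0)      # blocked by timer
    out["ge1_after_block"] = rl.receive("GE1/0/1", 100, 61.0)  # forwarded
    for _ in range(2):
        rl.receive("GE1/0/2", 100, 0.0)                        # VLAN 100 rule applies
    out["vlan_3rd"] = rl.receive("GE1/0/2", 100, 0.0)          # discarded
    out["vlan_next_second"] = rl.receive("GE1/0/2", 100, 1.0)  # forwarded
    out["system_default"] = rl.receive("GE1/0/3", 200, 0.0)    # forwarded
    return out
```

Note that GE1/0/2 is in VLAN 100 but has no interface-view configuration, so the VLAN limit governs it, while GE1/0/1 in the same VLAN uses its own interface-view limit.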

Example

# Configure Layer 2 interface GE1/0/1 to allow 200 ARP packets to pass through in 10 seconds, and configure GE1/0/1 to discard all ARP packets in 60 seconds when the number of ARP packets exceeds the limit.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60
# Configure Layer 3 interface GE1/0/1 to allow 200 ARP packets to pass through in 10 seconds, and configure GE1/0/1 to discard all ARP packets in 60 seconds when the number of ARP packets exceeds the limit.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60

arp anti-attack rate-limit alarm enable

Function

The arp anti-attack rate-limit alarm enable command enables the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit.

The undo arp anti-attack rate-limit alarm enable command disables the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit.

By default, the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit is disabled.

Format

arp anti-attack rate-limit alarm enable

undo arp anti-attack rate-limit alarm enable

Parameters

None

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP packets is enabled, if you want the device to generate alarms for excessive discarded ARP packets, run the arp anti-attack rate-limit alarm enable command. When the number of discarded ARP packets exceeds the alarm threshold, the device generates an alarm.

You can set the alarm threshold using the arp anti-attack rate-limit alarm threshold command.

Prerequisites

Rate limit on ARP packets has been enabled using the arp anti-attack rate-limit enable command.

Example

# Enable rate limit on ARP packets globally and enable the alarm function.

<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable
[HUAWEI] arp anti-attack rate-limit alarm enable

# Enable rate limit for the ARP packets on Layer 2 interface GE1/0/1 and enable the alarm function.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit alarm enable
# Enable rate limit for the ARP packets on Layer 3 interface GE1/0/1 and enable the alarm function.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit alarm enable

arp anti-attack rate-limit alarm threshold

Function

The arp anti-attack rate-limit alarm threshold command sets the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit.

The undo arp anti-attack rate-limit alarm threshold command restores the default alarm threshold.

By default, the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit is 100.

Format

arp anti-attack rate-limit alarm threshold threshold

undo arp anti-attack rate-limit alarm threshold

Parameters

Parameter Description Value
threshold Specifies the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit. The value is an integer that ranges from 1 to 16384.

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use the arp anti-attack rate-limit alarm threshold command to set the alarm threshold. When the number of discarded ARP packets exceeds the alarm threshold, the device generates an alarm.

Prerequisites

Rate limit on ARP packets has been enabled using the arp anti-attack rate-limit enable command, and the alarm function has been enabled using the arp anti-attack rate-limit alarm enable command.

Example

# Enable rate limit on ARP packets globally, enable the alarm function, and set the alarm threshold to 50.

<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable
[HUAWEI] arp anti-attack rate-limit alarm enable
[HUAWEI] arp anti-attack rate-limit alarm threshold 50

# Enable rate limit for the ARP packets on Layer 2 interface GE1/0/1, enable the alarm function, and set the alarm threshold to 50.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit alarm threshold 50
# Enable rate limit for the ARP packets on Layer 3 interface GE1/0/1, enable the alarm function, and set the alarm threshold to 50.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit alarm threshold 50

arp anti-attack rate-limit enable

Function

The arp anti-attack rate-limit enable command enables rate limit on ARP packets.

The undo arp anti-attack rate-limit enable command disables rate limit on ARP packets.

By default, rate limiting on ARP packets is disabled.

Format

arp anti-attack rate-limit enable

undo arp anti-attack rate-limit enable

Parameters

None

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

While processing a large number of ARP packets, the device does not have sufficient CPU resources left for other services. To protect the CPU resources of the device, limit the rate of ARP packets.

You can run the arp anti-attack rate-limit enable command to enable rate limit on ARP packets. When the rate of ARP packets exceeds the limit, excess ARP packets are discarded. To set the rate limit and rate limiting duration of ARP packets, run the arp anti-attack rate-limit command.

The optimized ARP reply function is enabled by default. While it is enabled (that is, unless you have run the arp optimized-reply disable command), rate limiting on ARP packets configured globally, in a VLAN, or on an interface does not take effect.

Example

# Enable rate limit on ARP packets globally.

<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable

# Enable rate limit for the ARP packets on Layer 2 interface GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit enable

# Enable rate limit for the ARP packets on Layer 3 interface GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit enable

arp gratuitous-arp send enable

Function

The arp gratuitous-arp send enable command enables gratuitous ARP packet sending.

The undo arp gratuitous-arp send enable command disables gratuitous ARP packet sending.

By default, gratuitous ARP packet sending is disabled.

Format

arp gratuitous-arp send enable

undo arp gratuitous-arp send enable

Parameters

None

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker forges the gateway address to send ARP packets to other user hosts, ARP entries on the hosts record the incorrect gateway address. As a result, the gateway cannot receive data sent from the hosts. You can enable gratuitous ARP packet sending on the gateway. Then the gateway sends gratuitous ARP packets at intervals to update the ARP entries of authorized users so that the ARP entries contain the correct MAC address of the gateway.

By default, the device sends a gratuitous ARP packet every 30 seconds after this function is enabled. You can also set the interval using the arp gratuitous-arp send interval command.

Precautions

After you run the arp gratuitous-arp send enable command in the system view, gratuitous ARP packet sending is enabled on all VLANIF interfaces.

After you run the undo arp gratuitous-arp send enable command in the system view, gratuitous ARP packet sending is disabled on all VLANIF interfaces.

Example

# Enable gratuitous ARP packet sending on VLANIF 10.

<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp gratuitous-arp send enable

arp gratuitous-arp send interval

Function

The arp gratuitous-arp send interval command sets the interval for sending gratuitous ARP packets.

The undo arp gratuitous-arp send interval command restores the default interval for sending gratuitous ARP packets.

By default, the interval for sending gratuitous ARP packets is 30 seconds.

Format

arp gratuitous-arp send interval interval-time

undo arp gratuitous-arp send interval

Parameters

Parameter

Description

Value

interval-time

Specifies the interval for sending gratuitous ARP packets.

The value is an integer that ranges from 1 to 86400, in seconds.

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device sends a gratuitous ARP packet every 30 seconds after gratuitous ARP sending is enabled. You can set the interval for sending gratuitous ARP packets using the arp gratuitous-arp send interval command.

If you set the interval in the system view, the configuration takes effect on all VLANIF interfaces. If you set the interval in both the system view and VLANIF interface view, the configuration on the VLANIF interface takes precedence over the global configuration.

Prerequisites

Gratuitous ARP packet sending has been enabled using the arp gratuitous-arp send enable command.

Example

# Set the interval for sending gratuitous ARP packets to 100 seconds on VLANIF 10.

<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp gratuitous-arp send enable
[HUAWEI-Vlanif10] arp gratuitous-arp send interval 100

arp learning dhcp-trigger

Function

The arp learning dhcp-trigger command enables ARP learning triggered by DHCP.

The undo arp learning dhcp-trigger command disables ARP learning triggered by DHCP.

By default, ARP learning triggered by DHCP is disabled.

Format

arp learning dhcp-trigger

undo arp learning dhcp-trigger

Parameters

None

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When many DHCP users connect to a network device, the device needs to learn and maintain many ARP entries. This affects device performance.

To address this issue, configure ARP learning triggered by DHCP on the gateway. When the DHCP server allocates an IP address for a user, the gateway generates an ARP entry for the user based on the DHCP ACK packet received on the VLANIF interface.

Precautions

Before using this command, ensure that DHCP is enabled using the dhcp enable command.

When both VRRP and DHCP relay are configured on the network, neither the dhcp snooping enable command nor the arp learning dhcp-trigger command can be configured on the VRRP master and backup devices.

Example

# Enable ARP learning triggered by DHCP on VLANIF 100.

<HUAWEI> system-view
[HUAWEI] vlan batch 100
[HUAWEI] dhcp enable
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp learning dhcp-trigger

arp learning disable

Function

The arp learning disable command disables an interface from learning dynamic ARP entries.

The undo arp learning disable command enables an interface to learn dynamic ARP entries.

By default, an interface is enabled to learn dynamic ARP entries.

Format

arp learning disable

undo arp learning disable

Parameters

None

Views

VLANIF interface view, VBDIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To ensure security and facilitate management, you can enable an interface to learn or disable an interface from learning dynamic ARP entries. You can also use the arp learning strict (system view) or arp learning strict (interface view) commands to strictly control ARP entry learning on an interface.

Precautions

If an interface is disabled from learning dynamic ARP entries, communication with hosts reached through that interface for which no ARP entry exists is interrupted.

If an interface has already learned dynamic ARP entries, the system does not delete them when the interface is disabled from learning. You can keep these entries or delete them manually with the reset arp command.

Example

# Disable VLANIF10 from learning dynamic ARP entries.

<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp learning disable

arp learning strict (interface view)

Function

The arp learning strict command enables strict ARP learning on the interface.

The undo arp learning strict command restores the global configuration on the interface.

By default, strict ARP learning is disabled on the interface.

Format

arp learning strict { force-enable | force-disable | trust }

undo arp learning strict

Parameters

Parameter Description Value
force-enable Indicates that strict ARP learning is enabled. -
force-disable Indicates that strict ARP learning is disabled. -
trust Indicates that the configuration of strict ARP learning is the same as the global configuration. (The effect of the trust parameter is the same as that of the undo arp learning strict command.) -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If many user hosts send a large number of ARP packets to a device simultaneously, or attackers send bogus ARP packets to the device, the following problems occur:
  • Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, enable strict ARP learning on the gateway. This function indicates that the device learns only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself, but does not allow the device to learn the ARP entries for the ARP packets received from other devices. In this way, the device can defend against most ARP attacks.

Prerequisites

If the Ethernet interface works in Layer 2 mode, run the undo portswitch command first to switch the interface to Layer 3 mode.

Precautions

The configuration on an interface takes precedence over the global configuration.

When ARP attacks occur on many interfaces of the device, you can run the arp learning strict (system view) command to enable strict ARP learning globally.

Example

# Enable strict ARP learning on VLANIF 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp learning strict force-enable

# Enable strict ARP learning on Layer 3 interface GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp learning strict force-enable

arp learning strict (system view)

Function

The arp learning strict command enables strict ARP learning.

The undo arp learning strict command restores the default setting.

By default, strict ARP learning is disabled.

Format

arp learning strict

undo arp learning strict

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If many user hosts send a large number of ARP packets to a device simultaneously, or attackers send bogus ARP packets to the device, the following problems occur:
  • Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, enable strict ARP learning on the gateway. This function indicates that the device learns only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself. In this way, the device can defend against most ARP attacks.

Precautions

The configuration on an interface takes precedence over the global configuration.

Example

# Enable strict ARP learning.

<HUAWEI> system-view
[HUAWEI] arp learning strict

arp optimized-passby enable

Function

The arp optimized-passby enable command configures the device not to send ARP packets destined for other devices to the CPU.

The undo arp optimized-passby enable command configures the device to send ARP packets destined for other devices to the CPU.

By default, a device does not send ARP packets destined for other devices to the CPU.

Format

arp optimized-passby enable

undo arp optimized-passby enable

NOTE:

Only X series cards support this command.

Parameters

None

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an interface receives a large number of ARP packets whose destination IP addresses are different from the IP address of this interface and sends these ARP packets to the CPU for processing, the CPU usage is high and the CPU cannot process services properly.

To prevent this issue, you can configure the device to directly forward ARP packets destined for other devices without sending them to the CPU. This improves the device's capability of defending against ARP flood attacks.

Precautions

If any of the following configurations is performed, the configuration of disabling the device from sending ARP packets destined for other devices to the CPU does not take effect on a VLANIF interface:

Example

# Configure the device to send ARP packets destined for other devices to the CPU.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] undo arp optimized-passby enable

arp optimized-reply disable

Function

The arp optimized-reply disable command disables the optimized ARP reply function.

The undo arp optimized-reply disable command enables the optimized ARP reply function.

By default, the optimized ARP reply function is enabled.

Format

arp optimized-reply disable

undo arp optimized-reply disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A gateway may receive a large number of ARP Request packets that ask the device to reply with its local interface MAC address. If all these ARP Request packets are sent to the control board for processing, the CPU is busy with these ARP Request packets and cannot process other services.

To address the preceding problem, enable optimized ARP reply, which improves the switch's capability of defending against ARP flood attacks. After this function is enabled, the switch performs the following operations:
  • When receiving an ARP Request packet of which the destination IP address is the local interface address, the LPU directly returns an ARP Reply packet.
  • When a switch receives an ARP Request packet of which the destination IP address is not the local interface address and intra-VLAN proxy ARP is enabled on the switch, the LPU checks whether the ARP Request packet meets the proxy condition. If so, the LPU returns an ARP Reply packet. If not, the LPU discards the packet.
The optimized ARP reply function is applicable to a device with multiple LPUs configured.

By default, the optimized ARP reply function is enabled. After a device receives an ARP Request packet, the device checks whether an ARP entry corresponding to the source IP address of the ARP Request packet exists.
  • If there is a corresponding ARP entry, the switch performs optimized ARP reply to this ARP Request packet.
  • If there is no corresponding ARP entry, the switch does not perform optimized ARP reply to this ARP Request packet.

Precautions

  • The optimized ARP reply function does not take effect for ARP Request packets with double VLAN tags.
  • The optimized ARP reply function takes effect for ARP Request packets sent by wireless users.
  • The optimized ARP reply function takes effect only for the ARP Request packets received by VLANIF interfaces, VBDIF interfaces, Eth-Trunk sub-interfaces, and physical sub-interfaces. The optimized ARP reply function does not take effect for the ARP Request packets sent from the VLANIF interfaces of super VLANs and sub VLANs.
  • The optimized ARP reply function does not take effect globally or on interfaces after you run any of the following commands:
  • After the optimized ARP reply function is enabled, the following functions become invalid:

Example

# Disable the optimized ARP reply function.

<HUAWEI> system-view
[HUAWEI] arp optimized-reply disable

arp over-vpls enable

Function

The arp over-vpls enable command enables ARP proxy on a device of a VPLS network.

The undo arp over-vpls enable command disables ARP proxy on a device of a VPLS network.

By default, ARP proxy is disabled on a device of a VPLS network.

Format

arp over-vpls enable

undo arp over-vpls enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent bogus ARP packets at the PW side from being broadcast to the AC side on a VPLS network, enable ARP proxy over VPLS on a PE.

ARP packets at the PW side are sent to the control board for processing.
  • If the ARP packets are ARP Request packets and the destination IP addresses in the packets match DHCP snooping binding entries, the device constructs ARP Reply packets based on the DHCP snooping binding entries and sends them to the requester at the PW side.
  • If the ARP packets are not ARP Request packets or the destination IP addresses in the packets match no DHCP snooping binding entry, the device forwards these ARP packets to the destination.

Precautions

Before using this command, ensure that DHCP snooping is enabled using the dhcp snooping over-vpls enable command.

Example

# Enable ARP proxy on a device of a VPLS network.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping over-vpls enable
[HUAWEI] arp over-vpls enable

arp snooping enable

Function

The arp snooping enable command enables ARP snooping.

The undo arp snooping enable command disables ARP snooping.

By default, ARP snooping is disabled on the device.

Format

arp snooping enable

undo arp snooping enable

Parameters

None

Views

System view, VLAN view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During video network O&M, the NMS needs to obtain the IP addresses and MAC addresses of NEs to draw a network topology for subsequent O&M. For LLDP-incapable NEs, you can configure the ARP snooping function on the access switch. This function enables the device to obtain the IP addresses and MAC addresses of NEs from the ARP packets sent from the NEs, and generate ARP snooping entries.

After ARP snooping is enabled, the device sends the received ARP packets to the CPU. The CPU analyzes the ARP packets to obtain the source IP address, source MAC address, VLAN ID, and inbound interface of the packets, and creates an ARP snooping entry to record user information.

After an ARP snooping entry is created, it ages after 900 seconds by default. An ARP snooping entry is created based on the source IP address and VLAN information of an ARP packet. If no ARP snooping entry matches the source IP address and VLAN information of a received ARP packet, the device creates a new ARP snooping entry. If the source IP address and VLAN information of a received ARP packet are the same as those in an existing ARP snooping entry, the device updates the MAC address and interface information in the entry and resets the aging timer.
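
The entry semantics just described (entries keyed by source IP address and VLAN, MAC address and inbound interface overwritten by every matching packet, a 900-second aging timer that is reset on update), as an added Python model that is not Huawei's code. The address strings, the GE1/0/1-style interface names and the timestamps are constructed for illustration.

```python
"""Added example (not Huawei code): a model of the ARP snooping entry table
described above. Entries are keyed by (source IP, VLAN ID); a packet whose
key already exists overwrites the MAC and interface and restarts the 900 s
aging timer. Address strings and interface names are illustrative."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_AGING = 900  # seconds, the default aging time stated on the page


@dataclass
class SnoopEntry:
    mac: str
    interface: str
    expires_at: float


class ArpSnoopingTable:
    def __init__(self, aging: int = DEFAULT_AGING) -> None:
        self.aging = aging
        self.entries: Dict[Tuple[str, int], SnoopEntry] = {}

    def observe(self, src_ip: str, src_mac: str, vlan: int,
                interface: str, now: float) -> str:
        """Record one ARP packet seen on `interface` at time `now`.
        Returns "create" for a new (IP, VLAN) key or "update" when an
        existing entry was overwritten and its timer reset."""
        self.expire(now)
        key = (src_ip, vlan)
        action = "update" if key in self.entries else "create"
        self.entries[key] = SnoopEntry(src_mac, interface, now + self.aging)
        return action

    def expire(self, now: float) -> int:
        """Drop entries whose aging timer has run out; returns how many."""
        stale = [k for k, e in self.entries.items() if e.expires_at <= now]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def lookup(self, ip: str, vlan: int) -> Optional[SnoopEntry]:
        return self.entries.get((ip, vlan))

    def topology(self) -> List[Tuple[str, int, str, str]]:
        """What an NMS would read back: (IP, VLAN, MAC, interface) rows."""
        return sorted((ip, vlan, e.mac, e.interface)
                      for (ip, vlan), e in self.entries.items())


def demo() -> List[Tuple[str, int, str, str]]:
    """Constructed packet sequence: a camera on GE1/0/1, then a second
    station on GE1/0/2 that uses the camera's IP in the same VLAN, then the
    same IP seen in another VLAN. The second packet silently rewrites the
    first entry; the third creates a separate one."""
    t = ArpSnoopingTable()
    t.observe("10.0.0.5", "00e0-fc01-0001", 100, "GE1/0/1", now=0.0)
    t.observe("10.0.0.5", "00e0-fc01-0002", 100, "GE1/0/2", now=10.0)
    t.observe("10.0.0.5", "00e0-fc01-0003", 200, "GE1/0/3", now=20.0)
    return t.topology()


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The point the model makes explicit: ARP snooping is passive inventory, not a binding check. Any station that sends an ARP packet with an IP address already in the table for that VLAN replaces the recorded MAC and interface, so a topology drawn from these entries reflects whoever spoke last, not who is authorised.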

Precautions

You must enable ARP snooping in the system view, and then enable ARP snooping in a VLAN or on an interface.

Example

# Enable ARP snooping on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] arp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp snooping enable

# Enable ARP snooping in VLAN 100.

<HUAWEI> system-view
[HUAWEI] arp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp snooping enable

arp speed-limit flood-rate

Function

The arp speed-limit flood-rate command sets the maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs.

The undo arp speed-limit flood-rate command restores the default maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs.

By default, the maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs is 1000 pps.

Format

arp speed-limit flood-rate rate

undo arp speed-limit flood-rate

Parameters

Parameter

Description

Value

rate

Specifies the maximum rate of broadcasting ARP Request packets.

The value is an integer that ranges from 0 to 32768, in pps. The value 0 indicates that the rate of broadcasting ARP packets is not limited.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

A VLANIF interface in a super-VLAN is triggered to learn ARP entries in the following scenarios:

  • The VLANIF interface receives IP packets triggering ARP Miss messages.
  • The VLANIF interface is enabled with ARP proxy and receives ARP packets whose destination IP addresses meet the proxy requirements and match no ARP entry.

The VLANIF interface replicates ARP Request packets in each sub-VLAN when learning ARP entries. If a large number of sub-VLANs are configured for the super-VLAN, the device generates a large number of ARP Request packets. As a result, the CPU is busy processing ARP Request packets, and other services are affected. To prevent this problem, limit the rate of ARP packets on the VLANIF interface of a super-VLAN.

When the CPU is busy processing packets, set the maximum rate of broadcasting ARP Request packets to a small value. When the CPU is idle, set the maximum rate of broadcasting ARP Request packets to a large value to broadcast packets efficiently. You can set the maximum rate of broadcasting ARP Request packets based on the actual network environment.

Example

# Set the maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs to 500 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit flood-rate 500

arp speed-limit source-mac

Function

The arp speed-limit source-mac command sets the maximum rate of ARP packets based on source MAC addresses.

The undo arp speed-limit source-mac command restores the default setting.

By default, the maximum rate of ARP packets from each source MAC address is set to 0, that is, the rate of ARP packets is not limited based on source MAC addresses.

Format

arp speed-limit source-mac [ mac-address ] maximum maximum

undo arp speed-limit source-mac [ mac-address ]

Parameters

Parameter Description Value
mac-address

Specifies the source MAC address. If this parameter is specified, the rate of ARP packets from the MAC address is limited.

If this parameter is not specified, the rate of ARP packets from each MAC address is limited.

The value is in the H-H-H format. H is a hexadecimal number of 1 to 4 digits.

maximum maximum

Specifies the maximum rate of ARP packets from a specified MAC address.

The value is an integer that ranges from 0 to 16384, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When processing a large number of ARP packets with fixed source MAC addresses but variable source IP addresses, the CPU is overloaded and ARP entries are exhausted. To prevent this problem, limit the rate of ARP packets based on source MAC addresses.

After the arp speed-limit source-mac command is run, the device collects statistics on ARP packets by source MAC address. If the number of ARP packets from a source MAC address per second exceeds the threshold, the device discards the excess ARP packets.

Precautions

Limiting the rate of all ARP packets is not recommended. You are advised to find out the attack source according to packet statistics, and then limit the rate of ARP packets from the specified source MAC address.

If the source MAC address is not specified, the rate of ARP packets from each MAC address is limited. If the rate of ARP packets from each source IP address is set using the arp speed-limit source-ip command at the same time and the rate is the same as that set using the arp speed-limit source-mac command, both commands take effect. When receiving ARP packets from a fixed source, the device limits the rate of these packets based on the maximum rate set by the arp speed-limit source-mac command.

The optimized ARP reply function is enabled by default. While it is enabled (that is, unless you have run the arp optimized-reply disable command), rate limiting on ARP packets based on the source MAC address does not take effect.

Example

# Set the maximum rate of ARP packets from any source MAC address to 100 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-mac maximum 100

# Set the maximum rate of ARP packets from a specified MAC address 0-0-1 to 50 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-mac 0-0-1 maximum 50

arp speed-limit source-ip

Function

The arp speed-limit source-ip command sets the maximum rate of ARP packets based on the source IP address.

The undo arp speed-limit source-ip command restores the default setting.

By default, the device allows a maximum of 30 ARP packets from the same source IP address to pass through per second.

Format

arp speed-limit source-ip [ ip-address ] maximum maximum

undo arp speed-limit source-ip [ ip-address ]

Parameters

Parameter Description Value
ip-address

Specifies the source IP address. If this parameter is specified, the rate of ARP packets from the IP address is limited.

If this parameter is not specified, the rate of ARP packets from each IP address is limited.

The value is in dotted decimal notation.
maximum maximum

Specifies the maximum rate of ARP packets from a specified source IP address.

NOTE:

If the rate of ARP packets from every source IP address is limited (no ip-address specified), a large value is recommended, because valid packets may be discarded if the value is small; however, a very large value degrades system performance. If a specific IP address is found to be the attack source, set the maximum rate of ARP packets from that IP address to a small value.

The value is an integer that ranges from 0 to 16384, in pps. If the value is 0, the rate of ARP packets is not limited based on the source IP address.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When processing a large number of ARP packets with fixed IP addresses (for example, the ARP packets with the same source IP addresses but frequently changing MAC addresses or outbound interfaces), the CPU is overloaded and cannot process other services. To prevent this problem, limit the rate of ARP packets based on the source IP address.

After the arp speed-limit source-ip command is run, the device collects statistics on ARP packets based on the source IP address. If the number of ARP packets from a specified source IP address per second exceeds the threshold, the device discards the excess ARP packets.

Precautions

Limiting the rate of all ARP packets is not recommended. You are advised to find out the attack source according to packet statistics, and then limit the rate of ARP packets from the specified source IP address.

When you confirm that the network is secure, set the rate limit to 0 to increase ARP learning speed. After the rate limit is set to 0, the device does not limit the ARP packet rate based on source IP addresses.

If the source IP address is not specified, the rate of ARP packets from each IP address is limited. If the rate of ARP packets from each source MAC address is set using the arp speed-limit source-mac command at the same time and the rate is the same as that set using the arp speed-limit source-ip command, both commands take effect. When receiving ARP packets from a fixed source, the device limits the rate of these packets based on the maximum rate set by the arp speed-limit source-mac command.

The optimized ARP reply function is enabled by default. While it is enabled (that is, unless you have run the arp optimized-reply disable command), rate limiting on ARP packets based on the source IP address does not take effect.
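
The per-source limiting described for arp speed-limit source-mac and arp speed-limit source-ip, together with the discard counter and alarm threshold of the arp anti-attack rate-limit alarm commands, as one added Python model that is not Huawei's code. The one-second fixed window, the addresses and the traffic pattern are assumptions made for illustration; the page's defaults (no per-MAC limit, 30 pps per source IP) are used as the starting configuration.

```python
"""Added example (not Huawei code): per-source ARP rate limiting as the
arp speed-limit source-mac and arp speed-limit source-ip commands describe
it, plus a discard counter with an alarm threshold like the one the
arp anti-attack rate-limit alarm commands provide. The fixed one-second
counting window and all addresses are illustrative."""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple


class ArpSourceRateLimiter:
    def __init__(self, mac_limit: int = 0, ip_limit: int = 30,
                 per_mac: Optional[Dict[str, int]] = None,
                 per_ip: Optional[Dict[str, int]] = None,
                 alarm_threshold: int = 100) -> None:
        # Page defaults: no per-MAC limit (0), 30 pps per source IP.
        self.mac_limit = mac_limit
        self.ip_limit = ip_limit
        self.per_mac = dict(per_mac or {})  # "arp speed-limit source-mac H-H-H maximum N"
        self.per_ip = dict(per_ip or {})    # "arp speed-limit source-ip A.B.C.D maximum N"
        self.alarm_threshold = alarm_threshold
        self._second: Optional[int] = None
        self._mac_count: Dict[str, int] = defaultdict(int)
        self._ip_count: Dict[str, int] = defaultdict(int)
        self.discarded = 0
        self.alarm_raised = False

    def _roll_window(self, now: float) -> None:
        sec = int(now)
        if sec != self._second:  # new second: per-source counters start over
            self._second = sec
            self._mac_count.clear()
            self._ip_count.clear()

    def accept(self, src_mac: str, src_ip: str, now: float) -> bool:
        """True if the packet goes on to ARP processing, False if discarded."""
        self._roll_window(now)
        mac_limit = self.per_mac.get(src_mac, self.mac_limit)
        ip_limit = self.per_ip.get(src_ip, self.ip_limit)
        self._mac_count[src_mac] += 1
        self._ip_count[src_ip] += 1
        over_mac = mac_limit > 0 and self._mac_count[src_mac] > mac_limit
        over_ip = ip_limit > 0 and self._ip_count[src_ip] > ip_limit
        if over_mac or over_ip:
            self.discarded += 1
            if self.discarded > self.alarm_threshold:
                self.alarm_raised = True  # alarm once discards exceed the threshold
            return False
        return True


def run_burst(limiter: ArpSourceRateLimiter, src_mac: str,
              src_ips: Iterable[str], now: float) -> Tuple[int, int]:
    """Feed one packet per source IP from one MAC within a single second;
    returns (accepted, discarded) for that burst."""
    accepted = discarded = 0
    for ip in src_ips:
        if limiter.accept(src_mac, ip, now):
            accepted += 1
        else:
            discarded += 1
    return accepted, discarded


def demo() -> Dict[str, Tuple[int, int]]:
    """Constructed traffic: one MAC cycling through 200 source IPs in one
    second, the fixed-MAC / variable-IP pattern the page describes."""
    attacker = "00e0-fcbe-ef01"
    ips = [f"10.0.0.{i + 1}" for i in range(200)]
    default = ArpSourceRateLimiter()                        # page defaults only
    pinned = ArpSourceRateLimiter(per_mac={attacker: 50})   # after finding the source
    return {"default": run_burst(default, attacker, ips, 1.0),
            "pinned": run_burst(pinned, attacker, ips, 1.0)}
```

The model shows why the page tells you to find the attack source first: with only the default per-IP limit, a flood that rotates source IPs behind one MAC passes in full, because each IP stays under 30 pps. Pinning a per-MAC limit on the identified source drops the excess and, once the discard count passes the threshold, raises the alarm.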

Example

# Set the maximum rate of ARP packets from a source IP address to 100 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-ip maximum 100

# Set the maximum rate of ARP packets from a specified IP address 10.0.0.1 to 50 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-ip 10.0.0.1 maximum 50

arp validate (interface view)

Function

The arp validate command enables MAC address consistency check in an ARP packet on an interface. This function compares the source and destination MAC addresses in ARP packets with those in the Ethernet frame header.

The undo arp validate command disables MAC address consistency check in an ARP packet on an interface.

By default, MAC address consistency check in an ARP packet is disabled.

Format

arp validate { source-mac | destination-mac } *

undo arp validate { source-mac | destination-mac } *

Parameters

Parameter Description Value
source-mac Indicates that the device compares the source MAC address in a received ARP packet with that in the Ethernet frame header. -
destination-mac Indicates that the device compares the destination MAC address in a received ARP packet with that in the Ethernet frame header. -

Views

GE interface view, 40GE interface view, XGE interface view, 100GE interface view, port group view, Eth-Trunk interface view, VE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The MAC address consistency check function for ARP packets prevents attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header. This function is usually configured on gateways.

After the arp validate command is run, the gateway checks MAC address consistency before ARP learning. If a checked MAC address in the ARP packet differs from the corresponding address in the Ethernet frame header, the device discards the packet as an attack packet; if they match, the device performs ARP learning.

When using this command, note the following points:
  • If source-mac is specified:
    • When receiving an ARP Request packet, the device checks only the source MAC address consistency.
    • When receiving an ARP Reply packet, the device checks only the source MAC address consistency.
  • If destination-mac is specified:
    • When receiving an ARP Request packet, the device does not check the destination MAC address consistency because the ARP Request packet is broadcast.

    • When receiving an ARP Reply packet, the device checks the destination MAC address consistency.
  • If source-mac and destination-mac are specified:
    • When receiving an ARP Request packet, the device checks only the source MAC address consistency.
    • When receiving an ARP Reply packet, the device checks the source and destination MAC address consistency.
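
The rules listed above, applied to raw Ethernet/ARP frames, as an added Python example that is not Huawei's code. It also builds the gratuitous ARP frame that the arp gratuitous-arp send enable section describes the gateway sending. The frame layout is the standard ARP-over-Ethernet encoding; all MAC and IP addresses passed to the build_* functions are constructed test data.

```python
"""Added example (not Huawei code): the MAC address consistency check that
arp validate describes, applied to raw Ethernet/ARP frames. Frame layout is
the standard ARP-over-Ethernet encoding; the addresses used in the
build_* calls are constructed test data."""
import ipaddress
import struct
from typing import Tuple

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff-ff-ff-ff-ff-ff"
ZERO_MAC = "00-00-00-00-00-00"


def mac_bytes(text: str) -> bytes:
    """Accepts Huawei H-H-H notation as well as colon/hyphen notation."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_arp_frame(eth_src: str, eth_dst: str, oper: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet header followed by a 28-byte ARP packet. Ethernet addresses
    are given separately from the ARP-payload addresses so that inconsistent
    (bogus) frames can be constructed on purpose."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def build_gratuitous_arp(own_mac: str, own_ip: str) -> bytes:
    """The frame a gateway sends to refresh hosts' ARP entries with its own
    MAC address: a broadcast request whose sender IP equals its target IP."""
    return build_arp_frame(own_mac, BROADCAST, ARP_REQUEST,
                           own_mac, own_ip, ZERO_MAC, own_ip)


def validate(frame: bytes, check_source: bool,
             check_destination: bool) -> Tuple[bool, str]:
    """Apply the arp validate rules: the source check covers requests and
    replies; the destination check applies only to replies, because a
    request is broadcast and its Ethernet destination is not the target."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return False, "truncated"
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return False, "not ARP"
    htype, ptype, hlen, plen, oper, sha, _spa, tha, _tpa = ARP_PKT.unpack_from(
        frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return False, "not Ethernet/IPv4 ARP"
    if check_source and sha != eth_src:
        return False, "source MAC mismatch"
    if check_destination and oper == ARP_REPLY and tha != eth_dst:
        return False, "destination MAC mismatch"
    return True, "ok"


def is_gratuitous(frame: bytes) -> bool:
    """Sender protocol address equals target protocol address."""
    fields = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return fields[6] == fields[8]
```

A caveat the check itself cannot express: a spoofer that writes its own MAC address consistently into both the Ethernet header and the ARP payload passes this check. Consistency checking removes malformed bogus packets; binding-based checks such as DAI with user-bind entries are what tie a MAC address to an IP address.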

Precautions

Sub-interfaces do not support the arp validate command. When receiving ARP packets, a sub-interface checks MAC address consistency based on the rule configured on the primary interface.

Example

# Enable MAC address consistency check in an ARP packet on Layer 2 interface GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp validate source-mac destination-mac

# Enable MAC address consistency check in an ARP packet on Layer 3 interface GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp validate source-mac destination-mac

arp-fake expire-time

Function

The arp-fake expire-time command sets the aging time of temporary ARP entries.

The undo arp-fake expire-time command restores the default aging time of temporary ARP entries.

By default, the aging time of temporary ARP entries is 3 seconds.

Format

arp-fake expire-time expire-time

undo arp-fake expire-time

Parameters

Parameter Description Value
expire-time Specifies the aging time of temporary ARP entries. The value is an integer that ranges from 1 to 36000, in seconds.

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, VLANIF interface view, VBDIF interface view, VE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network.
  • Within the aging time of a temporary ARP entry:
    • Before receiving an ARP Reply packet, the device discards the IP packets matching the temporary ARP entry and does not generate ARP Miss messages.
    • After receiving an ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • When temporary ARP entries age out, the device clears them. If no ARP entry matches the IP packets forwarded by the device, ARP Miss messages and temporary ARP entries are repeatedly generated.

When a device undergoes an ARP Miss attack, you can run the arp-fake expire-time command to extend the aging time of temporary ARP entries to reduce the frequency of triggering ARP Miss messages and minimize the impact on the device.

Example

# Set the aging time of temporary ARP entries to 10 seconds on VLANIF10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-fake expire-time 10
# Set the aging time of temporary ARP entries to 10 seconds on Layer 3 interface GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp-fake expire-time 10

arp-limit

Function

The arp-limit command sets the maximum number of ARP entries that an interface can dynamically learn.

The undo arp-limit command deletes the maximum number of ARP entries that an interface can dynamically learn.

By default, the maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.

Format

VLANIF interface, VBDIF interface, VE sub-interface, Layer 3 interface, and Ethernet sub-interface:

arp-limit maximum maximum

undo arp-limit

VE sub-interface, Layer 2 interface and port group:

arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

undo arp-limit vlan vlan-id1 [ to vlan-id2 ]

Parameters

Parameter

Description

Value

vlan vlan-id1 [ to vlan-id2 ]

Specifies the ID of a VLAN from which the maximum number of ARP entries an interface can dynamically learn is limited.

  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1. vlan-id1 and vlan-id2 specify a range of VLANs. If to vlan-id2 is not specified, the device limits the maximum number of ARP entries an interface dynamically learns from the VLAN vlan-id1. If to vlan-id2 is specified, the device limits the maximum number of ARP entries an interface dynamically learns from each VLAN from vlan-id1 to vlan-id2.

The values of vlan-id1 and vlan-id2 are integers that range from 1 to 4094.

maximum maximum

Specifies the maximum number of ARP entries that an interface can dynamically learn.

The value is an integer that ranges from 1 to 16384.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent ARP entries from being exhausted by ARP attacks from a host connecting to an interface on the device, set the maximum number of ARP entries that the interface can dynamically learn. When the number of the ARP entries learned by a specified interface reaches the maximum number, no dynamic ARP entry can be added.

Precautions

If the number of ARP entries learned by an interface exceeds the maximum number, the device neither learns new ARP entries nor clears the learned ARP entries. Instead, the device asks users to delete the excess ARP entries.

If the arp-limit vlan vlan-id1 to vlan-id2 maximum maximum command is run more than once, the following situations are available:
  • If maximum maximum is the same in multiple command instances, all configurations take effect. For example, if the arp-limit vlan 10 to 30 maximum 200 command and then the arp-limit vlan 35 to 40 maximum 200 command are run, both configurations take effect. If the VLAN ranges specified in multiple command instances are overlapping, the system automatically merges the VLAN ranges. For example, if the arp-limit vlan 50 to 80 maximum 200 command and then the arp-limit vlan 70 to 100 maximum 200 command are run, both configurations take effect, and the system merges the configurations into arp-limit vlan 50 to 100 maximum 200.
  • If maximum maximum is different in multiple command instances, the latest configuration overrides the previous one for the same VLAN range. For example, if the arp-limit vlan 10 to 30 maximum 200 command and then the arp-limit vlan 15 to 25 maximum 300 command are run, the system automatically divides the configurations into arp-limit vlan 10 to 14 maximum 200, arp-limit vlan 15 to 25 maximum 300, and arp-limit vlan 26 to 30 maximum 200.
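The merge and override rules above, carried out in an added Python model that is not the switch's code: apply_arp_limit combines successive arp-limit vlan ... maximum commands on one interface, render produces the resulting command lines, and undo_arp_limit removes a range again. The function names and the representation of the configuration as (first, last, maximum) tuples are assumptions of the model; the three examples from the Precautions are reused as its inputs.

```python
"""Added model of how successive arp-limit vlan ... maximum commands combine on
one Layer 2 interface, following the merge/override rules in the Precautions."""

VLAN_MIN, VLAN_MAX = 1, 4094
ARP_LIMIT_MAX = 16384


def apply_arp_limit(config, vlan_id1, vlan_id2, maximum):
    """Apply 'arp-limit vlan vlan_id1 to vlan_id2 maximum maximum' to an existing
    configuration (a list of non-overlapping (first, last, maximum) tuples) and
    return the resulting configuration sorted by VLAN."""
    if not VLAN_MIN <= vlan_id1 <= vlan_id2 <= VLAN_MAX:
        raise ValueError("vlan-id1 and vlan-id2 must be 1..4094 with vlan-id2 >= vlan-id1")
    if not 1 <= maximum <= ARP_LIMIT_MAX:
        raise ValueError("maximum must be 1..16384")
    kept = []
    for first, last, limit in sorted(config):
        if last < vlan_id1 or first > vlan_id2:
            kept.append((first, last, limit))          # disjoint range: untouched
        elif limit == maximum:
            # same maximum: the overlapping ranges are merged into one
            vlan_id1, vlan_id2 = min(vlan_id1, first), max(vlan_id2, last)
        else:
            # different maximum: the new command overrides the overlap only,
            # leaving the non-overlapping remainder of the old range in place
            if first < vlan_id1:
                kept.append((first, vlan_id1 - 1, limit))
            if last > vlan_id2:
                kept.append((vlan_id2 + 1, last, limit))
    kept.append((vlan_id1, vlan_id2, maximum))
    return sorted(kept)


def undo_arp_limit(config, vlan_id1, vlan_id2=None):
    """Apply 'undo arp-limit vlan vlan_id1 [to vlan_id2]': drop the limit from that range,
    keeping whatever part of an existing range lies outside it."""
    vlan_id2 = vlan_id1 if vlan_id2 is None else vlan_id2
    kept = []
    for first, last, limit in sorted(config):
        if last < vlan_id1 or first > vlan_id2:
            kept.append((first, last, limit))
            continue
        if first < vlan_id1:
            kept.append((first, vlan_id1 - 1, limit))
        if last > vlan_id2:
            kept.append((vlan_id2 + 1, last, limit))
    return kept


def render(config):
    """Render the configuration as the command lines the device would keep."""
    lines = []
    for first, last, limit in config:
        vlans = f"vlan {first}" if first == last else f"vlan {first} to {last}"
        lines.append(f"arp-limit {vlans} maximum {limit}")
    return lines
```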

Example

# Configure that VLANIF 10 can dynamically learn a maximum of 20 ARP entries.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-limit maximum 20
# Configure that Layer 3 interface GE1/0/1 can dynamically learn a maximum of 20 ARP entries.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp-limit maximum 20
# Configure that Layer 2 interface GE1/0/1 can dynamically learn a maximum of 20 ARP entries corresponding to VLAN 10.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp-limit vlan 10 maximum 20

arp-miss anti-attack rate-limit

Function

The arp-miss anti-attack rate-limit command sets the maximum rate and rate limiting duration of ARP Miss messages globally, in a VLAN, or on an interface.

The undo arp-miss anti-attack rate-limit command restores the default maximum rate and rate limiting duration of ARP Miss messages globally, in a VLAN, or on an interface.

By default, the device can process a maximum of 100 ARP Miss messages per second.

Format

arp-miss anti-attack rate-limit packet packet-number [ interval interval-value ]

undo arp-miss anti-attack rate-limit

Parameters

Parameter

Description

Value

packet packet-number

Specifies the maximum rate of ARP Miss messages, that is, the number of ARP Miss messages the device processes in the rate limiting duration.

The value is an integer that ranges from 1 to 16384. The default value is 100.

interval interval-value

Specifies the rate limiting duration of ARP Miss messages.

The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP Miss messages is enabled, you can set the maximum rate and rate limiting duration of ARP Miss messages globally, in a VLAN, or on an interface. If the number of ARP Miss messages triggered by IP packets in the rate limiting duration exceeds the limit, the device does not process the excess ARP Miss messages and discards the IP packets that triggered them.

Prerequisites

Rate limit on ARP Miss messages has been enabled globally, in a VLAN, or on an interface using the arp-miss anti-attack rate-limit enable command.

Precautions

If rate limit on ARP Miss messages is configured in the system view, VLAN view, and interface view, the device applies the configurations in the following order of precedence: interface view first, then VLAN view, then system view.

Example

# Configure the device to process a maximum of 200 ARP Miss messages triggered by IP packets from Layer 2 interface GE1/0/1 in 10 seconds.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit packet 200 interval 10
# Configure the device to process a maximum of 200 ARP Miss messages triggered by IP packets from Layer 3 interface GE1/0/1 in 10 seconds.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit packet 200 interval 10

arp-miss anti-attack rate-limit alarm enable

Function

The arp-miss anti-attack rate-limit alarm enable command enables the alarm function for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.

The undo arp-miss anti-attack rate-limit alarm enable command disables the alarm function for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.

By default, the alarm function is disabled.

Format

arp-miss anti-attack rate-limit alarm enable

undo arp-miss anti-attack rate-limit alarm enable

Parameters

None

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP Miss messages is enabled, if you want the device to generate alarms notifying the network administrator that a large number of excess ARP Miss messages have been discarded, run the arp-miss anti-attack rate-limit alarm enable command. When the number of discarded ARP Miss packets exceeds the alarm threshold, the device generates an alarm.

You can set the alarm threshold using the arp-miss anti-attack rate-limit alarm threshold command.

Prerequisites

Rate limit on ARP Miss messages has been enabled using the arp-miss anti-attack rate-limit enable command.

Example

# Enable the alarm function for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit on Layer 2 interface GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit alarm enable
# Enable the alarm function for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit on Layer 3 interface GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit alarm enable

arp-miss anti-attack rate-limit alarm threshold

Function

The arp-miss anti-attack rate-limit alarm threshold command sets the alarm threshold for ARP Miss messages discarded when the rate of ARP Miss packets exceeds the limit.

The undo arp-miss anti-attack rate-limit alarm threshold command restores the default alarm threshold.

By default, the alarm threshold for discarded ARP Miss packets is 100.

Format

arp-miss anti-attack rate-limit alarm threshold threshold

undo arp-miss anti-attack rate-limit alarm threshold

Parameters

Parameter

Description

Value

threshold

Specifies the alarm threshold for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit.

The value is an integer that ranges from 1 to 16384, in pps.

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use the arp-miss anti-attack rate-limit alarm threshold command to set the alarm threshold. When the number of discarded ARP Miss packets exceeds the alarm threshold, the device generates an alarm.

Prerequisites

Rate limit on ARP Miss messages has been enabled using the arp-miss anti-attack rate-limit enable command, and the alarm function has been enabled using the arp-miss anti-attack rate-limit alarm enable command.

Example

# Enable rate limit on ARP Miss messages globally, enable the alarm function, and set the alarm threshold to 200.

<HUAWEI> system-view
[HUAWEI] arp-miss anti-attack rate-limit enable
[HUAWEI] arp-miss anti-attack rate-limit alarm enable
[HUAWEI] arp-miss anti-attack rate-limit alarm threshold 200

# Enable rate limit on ARP Miss messages on Layer 2 interface GE1/0/1, enable the alarm function, and set the alarm threshold to 200.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit alarm threshold 200
# Enable rate limit on ARP Miss messages on Layer 3 interface GE1/0/1, enable the alarm function, and set the alarm threshold to 200.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit alarm threshold 200

arp-miss anti-attack rate-limit enable

Function

The arp-miss anti-attack rate-limit enable command enables rate limit on ARP Miss messages globally, in a VLAN, or on an interface.

The undo arp-miss anti-attack rate-limit enable command disables rate limit on ARP Miss messages globally, in a VLAN, or on an interface.

By default, rate limit on ARP Miss messages is disabled globally, in a VLAN, or on an interface.

Format

arp-miss anti-attack rate-limit enable

undo arp-miss anti-attack rate-limit enable

Parameters

None

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, 100GE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device, that is, if the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route, the device triggers a large number of ARP Miss messages. IP packets triggering ARP Miss messages are sent to the CPU for processing. The device generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming a large number of CPU and bandwidth resources.

To avoid the preceding problems, configure rate limit on ARP Miss messages globally, in a VLAN, or on an interface. The device collects statistics on ARP Miss messages. If the number of ARP Miss messages generated within the rate limiting duration exceeds the threshold (the maximum number of ARP Miss messages), the gateway discards the IP packets triggering the excess ARP Miss messages.

Follow-up Procedure

Run the arp-miss anti-attack rate-limit command to set the maximum rate and rate limiting duration of ARP Miss messages.

Example

# Enable rate limit on ARP Miss messages on Layer 2 interface GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit enable
# Enable rate limit on ARP Miss messages on Layer 3 interface GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit enable

arp-miss speed-limit source-ip

Function

The arp-miss speed-limit source-ip command sets the maximum number of ARP Miss messages based on source IP addresses and specifies the mode for processing ARP Miss packets.

The undo arp-miss speed-limit source-ip command restores the default setting.

By default, the device processes a maximum of 30 ARP Miss messages triggered by IP packets from the same source IP address per second.

If the number of ARP Miss messages triggered by IP packets from the same source IP address per second exceeds the limit, the device discards the excess ARP Miss messages, that is, the device discards the excess ARP Miss packets. The device then uses the block mode to discard all ARP Miss packets from the source IP address within 5 minutes by default.

Format

arp-miss speed-limit source-ip ip-address [ mask mask ] maximum maximum [ none-block | block timer timer ]

arp-miss speed-limit source-ip maximum maximum

undo arp-miss speed-limit source-ip [ ip-address [ mask mask ] ]

Parameters

Parameter

Description

Value

ip-address

Specifies the source IP address. If this parameter is specified, the maximum number of ARP Miss messages triggered by packets from this IP address is limited.

If this parameter is not specified, the maximum number of ARP Miss messages triggered by packets from each IP address is limited.

The value is in dotted decimal notation.

mask mask

Specifies the mask of the IP address. If this parameter is specified, the maximum number of ARP Miss messages triggered by packets from IP addresses in the network segment is limited.

The value is an integer that ranges from 1 to 32.

maximum maximum

Specifies the maximum number of ARP Miss messages based on the source IP address.

NOTE:

If the maximum number of ARP Miss messages triggered by packets from each IP address is limited, a large value is recommended for this parameter because a small value may cause valid packets to be discarded. However, an excessively large value degrades system performance.

If an IP address initiates attacks, you can set the maximum number of ARP Miss messages triggered by packets from this IP address to a small value.

The value is an integer that ranges from 0 to 16384.

If the value is 0, the maximum number of ARP Miss messages is not limited based on the source IP address.

none-block

Indicates that ARP Miss packets are processed in none-block mode. If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the CPU of the device discards the excess ARP Miss messages, that is, the CPU discards the excess ARP Miss packets.

-

block timer timer

Indicates that ARP Miss packets are processed in block mode. If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the device discards the excess ARP Miss messages and delivers an ACL so that the chip discards all packets sent from this source IP address within the period specified by timer. When the period specified by timer expires, the ACL ages out; the chip no longer discards ARP Miss packets from the source IP address and sends them to the CPU for processing.

The value ranges from 5 to 864000, in seconds. The default value is 5 seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the device considers that an attack is initiated from the source IP address. If the ARP Miss message processing mode is set to block, the device discards excess ARP Miss packets from this source IP address and delivers an ACL to discard all subsequent packets sent from this source IP address. If the ARP Miss message processing mode is set to none-block, the device only discards excess ARP Miss packets.

The administrator can use the arp-miss speed-limit source-ip command to set the maximum number of ARP Miss packets and specify the mode for processing ARP Miss packets based on the actual network environment.

Limiting the number of ARP Miss messages that the device processes within a specified duration protects system resources and ensures that other services keep running properly.

Precautions

You can set the maximum number of ARP Miss messages for a maximum of 1024 IP addresses.

If the ARP Miss packet processing mode is set to none-block, the device discards the ARP Miss packets that trigger excess ARP Miss messages to reduce the CPU load. The none-block action can still cause high CPU usage, and the block action consumes ACL resources. The default ARP Miss packet processing mode is recommended.

When the maximum number of ARP Miss messages based on source IP addresses is set without specifying the ARP Miss packet processing mode, the device uses the default processing mode, block.

When the number of ARP Miss packets exceeds the limit, the delivered ACL discards only the ARP Miss packets from the source IP address. Other packets can still be sent to the CPU.

A maximum of 16 ACLs can be delivered to the chip to discard ARP Miss packets from a specified IP address or network segment. If 16 ACLs have been delivered and none of them has aged out, and the number of ARP Miss packets per second from another IP address or network segment exceeds the limit, the device does not deliver an additional ACL; the CPU discards the excess ARP Miss packets instead.

Example

# Set the maximum number of ARP Miss messages triggered by each source IP address per second to 60.

<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 60

# Set the maximum number of ARP Miss messages triggered by the IP address 10.0.0.1 per second to 100, and set the maximum number of ARP Miss messages triggered by other source IP addresses per second to 60.

<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 60
[HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 100

display arp anti-attack arpmiss-record-info

Function

The display arp anti-attack arpmiss-record-info command displays information recorded by the device when rate limit on ARP Miss messages is triggered.

Format

display arp anti-attack arpmiss-record-info [ ip-address ]

Parameters

Parameter

Description

Value

ip-address

Displays the records of discarded ARP Miss packets with the specified source IP address.

The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After rate limit on ARP Miss messages is triggered, the device discards excess ARP Miss messages. You can run this command to view information recorded by the device when rate limit on ARP Miss messages is triggered. The information helps locate and rectify faults.

The device can record a maximum of 256 records about rate limit on ARP Miss messages. If a new round of rate limit on ARP Miss messages is triggered when the number of records reaches 256, the device takes the following actions:
  1. If the source IP address of the attacker already exists in a record, the device updates the block time in the record using the discarding time of the new ARP Miss message.
  2. If the source IP address of the attacker does not exist in any record, the device deletes the first record and adds a new record for this attacker.
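An added Python model, not the switch's implementation, of the per-source ARP Miss limiting described for arp-miss speed-limit source-ip together with the record table described above: it counts ARP Miss messages per source IP per second, applies the block or none-block action, holds at most 16 blocking ACLs, keeps at most 1024 source-ip entries, and updates or evicts records following the two rules just listed. The class and method names, the per-second fixed window, and longest-prefix precedence between overlapping source-ip mask entries are assumptions of the model; the addresses are constructed.

```python
"""Added model of arp-miss speed-limit source-ip (block / none-block) and of
the record table behind display arp anti-attack arpmiss-record-info.
Illustrative model only, not the S12700 implementation."""
import ipaddress
from collections import OrderedDict
from dataclasses import dataclass

MAX_ACLS = 16        # blocking ACLs the chip can hold (from the Precautions)
MAX_RECORDS = 256    # records kept for display arp anti-attack arpmiss-record-info
MAX_RULES = 1024     # source IP addresses for which a limit can be set


@dataclass
class Record:
    interface: str
    attack_time: int   # first second in which the per-source limit was exceeded
    block_time: int    # last second a packet from this source was discarded (0 in none-block)
    aging_time: int    # block duration in seconds (0 in none-block mode)


class ArpMissSpeedLimiter:
    def __init__(self, default_maximum=30, block=True, timer=5):
        self.default_maximum = default_maximum   # the "Others" row of the display output
        self.block = block                       # block (default) or none-block mode
        self.timer = timer                       # block timer, seconds
        self.rules = {}      # ip_network -> maximum, one per source-ip [mask] command
        self.window = {}     # src ip -> (second, count): per-second counter
        self.acls = {}       # src ip -> second at which the blocking ACL ages out
        self.records = OrderedDict()  # src ip -> Record, oldest first

    def set_limit(self, maximum, ip=None, mask=32):
        """arp-miss speed-limit source-ip [ip [mask mask]] maximum maximum."""
        if not 0 <= maximum <= 16384:
            raise ValueError("maximum must be 0..16384")
        if ip is None:
            self.default_maximum = maximum
            return
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net not in self.rules and len(self.rules) >= MAX_RULES:
            raise ValueError("limits can be set for at most 1024 IP addresses")
        self.rules[net] = maximum

    def limit_for(self, ip):
        """Limit applying to a source: the most specific matching entry, else the default.
        (Longest-prefix precedence is an assumption of this model.)"""
        addr = ipaddress.ip_address(ip)
        matches = [net for net in self.rules if addr in net]
        if not matches:
            return self.default_maximum
        return self.rules[max(matches, key=lambda net: net.prefixlen)]

    def _record(self, ip, interface, now):
        rec = self.records.get(ip)
        if rec is None:
            if len(self.records) >= MAX_RECORDS:
                self.records.popitem(last=False)       # table full: drop the first record
            self.records[ip] = Record(interface, now,
                                      now if self.block else 0,
                                      self.timer if self.block else 0)
        elif self.block:
            rec.block_time = now                       # known attacker: refresh block time

    def arp_miss(self, src_ip, interface, now):
        """Disposition of an IP packet that triggered an ARP Miss at second `now`:
        'process', 'discard-cpu' (excess dropped by the CPU) or 'discard-acl'."""
        if src_ip in self.acls and now >= self.acls[src_ip]:
            del self.acls[src_ip]                      # ACL aged out after `timer` seconds
        if src_ip in self.acls:
            self._record(src_ip, interface, now)
            return "discard-acl"
        sec, count = self.window.get(src_ip, (None, 0))
        if sec != now:
            count = 0                                  # new one-second window
        count += 1
        self.window[src_ip] = (now, count)
        limit = self.limit_for(src_ip)
        if limit == 0 or count <= limit:
            return "process"
        # limit exceeded: excess is dropped; block mode installs an ACL if one is free,
        # otherwise the CPU keeps dropping the excess itself
        self._record(src_ip, interface, now)
        if self.block and len(self.acls) < MAX_ACLS:
            self.acls[src_ip] = now + self.timer
        return "discard-cpu"
```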

Example

# Display information recorded by the device when rate limit on ARP Miss messages is triggered.

<HUAWEI> display arp anti-attack arpmiss-record-info  
Interface    IP address      Attack time         Block time          Aging-time 
------------------------------------------------------------------------------- 
------------------------------------------------------------------------------- 
The number of record(s) in arp-miss table is 0                         
Table 14-49  Description of the display arp anti-attack arpmiss-record-info command output

Item

Description

Interface

Interface where ARP Miss packets are discarded.

IP address

Source IP address of discarded ARP Miss packets.

Attack time

First time when rate limit on ARP Miss messages is triggered, that is, time when the number of ARP Miss messages exceeds the limit.

Block time

Last time when the device discards the ARP Miss messages of the attacker.

Aging-time

Period during which the device discards ARP Miss packets.

If the ARP Miss packet processing mode is set to none-block, the values of Block time and Aging-time are both 0. If the ARP Miss packet processing mode is set to block, the value of Aging-time is configured by the arp-miss speed-limit source-ip command, and the default value is 5 seconds.

display arp anti-attack configuration check user-bind

Function

The display arp anti-attack configuration check user-bind command displays the configuration of DAI in a VLAN or on an interface.

Format

display arp anti-attack configuration check user-bind [ vlan [ vlan-id ] | interface [ interface-type interface-number ] ]

Parameters

Parameter

Description

Value

vlan [ vlan-id ]

Displays DAI configuration in the specified VLAN.

If vlan-id is not specified, the DAI configurations in all VLANs are displayed.

vlan-id is an integer that ranges from 1 to 4094.

interface [ interface-type interface-number ]

Displays the DAI configuration on the specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

If interface-type interface-number is not specified, the DAI configurations on all interfaces are displayed.

If neither vlan [ vlan-id ] nor interface [ interface-type interface-number ] is specified, the DAI configurations in all VLANs and on all interfaces are displayed.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view the configuration of DAI in a VLAN or on an interface, including whether the function is enabled, check items, whether the alarm function is enabled for discarded ARP packets, and alarm threshold.

Output is displayed only after DAI and the alarm function have been enabled.

Example

# Display DAI configuration on GE1/0/1.

<HUAWEI> display arp anti-attack configuration check user-bind interface gigabitethernet 1/0/1
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 arp anti-attack check user-bind alarm threshold 50 
 arp anti-attack check user-bind check-item ip-address
# Display ARP check configurations in all VLANs and on all interfaces.
<HUAWEI> display arp anti-attack configuration check user-bind
#                                                                               
vlan 2                                                                         
 arp anti-attack check user-bind enable                                         
 arp anti-attack check user-bind check-item ip-address 
#                                                                               
vlan 3                                                                         
 arp anti-attack check user-bind enable                                         
#                                                                               
GigabitEthernet1/0/1                                                           
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 arp anti-attack check user-bind alarm threshold 50 
 arp anti-attack check user-bind check-item ip-address
#  
Table 14-50  Description of the display arp anti-attack configuration check user-bind command output

Item

Description

arp anti-attack check user-bind enable

DAI has been enabled.

You can run the arp anti-attack check user-bind enable command to enable DAI.

arp anti-attack check user-bind alarm enable

The alarm function for ARP packets discarded by DAI has been enabled.

You can run the arp anti-attack check user-bind alarm enable command to enable the alarm function.

arp anti-attack check user-bind alarm threshold 50

Alarm threshold of discarded ARP packets matching no binding entry.

You can run the arp anti-attack check user-bind alarm threshold command to set the alarm threshold.

arp anti-attack check user-bind check-item ip-address

Only the IP address is checked during ARP packet check based on binding entries.

You can run the arp anti-attack check user-bind check-item (interface view) command or arp anti-attack check user-bind check-item (VLAN view) command to specify the check item for ARP packet check based on binding entries.

display arp anti-attack configuration

Function

The display arp anti-attack configuration command displays the ARP anti-attack configuration.

Format

display arp anti-attack configuration { arp-rate-limit | arp-speed-limit | entry-check | arpmiss-rate-limit | arpmiss-speed-limit | gateway-duplicate | log-trap-timer | packet-check | all }

Parameters

Parameter

Description

Value

arp-rate-limit

Displays the configuration of rate limit on ARP packets globally, in a VLAN, or on an interface.

-

arp-speed-limit

Displays the configuration of rate limit on ARP packets based on the source IP address or source MAC address.

-

entry-check

Displays the ARP entry fixing mode.

-

arpmiss-rate-limit

Displays the configuration of rate limit on ARP Miss messages globally, in a VLAN, or on an interface.

-

arpmiss-speed-limit

Displays the configuration of rate limit on ARP Miss messages based on the source IP address.

-

gateway-duplicate

Displays whether gateway anti-collision is enabled.

-

log-trap-timer

Displays the interval for sending ARP alarms.

-

packet-check

Displays whether ARP packet validity check is enabled.

-

all

Displays all ARP anti-attack configurations.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After all ARP anti-attack functions are configured, you can run this command to check all configurations.

Example

# Display the configuration of rate limit on ARP packets based on the source IP address or source MAC address.
<HUAWEI> display arp anti-attack configuration arp-speed-limit
ARP speed-limit for source-MAC configuration:                                   
MAC-address         suppress-rate(pps)(rate=0 means function disabled)          
------------------------------------------------------------------------------- 
All                 0                                                           
------------------------------------------------------------------------------- 
The number of configured specified MAC address(es) is 0, spec is 1024.          
                                                                                
ARP speed-limit for source-IP configuration:                                    
IP-address          suppress-rate(pps)(rate=0 means function disabled)          
------------------------------------------------------------------------------- 
10.1.1.1            100                                                         
Others              30                                                          
------------------------------------------------------------------------------- 
The number of configured specified IP address(es) is 1, spec is 1024.           
# Display the configuration of rate limit on ARP Miss messages based on the source IP address.
<HUAWEI> display arp anti-attack configuration arpmiss-speed-limit
 ARP miss speed-limit for source-IP configuration:
 IP-address          suppress-rate(pps)(rate=0 means function disabled)
 ------------------------------------------------------------------------
 10.0.0.30/32        400
 Others              0 
 ------------------------------------------------------------------------
 The number of configured specified IP address(es) is 1, spec is 1024.   
# Display the ARP entry fixing mode.
<HUAWEI> display arp anti-attack configuration entry-check
 ARP anti-attack entry-check mode:                                              
 Vlanif      Mode                                                               
------------------------------------------------------------------------------- 
 All         send-ack                                                           
------------------------------------------------------------------------------- 
# Display all ARP anti-attack configurations.
<HUAWEI> display arp anti-attack configuration all
ARP anti-attack packet-check configuration:
-------------------------------------------------------------------------------
Sender-MAC checking function: disable
Dst-MAC checking function: disable
IP checking function: disable
-------------------------------------------------------------------------------

ARP gateway-duplicate anti-attack function: disabled

ARP anti-attack log-trap-timer: 0 second(s)
(The log and trap timer of speed-limit, default is 0 and means disabled.)

ARP anti-attack entry-check mode:
Vlanif      Mode
-------------------------------------------------------------------------------
All         disabled
-------------------------------------------------------------------------------

ARP rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
  GigabitEthernet5/0/10 :
    arp anti-attack rate-limit enable
    arp anti-attack rate-limit packet 10 interval 1
VLAN configuration:
-------------------------------------------------------------------------------

ARP miss rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
VLAN configuration:
-------------------------------------------------------------------------------

ARP speed-limit for source-MAC configuration:
MAC-address         suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                 0
-------------------------------------------------------------------------------
The number of configured specified MAC address(es) is 0, spec is 1024.

ARP speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                 30
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 0, spec is 1024.

ARP miss speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                 30
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 0, spec is 1024.
Table 14-51  Description of the display arp anti-attack configuration all command output

Item

Description

ARP anti-attack packet-check configuration

Whether ARP packet validity check is enabled.

  • Sender-MAC checking function indicates that the source MAC address is checked.

  • Dst-MAC checking function indicates that the destination MAC address is checked.

  • IP checking function indicates that the IP address is checked.

You can run the arp anti-attack packet-check command to enable ARP packet validity check.

ARP gateway-duplicate anti-attack function

Whether ARP gateway anti-collision is enabled.

You can run the arp anti-attack gateway-duplicate enable command to enable ARP gateway anti-collision.

ARP anti-attack log-trap-timer

Interval for sending ARP alarms

You can run the arp anti-attack log-trap-timer command to set the interval for sending ARP alarms.

ARP anti-attack entry-check mode

ARP entry fixing mode. Vlanif specifies the interface to which the ARP entry fixing mode is applied. The modes include:
  • fixed-mac
  • fixed-all
  • send-ack
  • disabled

You can run the arp anti-attack entry-check enable command to set the ARP entry fixing mode.

ARP rate-limit configuration

Configuration of rate limit on ARP packets.

  • Global configuration indicates the global configuration of rate limit on ARP packets.

  • Interface configuration indicates the configuration of rate limit on ARP packets on an interface.

  • VLAN configuration indicates the configuration of rate limit on ARP packets in a VLAN.

You can run the arp anti-attack rate-limit command to configure rate limit on ARP packets.

ARP miss rate-limit configuration

Configuration of rate limit on ARP Miss messages.

  • Global configuration indicates the global configuration of rate limit on ARP Miss messages.

  • Interface configuration indicates the configuration of rate limit on ARP Miss messages on an interface.

  • VLAN configuration indicates the configuration of rate limit on ARP Miss messages in a VLAN.

You can run the arp-miss anti-attack rate-limit command to configure rate limit on ARP Miss messages.

ARP speed-limit for source-MAC configuration

Rate limit on ARP packets based on the source MAC address.

You can run the arp speed-limit source-mac command to configure rate limit on ARP packets based on the source MAC address.

ARP speed-limit for source-IP configuration

Rate limit on ARP packets based on the source IP address.

You can run the arp speed-limit source-ip command to configure rate limit on ARP packets based on the source IP address.

ARP miss speed-limit for source-IP configuration

Rate limit on ARP Miss messages based on source IP addresses.

You can run the arp-miss speed-limit source-ip command to configure rate limit on ARP Miss messages based on the source IP address.

The number of configured specified MAC address(es) is 0, spec is 512.

Number (0) of the configured source MAC addresses based on which the rate of ARP packets or ARP Miss messages is limited, and the maximum value (512) allowed.

The number of configured specified IP address(es) is 1, spec is 512.

Number (1) of the configured source IP addresses based on which the rate of ARP packets or ARP Miss messages is limited, and the maximum value (512) allowed.

MAC-address

Rate limit on ARP packets based on a specified MAC address.
  • All indicates all MAC addresses.
  • Others indicates all MAC addresses other than the specified ones.

IP-address

Rate limit on ARP packets and ARP Miss messages based on a specified IP address.
  • All indicates all IP addresses.
  • Others indicates all IP addresses other than the specified ones.

suppress-rate

Rate limit on ARP packets and ARP Miss messages. Value 0 indicates that the rate limit function is disabled for ARP packets and ARP Miss messages.

You can run the arp anti-attack rate-limit packet packet-number command to configure the rate limit of ARP packets, and run the arp-miss anti-attack rate-limit packet packet-number command to configure the rate limit of ARP Miss messages.

display arp anti-attack gateway-duplicate item

Function

The display arp anti-attack gateway-duplicate item command displays ARP gateway anti-collision entries.

Format

display arp anti-attack gateway-duplicate item

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After ARP gateway anti-collision is enabled, you can run this command to view ARP anti-collision entries.

Example

# Display ARP gateway anti-collision entries.

<HUAWEI> display arp anti-attack gateway-duplicate item
 Interface               IP address       MAC address     VLANID   Aging time 
-------------------------------------------------------------------------------
 GigabitEthernet1/0/1    10.1.1.1         0000-0000-0002  2        150
 GigabitEthernet1/0/2    10.1.1.2         0000-0000-0004  2        170
-------------------------------------------------------------------------------
The number of record(s) in gateway conflict table is 2 
Table 14-52  Description of the display arp anti-attack gateway-duplicate item command output

Item

Description

Interface

Inbound interface of ARP packets.

IP address

IP address of the gateway.

MAC address

Source MAC address of ARP packets.

VLANID

VLAN ID of ARP packets.

Aging time

Aging time of entries. The maximum value is 180 seconds. This parameter cannot be configured.

display arp anti-attack packet-check statistics

Function

The display arp anti-attack packet-check statistics command displays the statistics on invalid ARP packets that are filtered out during ARP packet validity check.

Format

display arp anti-attack packet-check statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After ARP packet validity check is enabled, if you want to view the statistics on invalid ARP packets that are filtered out, you can run this command.

Example

# Display the statistics on invalid ARP packets that are filtered out during ARP packet validity check.

<HUAWEI> display arp anti-attack packet-check statistics
Number of ARP packet(s) checked:                        5                       
Number of ARP packet(s) dropped by sender-mac checking: 0                       
Number of ARP packet(s) dropped by dst-mac checking:    0                       
Number of ARP packet(s) dropped by src-ip checking:     2                       
Number of ARP packet(s) dropped by dst-ip checking:     0            
Table 14-53  Description of the display arp anti-attack packet-check statistics command output

Item

Description

Number of ARP packet(s) checked

Number of ARP packets whose validity is checked.

Number of ARP packet(s) dropped by sender-mac checking

Number of invalid ARP packets that are filtered out because the source MAC address in the packet is different from that in the Ethernet frame header.

Number of ARP packet(s) dropped by dst-mac checking

Number of invalid ARP packets that are filtered out because the destination MAC address in the packet is different from that in the Ethernet frame header.

Number of ARP packet(s) dropped by src-ip checking

Number of invalid ARP packets with invalid source IP addresses that are filtered out.

Number of ARP packet(s) dropped by dst-ip checking

Number of invalid ARP packets with invalid destination IP addresses that are filtered out.

display arp anti-attack statistics check user-bind interface

Function

The display arp anti-attack statistics check user-bind interface command displays the statistics on discarded ARP packets matching no binding entry.

Format

display arp anti-attack statistics check user-bind interface interface-type interface-number

Parameters

Parameter

Description

Value

interface interface-type interface-number

Specifies the type and number of an interface:
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After DAI and the alarm function are enabled, you can run this command to display the statistics on discarded ARP packets matching no binding entry.

Example

# Display the statistics on discarded ARP packets matching no binding entry on GE1/0/1.

<HUAWEI> display arp anti-attack statistics check user-bind interface gigabitethernet 1/0/1
 Dropped ARP packet number is 966                                                 
 Dropped ARP packet number since the latest warning is 605
Table 14-54  Description of the display arp anti-attack statistics check user-bind interface command output

Item

Description

Dropped ARP packet number is 966

Number of discarded ARP packets matching no DHCP snooping binding entry.

Dropped ARP packet number since the latest warning is 605

Statistics on discarded ARP packets matching no DHCP snooping binding entry after the latest alarm is generated.
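The two counter outputs documented above (display arp anti-attack packet-check statistics and display arp anti-attack statistics check user-bind interface) are plain text, so a monitoring job has to parse them before it can alert on validity-check or DAI drops. The following Python is an added example, not Huawei code: the sample outputs are constructed from the formats shown in this reference, and the DAI alert threshold is an assumed operator value, not a device setting.

```python
"""Parse the ARP validity-check and DAI drop counters printed by the two
display commands above and derive monitoring signals from them.
Added example, not Huawei code; sample outputs are constructed."""
import re
from typing import Dict

# Constructed sample: output of "display arp anti-attack packet-check statistics".
PACKET_CHECK_OUTPUT = """\
Number of ARP packet(s) checked:                        5
Number of ARP packet(s) dropped by sender-mac checking: 0
Number of ARP packet(s) dropped by dst-mac checking:    0
Number of ARP packet(s) dropped by src-ip checking:     2
Number of ARP packet(s) dropped by dst-ip checking:     0
"""

# Constructed sample: output of
# "display arp anti-attack statistics check user-bind interface gigabitethernet 1/0/1".
USER_BIND_OUTPUT = """\
 Dropped ARP packet number is 966
 Dropped ARP packet number since the latest warning is 605
"""

_CHECK_LINE = re.compile(
    r"Number of ARP packet\(s\) (checked|dropped by (\S+) checking):\s+(\d+)")
_USER_BIND_LINE = re.compile(
    r"Dropped ARP packet number( since the latest warning)? is (\d+)")


def parse_packet_check(text: str) -> Dict[str, int]:
    """Return {'checked': n, 'sender-mac': n, 'dst-mac': n, 'src-ip': n, 'dst-ip': n}."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _CHECK_LINE.search(line)
        if not m:
            continue  # banners and blank lines are ignored
        key = "checked" if m.group(1) == "checked" else m.group(2)
        counters[key] = int(m.group(3))
    return counters


def parse_user_bind(text: str) -> Dict[str, int]:
    """Return {'dropped_total': n, 'dropped_since_warning': n}."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _USER_BIND_LINE.search(line)
        if not m:
            continue
        key = "dropped_since_warning" if m.group(1) else "dropped_total"
        counters[key] = int(m.group(2))
    return counters


def validity_drop_ratio(counters: Dict[str, int]) -> float:
    """Fraction of checked ARP packets that any validity check discarded.

    A rising ratio on an access port points at hosts sending ARP whose
    sender MAC/IP fields do not match the frame, i.e. spoofed or broken ARP.
    """
    checked = counters.get("checked", 0)
    if checked == 0:
        return 0.0
    dropped = sum(v for k, v in counters.items() if k != "checked")
    return dropped / checked


def dai_alert(counters: Dict[str, int], threshold: int) -> bool:
    """True when DAI drops since the switch's last alarm reach an assumed
    operator threshold; mirrors the device-side alarm but lets the NMS
    pick its own sensitivity."""
    return counters.get("dropped_since_warning", 0) >= threshold


if __name__ == "__main__":
    pc = parse_packet_check(PACKET_CHECK_OUTPUT)
    ub = parse_user_bind(USER_BIND_OUTPUT)
    print("validity drop ratio:", validity_drop_ratio(pc))
    print("DAI alert (threshold 500):", dai_alert(ub, 500))
```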

display arp flood statistics

Function

The display arp flood statistics command displays the statistics on ARP Request packets of VLANIF interfaces in all super-VLANs.

Format

display arp flood statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view the statistics on ARP Request packets of VLANIF interfaces in all super-VLANs.

Example

# Display the statistics on ARP Request packets of all the VLANIF interfaces in a super-VLAN.

<HUAWEI> display arp flood statistics
ARP request packets statistics on supervlan:
Total ARP request packets number :  5100 
Sent ARP request packets number :  4000
Dropped ARP request packets number:  1100
Table 14-55  Description of the display arp flood statistics command output

Item

Description

ARP request packets statistics on supervlan

Statistics on ARP Request packets in all super-VLANs.

Total ARP request packets number

Total number of ARP Request packets.

Sent ARP request packets number

Number of sent ARP Request packets.

Dropped ARP request packets number

Number of ARP Request packets discarded because the rate limit on broadcasting ARP Request packets was exceeded on VLANIF interfaces in all super-VLANs. You can run the arp speed-limit flood-rate rate command to configure the rate of broadcasting ARP Request packets.

display arp learning strict

Function

The display arp learning strict command displays strict ARP learning globally and on all interfaces.

Format

display arp learning strict

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After strict ARP learning is configured, you can run this command to check the configuration.

Example

# Display strict ARP learning globally and on all interfaces.

<HUAWEI> display arp learning strict
The global configuration:arp learning strict
 Interface                           LearningStrictState
------------------------------------------------------------
 Vlanif100                           force-disable
 Vlanif200                           force-enable
------------------------------------------------------------
 Total:2
 Force-enable:1
 Force-disable:1
Table 14-56  Description of the display arp learning strict command output

Item

Description

The global configuration

Global strict ARP learning. The value arp learning strict indicates that strict ARP learning has been enabled. If the parameter is left blank, strict ARP learning is disabled.

You can run the arp learning strict (system view) command to enable strict ARP learning.

Interface

Interface name.

LearningStrictState

Strict ARP learning.
  • The value force-enable indicates that strict ARP learning is enabled.
  • The value force-disable indicates that strict ARP learning is disabled.

You can run the arp learning strict (interface view) command to enable strict ARP learning.

Total

Total number of interfaces to which strict ARP learning is applied.

Force-enable

Number of the interfaces on which strict ARP learning is enabled.

Force-disable

Number of the interfaces on which strict ARP learning is disabled.

display arp optimized-passby status

Function

The display arp optimized-passby status command displays whether the device is configured not to send ARP packets destined for other devices to the CPU and whether the configuration takes effect.

Format

display arp optimized-passby status interface vlanif vlanif-id slot slot-id

NOTE:

Only X series cards support this command.

Parameters

Parameter

Description

Value

interface vlanif vlanif-id

Displays whether the device is configured not to send ARP packets destined for other devices to the CPU and whether the configuration takes effect on a specified VLANIF interface.

The value is an integer and the value range depends on the range of existing VLANIF interfaces. You can enter ? to obtain the range of VLANIF interface numbers.

slot slot-id

Displays whether the device is configured not to send ARP packets destined for other devices to the CPU and whether the configuration takes effect in a specified slot.

The value must be set according to the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

If an interface receives a large number of ARP packets whose destination IP addresses are different from the IP address of this interface and sends these ARP packets to the CPU for processing, the CPU usage is high and the CPU cannot process services properly.

To prevent this issue, you can configure the device to directly forward ARP packets destined for other devices without sending them to the CPU. This improves the device's capability of defending against ARP flood attacks.

When the device is configured not to send ARP packets destined for other devices to the CPU, the configuration does not take effect if a conflicting configuration exists on the device. You can use the display arp optimized-passby status command to check whether the device is configured not to send ARP packets destined for other devices to the CPU and whether the configuration takes effect. For details about conflicting configurations, see arp optimized-passby enable.

Example

# Display whether the device is configured not to send ARP packets destined for other devices to the CPU and whether the configuration takes effect on VLANIF 100.

<HUAWEI> display arp optimized-passby status interface Vlanif 100 slot 0
Current configuration:Enable                                                                                                        
Actual         status:Inactive                                                                                                      
Related configuration:                                                                                                              
   NAC configuration (for example, dot1x enable)                                                                                    
Table 14-57  Description of the display arp optimized-passby status command output

Item

Description

Current configuration

Whether the device is configured not to send ARP packets destined for other devices to the CPU.
  • Enable: The device is configured not to send ARP packets destined for other devices to the CPU.
  • Disable: The device is configured to send ARP packets destined for other devices to the CPU.

Actual status

Whether the configuration that stops the device from sending ARP packets destined for other devices to the CPU takes effect.
  • Inactive
  • Active

Related configuration

Conflicting configuration. For details, see arp optimized-passby enable.

display arp optimized-reply statistics

Function

The display arp optimized-reply statistics command displays statistics on optimized ARP Reply packets.

Format

display arp optimized-reply statistics [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Displays statistics on optimized ARP Reply packets of a specified LPU slot. If this parameter is not specified, the command displays statistics on optimized ARP Reply packets of all LPUs.

NOTE:
In a CSS, slot-id specifies the CSS ID and slot ID. For example, slot 1/2 indicates CSS ID 1 and slot 2.

The value is a slot ID of the registered LPU.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check statistics on optimized ARP Reply packets after the optimized ARP reply function is enabled on the device.

Example

# Display statistics on optimized ARP Reply packets of all LPUs.
<HUAWEI> display arp optimized-reply statistics
Slot            Received           Processed             Dropped                                                                    
----------------------------------------------------------------                                                                    
5                     76                   7                   9
Table 14-58  Description of the display arp optimized-reply statistics command output

Item

Description

Slot

Slot ID of the LPU.

Received

Number of ARP Request packets entering the processing procedure of the optimized ARP reply function on the LPU.

Processed

Number of ARP Request packets that the LPU answered using the optimized ARP reply function.

Dropped

Number of ARP Request packets discarded by the LPU.

display arp optimized-reply status

Function

The display arp optimized-reply status command displays the status of the optimized ARP reply function.

Format

display arp optimized-reply status

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check the status of the optimized ARP reply function.

Example

# Check the status of the optimized ARP reply function.
<HUAWEI> display arp optimized-reply status
Current configuration:Disable                                                   
Actual         status:Inactive                                                  
Related configuration:                                                          
   arp optimized-reply disable                                                       
   arp anti-attack check user-bind enable                                       
   arp anti-attack gateway-duplicate enable 
Table 14-59  Description of the display arp optimized-reply status command output

Item

Description

Current configuration

Configuration of the optimized ARP reply function.
  • Enable
  • Disable

To set this field, run the arp optimized-reply disable command.

Actual status

Status of the optimized ARP reply function.
  • Active
  • Inactive

Related configuration

Configuration that prevents the optimized ARP reply function from taking effect.

If the optimized ARP reply function has taken effect, this field is not displayed.

display arp packet statistics

Function

The display arp packet statistics command displays the statistics on ARP packets.

Format

display arp packet statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To locate and rectify ARP faults, you can run this command to view the statistics on ARP packets.

This command displays the ARP packet statistics on the main control board.

Example

# Display the statistics on ARP packets.

<HUAWEI> display arp packet statistics
ARP Pkt Received: sum 420066 
ARP Received In Message-cache: sum 0 
ARP-Miss Msg Received: sum 0 
ARP Learnt Count: sum 5 
ARP Pkt Discard For Limit: sum 0 
ARP Pkt Discard For SpeedLimit: sum 0 
ARP Pkt Discard For Proxy Suppress: sum 179578 
ARP Pkt Discard For Other: sum 90347 
ARP-Miss Msg Discard For SpeedLimit: sum 0 
ARP Discard In Message-cache For SpeedLimit: sum 0 
ARP-Miss Msg Discard For Other: sum 0
Table 14-60  Description of the display arp packet statistics command output

Item

Description

ARP Pkt Received

Number of the received ARP packets.

ARP Received In Message-cache

Number of ARP packets received within each second when an LPU encapsulates multiple ARP request packets into one packet.

ARP-Miss Msg Received

Total number of ARP Miss messages triggered by ARP Miss packets sent to the CPU.

ARP Learnt Count

Times of ARP learning.

ARP Pkt Discard For Limit

Number of ARP packets discarded due to the ARP entry limit.

To configure the maximum number of dynamic ARP entries that an interface can learn, run the arp-limit command.

ARP Pkt Discard For SpeedLimit

Number of ARP packets discarded when the number of ARP packets from a specified source IP address exceeds the limit.

To configure a rate limit for ARP packets based on the source IP address, run the arp speed-limit source-ip command.

ARP Pkt Discard For Proxy Suppress

Number of packets discarded for the speed limit.

ARP Pkt Discard For Other

Number of the packets discarded due to other causes.

ARP-Miss Msg Discard For SpeedLimit

Number of ARP Miss messages discarded when the number of ARP Miss messages triggered by IP packets from a specified source IP address exceeds the limit.

ARP Discard In Message-cache For SpeedLimit

Number of ARP packets discarded due to software rate limit when an LPU encapsulates multiple ARP request packets into one packet.

To configure a rate limit for ARP Miss messages based on the source IP address, run the arp-miss speed-limit source-ip command.

ARP-Miss Msg Discard For Other

Number of the ARP Miss messages discarded due to other causes.
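The counters above are cumulative, and the reset arp packet statistics guideline below asks you to clear them before reading. Where clearing is not acceptable (other teams read the same counters), a monitor can instead diff two snapshots. The following Python is an added example, not Huawei code; both snapshots are constructed, the first copied from the sample output above and the second invented to show a rate-limited ARP burst.

```python
"""Diff two snapshots of "display arp packet statistics" so that drop
counters can be attributed to an interval without clearing them.
Added example, not Huawei code; both snapshots are constructed."""
import re
from typing import Dict, Tuple

# Constructed snapshot T0, copied from the sample output in this reference.
SNAPSHOT_T0 = """\
ARP Pkt Received: sum 420066
ARP Received In Message-cache: sum 0
ARP-Miss Msg Received: sum 0
ARP Learnt Count: sum 5
ARP Pkt Discard For Limit: sum 0
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Proxy Suppress: sum 179578
ARP Pkt Discard For Other: sum 90347
ARP-Miss Msg Discard For SpeedLimit: sum 0
ARP Discard In Message-cache For SpeedLimit: sum 0
ARP-Miss Msg Discard For Other: sum 0
"""

# Constructed snapshot T1: an ARP burst, part of it caught by speed limits.
SNAPSHOT_T1 = """\
ARP Pkt Received: sum 470066
ARP Received In Message-cache: sum 0
ARP-Miss Msg Received: sum 1200
ARP Learnt Count: sum 7
ARP Pkt Discard For Limit: sum 0
ARP Pkt Discard For SpeedLimit: sum 8000
ARP Pkt Discard For Proxy Suppress: sum 181578
ARP Pkt Discard For Other: sum 90347
ARP-Miss Msg Discard For SpeedLimit: sum 900
ARP Discard In Message-cache For SpeedLimit: sum 0
ARP-Miss Msg Discard For Other: sum 0
"""

# Every line has the shape "<counter name>: sum <integer>".
_LINE = re.compile(r"^\s*(.+?):\s*sum\s+(\d+)\s*$")


def parse_arp_packet_statistics(text: str) -> Dict[str, int]:
    """Map each counter name to its cumulative value."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter increase over the interval. A counter missing from the
    earlier snapshot is treated as 0 there."""
    return {name: after[name] - before.get(name, 0) for name in after}


def reset_between(delta: Dict[str, int]) -> bool:
    """Cumulative counters never decrease, so any negative delta means
    someone ran reset arp packet statistics between the two snapshots."""
    return any(v < 0 for v in delta.values())


def changed_counters(delta: Dict[str, int]) -> Dict[str, int]:
    """Only the counters that moved, which is what an operator reads first."""
    return {k: v for k, v in delta.items() if v != 0}


def arp_discard_ratio(delta: Dict[str, int]) -> float:
    """Share of ARP packets received in the interval that the CPU discarded
    for any "ARP Pkt Discard For ..." reason. ARP Miss counters are left out
    because they count IP packets that triggered ARP Miss, not ARP packets."""
    received = delta.get("ARP Pkt Received", 0)
    if received <= 0:
        return 0.0
    dropped = sum(v for k, v in delta.items() if k.startswith("ARP Pkt Discard"))
    return dropped / received


def analyse(t0: str, t1: str) -> Tuple[Dict[str, int], float, bool]:
    """Convenience wrapper: changed counters, discard ratio, reset flag."""
    delta = counter_delta(parse_arp_packet_statistics(t0),
                          parse_arp_packet_statistics(t1))
    return changed_counters(delta), arp_discard_ratio(delta), reset_between(delta)


if __name__ == "__main__":
    changed, ratio, was_reset = analyse(SNAPSHOT_T0, SNAPSHOT_T1)
    for name, inc in changed.items():
        print(f"{name}: +{inc}")
    print(f"discard ratio over interval: {ratio:.1%}; reset seen: {was_reset}")
```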

display arp-limit

Function

The display arp-limit command displays the maximum number of ARP entries that an interface can dynamically learn.

Format

display arp-limit [ interface interface-type interface-number[.subinterface-number ] ] [ vlan vlan-id ]

Parameters

Parameter

Description

Value

interface interface-type interface-number[.subinterface-number ]

Specifies the type and number of an interface.
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

  • subinterface-number specifies the sub-interface number.

-

vlan vlan-id

Specifies a VLAN ID.

The value is an integer that ranges from 1 to 4094.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the maximum number of ARP entries that an interface can dynamically learn is set, you can run this command to check the configuration.

If interface interface-type interface-number[.subinterface-number ] and vlan vlan-id are specified, you can view the maximum number of ARP entries that the specified interface can dynamically learn in the specified VLAN. If the two parameters are not specified, the maximum number of ARP entries that each interface can dynamically learn is displayed.

Example

# Display the number of ARP entries that each interface can dynamically learn.

<HUAWEI> display arp-limit
 Interface               LimitNum        VlanID          LearnedNum(Mainboard)
---------------------------------------------------------------------------
 Vlanif100               1000            0                  0 
 GigabitEthernet1/0/1    16384           10                 0
 ---------------------------------------------------------------------------
 Total:2  
Table 14-61  Description of the display arp-limit command output

Item

Description

Interface

Interface name.

LimitNum

Maximum number of ARP entries that an interface can dynamically learn.

To configure the maximum number of dynamic ARP entries that an interface can learn, run the arp-limit command.

VlanID

ID of the VLAN that the interface belongs to.

LearnedNum(Mainboard)

Number of ARP entries that an interface has learned.

display arp snooping

Function

The display arp snooping command displays ARP snooping entries.

Format

display arp snooping { all | interface interface-type interface-number | vlan vlan-id | ip-address ip-address | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays all ARP snooping entries.

-

interface interface-type interface-number

Displays the ARP snooping entry of a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-
vlan vlan-id

Displays the ARP snooping entry of a specified VLAN.

The value is an integer in the range from 1 to 4094.

ip-address ip-address

Displays the ARP snooping entry of a specified IP address.

The value is in dotted decimal notation.

mac-address mac-address

Displays the ARP snooping entry of a specified MAC address.

The value is a 12-digit hexadecimal number, in the format of H-H-H. Each H is 4 digits. If an H contains fewer than 4 digits, the left-most digits are padded with zeros. For example, e0 is displayed as 00e0. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After ARP snooping is enabled, the device generates ARP snooping entries that contain the IP address, MAC address, VLAN ID, inbound interface, and aging time. You can run the display arp snooping command to view the ARP snooping entries.

Example

# Display all ARP snooping entries.

<HUAWEI> display arp snooping all
VLAN/CEVLAN     IP ADDRESS     MAC ADDRESS     INTERFACE     EXPIRE(S)
----------------------------------------------------------------------
2/-             192.168.10.1   0009-c072-4c22  Eth1/0/0      20       
2/-             192.168.10.2   0000-0a88-32f4  Eth1/0/0      10       
13/-            10.1.1.1       0009-c072-4c22  Eth-Trunk0    18
12/10           172.16.1.1     0009-c072-4c22  40GE5/0/4     5
----------------------------------------------------------------------
Total Count:4 
Table 14-62  Description of the display arp snooping command output

Item

Description

VLAN/CEVLAN

VLAN information.

IP ADDRESS

IP address.

MAC ADDRESS

MAC address.

INTERFACE

Inbound interface.

EXPIRE(S)

Aging time.

reset arp anti-attack packet-check statistics

Function

The reset arp anti-attack packet-check statistics command clears the statistics on invalid ARP packets that are filtered out during ARP packet validity check.

Format

reset arp anti-attack packet-check statistics

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

You can run this command to clear existing statistics, and run the display arp anti-attack packet-check statistics command to view the statistics on follow-up invalid ARP packets that are filtered out.

Example

# Clear the statistics on invalid ARP packets that are filtered out in ARP packet validity check.

<HUAWEI> reset arp anti-attack packet-check statistics

reset arp anti-attack statistics check user-bind

Function

The reset arp anti-attack statistics check user-bind command clears the statistics on discarded ARP packets matching no binding entry.

Format

reset arp anti-attack statistics check user-bind interface interface-type interface-number

Parameters

Parameter

Description

Value

interface interface-type interface-number

Specifies the type and number of an interface:
  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

Views

User view, system view

Default Level

2: Configuration level

Usage Guidelines

After DAI is enabled and some ARP packets matching no binding entry are discarded, you can run this command to clear the statistics on the discarded ARP packets.

Example

# Clear the statistics on discarded ARP packets on GE1/0/1.

<HUAWEI> reset arp anti-attack statistics check user-bind interface gigabitethernet 1/0/1

reset arp anti-attack statistics rate-limit

Function

The reset arp anti-attack statistics rate-limit command clears the statistics on ARP packets discarded when the rate of ARP packets exceeds the limit.

Format

reset arp anti-attack statistics rate-limit

Parameters

None

Views

User view, system view

Default Level

2: Configuration level

Usage Guidelines

After rate limit on ARP packets is enabled globally, the device discards the excess packets when the rate of ARP packets exceeds the limit. You can run this command to clear the statistics on the discarded ARP packets.

Example

# Clear the statistics on ARP packets discarded when the rate of ARP packets exceeds the limit.

<HUAWEI> reset arp anti-attack statistics rate-limit

reset arp flood statistics

Function

The reset arp flood statistics command clears the statistics on ARP Request packets of VLANIF interfaces in all super-VLANs.

Format

reset arp flood statistics

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

After this command is run, the statistics on ARP Request packets of VLANIF interfaces in all super-VLANs are cleared and cannot be restored.

Example

# Clear the statistics on ARP Request packets of VLANIF interfaces in all super-VLANs.

<HUAWEI> reset arp flood statistics

reset arp optimized-reply statistics

Function

The reset arp optimized-reply statistics command clears statistics on optimized ARP Reply packets.

Format

reset arp optimized-reply statistics [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Clears statistics on optimized ARP Reply packets of a specified LPU slot. If this parameter is not specified, the command clears statistics on optimized ARP Reply packets of all LPUs.

NOTE:
In a CSS, slot-id specifies the CSS ID and slot ID. For example, slot 1/2 indicates CSS ID 1 and slot 2.

The value is a slot ID of the registered LPU.

Views

User view

Default Level

2: Configuration level

Usage Guidelines

To restart the collection of statistics on optimized ARP Reply packets, run the reset arp optimized-reply statistics [ slot slot-id ] command to clear the existing statistics of all LPUs or of a specified LPU.

Example

# Clear statistics on optimized ARP Reply packets of the LPU in slot 1.

<HUAWEI> reset arp optimized-reply statistics slot 1

reset arp packet statistics

Function

The reset arp packet statistics command clears the statistics on ARP packets.

Format

reset arp packet statistics

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

You can run the display arp packet statistics command to display the statistics on ARP packets. To obtain correct statistics, run the reset arp packet statistics command to clear existing statistics first.

The reset arp packet statistics command clears the ARP packet statistics on the main control board.

Example

# Clear the statistics on all ARP packets.

<HUAWEI> reset arp packet statistics

reset arp snooping

Function

The reset arp snooping command clears ARP snooping entries.

Format

reset arp snooping { all | interface interface-type interface-number | vlan vlan-id | ip-address ip-address | mac-address mac-address }

Parameters

Parameter Description Value
all

Clears all ARP snooping entries.

-
interface interface-type interface-number

Clears ARP snooping entries on an interface that has the specified interface type and number.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-
vlan vlan-id

Clears ARP snooping entries in a specified VLAN.

The value is an integer in the range from 1 to 4094.

ip-address ip-address

Clears ARP snooping entries of the specified IP address.

The value is in dotted decimal notation.

mac-address mac-address

Clears ARP snooping entries of the specified MAC address.

The value is in H-H-H format, in which H is a hexadecimal number of 1 to 4 digits, such as 00e0 and fc01. If you enter fewer than four hexadecimal digits in a group, 0s are added before the input digits. For example, if e0 is entered, 00e0 is displayed. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address.

Views

User view

Default Level

3: Management level

Usage Guidelines

To view only the ARP snooping entries learned after a specified time, first clear the existing entries by running the reset arp snooping command; new entries are then generated from that point on.

Example

# Clear ARP snooping entries.

<HUAWEI> reset arp snooping all
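The following added example is not Huawei's code; it is a small Python helper for operators who generate reset arp snooping commands from scripts. It canonicalises the H-H-H MAC notation described in the Parameters table (zero-padding each group, rejecting the broadcast, all-zero and multicast values the command does not accept) and checks the vlan-id range before emitting the command line. The interface selector is assumed to be passed as a ready-made "type number" string.

```python
import ipaddress
import re

# H-H-H form from the mac-address parameter: three groups of 1-4 hex digits.
_HHH = re.compile(r"^([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})$")


def normalize_hhh_mac(text: str) -> str:
    """Canonicalise a MAC given in H-H-H notation to 'hhhh-hhhh-hhhh'.

    Each group is zero-padded to four digits (e0 -> 00e0), as the reference
    describes. Raises ValueError for malformed input and for the values the
    command rejects: FFFF-FFFF-FFFF, 0000-0000-0000 and multicast addresses.
    """
    m = _HHH.match(text.strip())
    if not m:
        raise ValueError(f"not in H-H-H format: {text!r}")
    groups = [g.lower().zfill(4) for g in m.groups()]
    octets = bytes.fromhex("".join(groups))  # six octets
    if octets == b"\xff" * 6:
        raise ValueError("broadcast address FFFF-FFFF-FFFF is not allowed")
    if octets == b"\x00" * 6:
        raise ValueError("all-zero address 0000-0000-0000 is not allowed")
    if octets[0] & 0x01:  # I/G bit of the first octet set -> multicast MAC
        raise ValueError("multicast MAC addresses are not allowed")
    return "-".join(groups)


def build_reset_arp_snooping(**selector) -> str:
    """Build one `reset arp snooping` command line from exactly one selector
    keyword (all, interface, vlan, ip_address, mac_address), checking the
    value ranges given in the Parameters table before emitting it."""
    if len(selector) != 1:
        raise ValueError("exactly one selector is required")
    (key, value), = selector.items()
    if key == "all":
        return "reset arp snooping all"
    if key == "interface":  # assumed pre-formed, e.g. "gigabitethernet 1/0/1"
        return f"reset arp snooping interface {value}"
    if key == "vlan":
        if not 1 <= int(value) <= 4094:
            raise ValueError("vlan-id must be in the range 1 to 4094")
        return f"reset arp snooping vlan {int(value)}"
    if key == "ip_address":  # dotted decimal; IPv4Address rejects anything else
        return f"reset arp snooping ip-address {ipaddress.IPv4Address(value)}"
    if key == "mac_address":
        return f"reset arp snooping mac-address {normalize_hhh_mac(value)}"
    raise ValueError(f"unknown selector {key!r}")
```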
Updated: 2019-04-09

Document ID: EDOC1100065659
