The arp anti-attack check user-bind check-item command configures check items for ARP packet check based on binding entries on an interface.
The undo arp anti-attack check user-bind check-item command restores the default check items.
By default, the check items consist of IP address, MAC address, and VLAN ID.
arp anti-attack check user-bind check-item { ip-address | mac-address | vlan } *
undo arp anti-attack check user-bind check-item
Parameter | Description | Value |
---|---|---|
ip-address | Indicates that the device checks IP addresses in ARP packets. | - |
mac-address | Indicates that the device checks MAC addresses in ARP packets. | - |
vlan | Indicates that the device checks VLAN IDs in ARP packets. | - |
Views
Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, 25GE interface view, 100GE interface view, MultiGE interface view, port group view, Eth-Trunk interface view
Usage Scenario
When a device receives an ARP packet, it compares the source IP address, source MAC address, and VLAN ID of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.
To allow some special ARP packets that match only one or two items in binding entries to pass through, use the arp anti-attack check user-bind check-item command to configure the device to check ARP packets according to one or two specified items in binding entries.
Prerequisites
Dynamic ARP inspection (DAI) has been enabled on the interface using the arp anti-attack check user-bind enable command.
Precautions
Check items configured for ARP packet check based on binding entries do not take effect on hosts that are configured with static binding entries. ARP packets from these hosts are checked against all items in the static binding entries.
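The following added example (not vendor code and not part of the original page) models the matching logic described under Usage Scenario and Precautions, to show what a reduced check-item set lets through. The Binding and ArpPacket types, the arp_check function, and all addresses are constructed for illustration; the per-entry handling of static bindings is a simplifying assumption about how the precaution applies.

```python
from typing import NamedTuple

ALL_ITEMS = frozenset({"ip-address", "mac-address", "vlan"})  # default check items

class Binding(NamedTuple):          # hypothetical model of a binding entry
    ip: str
    mac: str
    vlan: int
    static: bool = False            # True for a statically configured entry

class ArpPacket(NamedTuple):        # hypothetical model of a received ARP packet
    src_ip: str
    src_mac: str
    vlan: int

def _entry_matches(pkt, entry, items):
    # Assumption: a static entry ignores the configured check items
    # and is always compared on every field.
    if entry.static:
        items = ALL_ITEMS
    return (("ip-address" not in items or pkt.src_ip == entry.ip)
            and ("mac-address" not in items or pkt.src_mac.lower() == entry.mac.lower())
            and ("vlan" not in items or pkt.vlan == entry.vlan))

def arp_check(pkt, bindings, check_items=ALL_ITEMS):
    """Return 'permit' if the packet matches a binding entry, else 'discard'."""
    items = frozenset(check_items)
    if not items or not items <= ALL_ITEMS:
        raise ValueError(f"check items must be a non-empty subset of {sorted(ALL_ITEMS)}")
    return "permit" if any(_entry_matches(pkt, b, items) for b in bindings) else "discard"

# Constructed sample data (not from the page).
BINDINGS = [
    Binding("10.0.0.10", "00e0-fc12-3456", 10),               # dynamic entry
    Binding("10.0.0.20", "00e0-fc65-4321", 10, static=True),  # static entry
]
valid = ArpPacket("10.0.0.10", "00e0-fc12-3456", 10)
wrong_mac = ArpPacket("10.0.0.10", "00e0-fcaa-bbbb", 10)         # bound IP, unbound MAC
wrong_mac_static = ArpPacket("10.0.0.20", "00e0-fcaa-bbbb", 10)  # same, for the static host

if __name__ == "__main__":
    for name, pkt in [("valid", valid), ("wrong_mac", wrong_mac),
                      ("wrong_mac_static", wrong_mac_static)]:
        print(name, "| default:", arp_check(pkt, BINDINGS),
              "| ip-address only:", arp_check(pkt, BINDINGS, {"ip-address"}))
```

With only ip-address checked, the packet carrying a bound IP address and an unbound MAC address is permitted for the dynamic entry but still discarded for the static one, so any relaxation should be limited to interfaces that actually need it.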