The arp anti-attack check user-bind check-item command configures check items for ARP packet check based on binding entries in a VLAN or BD.
The undo arp anti-attack check user-bind check-item command restores the default check items.
By default, the check items consist of IP address, MAC address, and interface number.
Only the S5720-HI, S5730-HI, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, S5732-H, S5731-S, S5731S-S, S5731S-H, and S5731-H can be configured in the BD view.
arp anti-attack check user-bind check-item { ip-address | mac-address | interface } *
undo arp anti-attack check user-bind check-item
Parameter | Description | Value |
---|---|---|
ip-address | Indicates that the device checks IP addresses in ARP packets. | - |
mac-address | Indicates that the device checks MAC addresses in ARP packets. | - |
interface | Indicates that the device checks interface numbers in ARP packets. | - |
Usage Scenario
When a device receives an ARP packet, it compares the source IP address, source MAC address, and interface number of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.
To allow some special ARP packets that match only one or two items in binding entries to pass through, configure the device to check ARP packets according to one or two specified items in binding entries.
Prerequisites
Dynamic ARP inspection (DAI) has been enabled in the VLAN or BD using the arp anti-attack check user-bind enable command.
Precautions
Check items configured for ARP packet check based on binding entries do not take effect on hosts that are configured with static binding entries. These hosts check ARP packets based on all items in static binding entries.
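The following Python model is an added example, not Huawei code or device output. It shows how the selected check items change which ARP packets pass the binding-entry check described under Usage Scenario, and how static entries keep the full three-item check described under Precautions. The class and function names, the any-entry matching rule, and all addresses, MACs and interface names are assumptions constructed for illustration.

```python
# Simplified model of the binding-entry ARP check (illustrative, not device code).
from dataclasses import dataclass

ALL_ITEMS = frozenset({"ip-address", "mac-address", "interface"})  # default check items

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    static: bool = False  # static entries are always checked on all items

@dataclass(frozen=True)
class ArpPacket:
    src_ip: str
    src_mac: str
    in_interface: str

def _matches(pkt, entry, items):
    checks = {
        "ip-address": pkt.src_ip == entry.ip,
        "mac-address": pkt.src_mac.lower() == entry.mac.lower(),
        "interface": pkt.in_interface == entry.interface,
    }
    return all(checks[i] for i in items)

def dai_permits(pkt, bindings, check_items=ALL_ITEMS):
    """Return True if pkt matches a binding entry under the given check items."""
    items = frozenset(check_items)
    if not items or not items <= ALL_ITEMS:
        raise ValueError(f"invalid check items: {sorted(items)}")
    # Assumption: a packet passes if any single entry matches it.
    return any(_matches(pkt, e, ALL_ITEMS if e.static else items) for e in bindings)

# Constructed sample data (documentation IP range, made-up MACs and ports).
BINDINGS = [
    Binding("192.0.2.10", "00e0-fc00-0010", "GE0/0/1"),
    Binding("192.0.2.20", "00e0-fc00-0020", "GE0/0/2", static=True),
]
SAME_HOST_NEW_NIC = ArpPacket("192.0.2.10", "00e0-fc00-00aa", "GE0/0/1")
STATIC_WRONG_MAC = ArpPacket("192.0.2.20", "00e0-fc00-00bb", "GE0/0/2")

if __name__ == "__main__":
    for items in (ALL_ITEMS, {"ip-address", "interface"}, {"ip-address"}):
        print(sorted(items),
              dai_permits(SAME_HOST_NEW_NIC, BINDINGS, items),
              dai_permits(STATIC_WRONG_MAC, BINDINGS, items))
```

Every item removed from the check widens what the device accepts for dynamic entries, so select only the items the special ARP packets actually require.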