The arp anti-attack check user-bind enable command enables DAI on an interface, BD, or in a VLAN. DAI enables the device to check ARP packets based on binding entries.
The undo arp anti-attack check user-bind enable command disables DAI on an interface, BD, or in a VLAN.
By default, DAI is disabled on an interface, BD, or in a VLAN.
Only the S5720-HI, S5730-HI, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, S5732-H, S5731-S, S5731S-S, S5731S-H, and S5731-H can be configured in the BD view.
VLAN view, Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, 25GE interface view, 100GE interface view, MultiGE interface view, port group view, Eth-Trunk interface view, BD view
Usage Scenario
To prevent MITM attacks and theft of authorized user information, run the arp anti-attack check user-bind enable command to enable DAI. When a device receives an ARP packet, it compares the source IP address, source MAC address, interface number, VLAN ID, or BD ID of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.
You can enable DAI in the interface view, BD view, or VLAN view. When DAI is enabled in an interface view, the device checks all ARP packets received on that interface against binding entries. When DAI is enabled in the VLAN view or BD view, the device checks ARP packets received on the interfaces that belong to that VLAN or BD against binding entries.
Follow-up Procedure
Run the arp anti-attack check user-bind check-item (interface view) or arp anti-attack check user-bind check-item (VLAN or BD view) command to configure check items for ARP packet check based on binding entries.
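The following Python model illustrates the decision described in the Usage Scenario and the effect of the check items configured by the check-item command: a packet is only examined when DAI is enabled on its ingress interface or its VLAN, and it is forwarded only if the selected fields all match one binding entry. This is an added simulation for illustration, not device code from the product; the binding table, packet fields, interface names and the check-item names ("ip", "mac", "interface", "vlan") are assumptions chosen for the example.

```python
"""Simulation of the DAI check based on binding entries (illustrative, not device code).
The binding table, packets and check-item names below are constructed for the example."""
from dataclasses import dataclass
from typing import Sequence, Set


@dataclass(frozen=True)
class Binding:
    """One binding entry: the IP/MAC/interface/VLAN tuple the device trusts for a host."""
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    """The fields of a received ARP packet that DAI compares with binding entries."""
    sender_ip: str
    sender_mac: str
    ingress_interface: str
    vlan: int


# Constructed sample binding table (what a DHCP snooping or static binding table would hold).
BINDINGS = (
    Binding("10.0.0.11", "00:11:22:33:44:55", "GigabitEthernet0/0/1", 10),
    Binding("10.0.0.12", "00:11:22:33:44:66", "GigabitEthernet0/0/2", 10),
)
# Where "arp anti-attack check user-bind enable" was run: one interface view and one VLAN view.
DAI_INTERFACES: Set[str] = {"GigabitEthernet0/0/1"}
DAI_VLANS: Set[int] = {10}
# Assumed check-item names; the device's check-item command selects which fields are compared.
ALL_CHECK_ITEMS: Sequence[str] = ("ip", "mac", "interface", "vlan")


def dai_in_scope(pkt: ArpPacket, interfaces: Set[str], vlans: Set[int]) -> bool:
    """DAI applies when enabled on the ingress interface or on the packet's VLAN."""
    return pkt.ingress_interface in interfaces or pkt.vlan in vlans


def matches_binding(pkt: ArpPacket, binding: Binding, check_items: Sequence[str]) -> bool:
    """True when every selected check item agrees between the packet and the binding."""
    comparisons = {
        "ip": pkt.sender_ip == binding.ip,
        "mac": pkt.sender_mac.lower() == binding.mac.lower(),
        "interface": pkt.ingress_interface == binding.interface,
        "vlan": pkt.vlan == binding.vlan,
    }
    return all(comparisons[item] for item in check_items)


def dai_verdict(pkt: ArpPacket,
                bindings: Sequence[Binding] = BINDINGS,
                check_items: Sequence[str] = ALL_CHECK_ITEMS,
                interfaces: Set[str] = DAI_INTERFACES,
                vlans: Set[int] = DAI_VLANS) -> str:
    """Return 'unchecked' (DAI not enabled for this packet), 'forward' or 'drop'."""
    if not dai_in_scope(pkt, interfaces, vlans):
        return "unchecked"
    if any(matches_binding(pkt, b, check_items) for b in bindings):
        return "forward"
    return "drop"


# Constructed sample packets.
LEGIT = ArpPacket("10.0.0.11", "00:11:22:33:44:55", "GigabitEthernet0/0/1", 10)
# Same MAC and port as the bound host on GE0/0/1, but the sender IP belongs to another host.
SPOOFED_IP = ArpPacket("10.0.0.12", "00:11:22:33:44:55", "GigabitEthernet0/0/1", 10)
# Correct IP/MAC pair of the host bound to GE0/0/2, but arriving on GE0/0/1.
MOVED_PORT = ArpPacket("10.0.0.12", "00:11:22:33:44:66", "GigabitEthernet0/0/1", 10)
# VLAN 20 on GE0/0/3: DAI is enabled on neither, so the packet is not examined at all.
OUT_OF_SCOPE = ArpPacket("10.0.20.5", "00:11:22:33:44:77", "GigabitEthernet0/0/3", 20)

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("spoofed_ip", SPOOFED_IP),
                      ("moved_port", MOVED_PORT), ("out_of_scope", OUT_OF_SCOPE)]:
        print(f"{name:13s} all items: {dai_verdict(pkt):9s} "
              f"ip+mac only: {dai_verdict(pkt, check_items=('ip', 'mac'))}")
```

The MOVED_PORT case shows why the choice of check items matters: with all four items the packet is dropped because the interface does not match its binding, whereas checking only IP and MAC lets it through. The OUT_OF_SCOPE case shows that DAI never rejects traffic on interfaces or VLANs where it has not been enabled; add VLAN 20 to the enabled set and the same packet is dropped for lack of a binding.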
Precautions
When resources are sufficient, DAI can be enabled in a maximum of 10 VLANs.