
arp anti-attack check user-bind enable (network enhanced profile view)

Function

The arp anti-attack check user-bind enable command configures dynamic ARP inspection (DAI) in a network enhanced profile.

The undo arp anti-attack check user-bind enable command disables DAI in a network enhanced profile.

By default, DAI is not configured in a network enhanced profile.

This command can only be executed on a parent switch.

Format

arp anti-attack check user-bind enable

undo arp anti-attack check user-bind enable

Parameters

None

Views

Network enhanced profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After creating a network enhanced profile, you can configure DAI in the profile. After the profile is bound to an AS port, DAI is automatically enabled on the port. The following configuration is generated on the AS port:
#
 arp anti-attack rate-limit enable
 arp anti-attack rate-limit packet 5 interval 1
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
#

You can configure DAI to prevent man-in-the-middle (MITM) attacks and theft of authorized user information. When a device receives an ARP packet, it compares the source IP address, source MAC address, interface number, and VLAN ID of the ARP packet with DHCP snooping binding entries. If the ARP packet matches a binding entry, the device allows the packet to pass through. If the ARP packet does not match any binding entry, the device discards the packet.
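
The binding check described above, modelled as an added Python example (not Huawei code): it parses an ARP frame and compares sender IP, sender MAC, VLAN and ingress interface with a constructed binding table. The table layout, the function names, the use of the ARP payload's sender fields and the port-VLAN fallback for untagged frames are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Constructed binding entries (IP, MAC, VLAN, interface); not taken from a device.
BINDINGS = {
    ("10.1.1.10", "00:e0:fc:12:34:56", 10, "GE0/0/1"),
    ("10.1.1.11", "00:e0:fc:ab:cd:ef", 10, "GE0/0/2"),
}

def parse_arp(frame):
    """Return (sender_ip, sender_mac, vlan_or_None), or None if not IPv4/Ethernet ARP."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == 0x8100:  # 802.1Q tag: 2-byte TCI, then the real EtherType
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        offset, vlan = 18, tci & 0x0FFF
    if ethertype != 0x0806 or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen = struct.unpack("!HHBB", frame[offset:offset + 6])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = frame[offset + 8:offset + 14]   # sender hardware address
    spa = frame[offset + 14:offset + 18]  # sender protocol address
    return str(IPv4Address(spa)), ":".join(f"{b:02x}" for b in sha), vlan

def dai_check(frame, interface, pvid, bindings=BINDINGS):
    """Forward only if (IP, MAC, VLAN, interface) matches a binding entry."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "discard"  # modelling choice (assumption): unparsable ARP is dropped
    ip, mac, vlan = parsed
    # Assumption: an untagged frame is checked against the port's VLAN (pvid).
    key = (ip, mac, vlan if vlan is not None else pvid, interface)
    return "forward" if key in bindings else "discard"

def build_arp(sender_mac, sender_ip, vlan=None):
    """Build a constructed ARP request frame for the checks."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + IPv4Address("10.1.1.1").packed  # target MAC / target IP
    return b"\xff" * 6 + sha + tag + struct.pack("!H", 0x0806) + arp
```

A host that keeps its own MAC but claims another host's IP, or replays a valid IP/MAC pair on a different port or VLAN, fails the lookup and is discarded.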

Prerequisites

DHCP snooping has been enabled in the network enhanced profile using the dhcp snooping enable command.

Example

# Enable DAI in a network enhanced profile.

<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] network-enhanced-profile name profile_1
[HUAWEI-um-net-enhanced-profile_1] dhcp snooping enable
[HUAWEI-um-net-enhanced-profile_1] arp anti-attack check user-bind enable
Copyright © Huawei Technologies Co., Ltd.