
arp anti-attack check user-bind enable

Function

The arp anti-attack check user-bind enable command enables dynamic ARP inspection (DAI).

The undo arp anti-attack check user-bind enable command disables DAI.

By default, DAI is disabled.

Format

arp anti-attack check user-bind enable

undo arp anti-attack check user-bind enable

Parameters

None

Views

VAP profile view

Default Level

2: Configuration level

Usage Guidelines

DAI allows an AP to check the ARP Request and Reply packets transmitted on its VAPs, discard invalid and attack ARP packets, and send an alarm to the connected AC. This function prevents ARP packets of unauthorized users from reaching the external network through the AP, which protects authorized users against interference or spoofing and also protects the AP.

  • Invalid ARP packets: ARP Request and Reply packets whose source IP and MAC addresses do not match.
  • Attack ARP packets: An AP receives a large number of consecutive ARP packets, and the number of ARP packets exceeds the ARP attack alarm threshold. This is treated as an ARP attack.
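
The two checks described above, sketched in Python as an added example (not Huawei's implementation and not code from this page). The binding table contents, the threshold of 5 and the one-second counting window are assumptions chosen for illustration, and all packets are constructed.

```python
import socket
import struct
from collections import deque

# Constructed sample bindings (IP -> MAC); the source of the real bindings is an assumption.
BINDINGS = {"192.168.10.21": "00:11:22:33:44:55", "192.168.10.22": "00:11:22:33:44:66"}

def parse_arp(payload):
    """Return (opcode, sender MAC, sender IP) from an Ethernet/IPv4 ARP body."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa = struct.unpack("!HHBBH6s4s", payload[:18])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        raise ValueError("not an Ethernet/IPv4 ARP Request or Reply")
    return oper, ":".join(f"{b:02x}" for b in sha), socket.inet_ntoa(spa)

def build_arp(oper, sender_mac, sender_ip, target_ip):
    """Build a constructed ARP body (oper 1 = Request, 2 = Reply) for the demo."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha,
                       socket.inet_aton(sender_ip), b"\x00" * 6, socket.inet_aton(target_ip))

class ArpInspector:
    def __init__(self, bindings, threshold=5, window=1.0):
        # threshold and window are hypothetical values, not device defaults
        self.bindings = {ip: mac.lower() for ip, mac in bindings.items()}
        self.threshold, self.window = threshold, window
        self.seen = deque()  # arrival times of recent ARP packets

    def inspect(self, payload, now):
        """Classify one ARP packet as 'forward', 'invalid' or 'attack'."""
        self.seen.append(now)
        while now - self.seen[0] > self.window:
            self.seen.popleft()
        if len(self.seen) > self.threshold:
            return "attack"   # count above the alarm threshold: discard and alarm
        try:
            _, mac, ip = parse_arp(payload)
        except ValueError:
            return "invalid"
        if self.bindings.get(ip) != mac:
            return "invalid"  # sender IP/MAC pair does not match a binding: discard
        return "forward"

def demo():
    dai = ArpInspector(BINDINGS)
    good = build_arp(1, "00:11:22:33:44:55", "192.168.10.21", "192.168.10.1")
    spoof = build_arp(2, "00:11:22:33:44:99", "192.168.10.22", "192.168.10.21")
    results = [dai.inspect(good, 0.0), dai.inspect(spoof, 0.1)]
    # Seven packets within 60 ms: the sixth and seventh exceed the threshold of 5.
    return results + [dai.inspect(good, 10.0 + i * 0.01) for i in range(7)]
```

Calling `demo()` returns one verdict per packet: the matching Request is forwarded, the Reply with a mismatched sender MAC is invalid, and the burst is flagged once it passes the threshold.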

Example

# Enable DAI.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] vap-profile name vap1
[HUAWEI-wlan-vap-prof-vap1] arp anti-attack check user-bind enable  
Copyright © Huawei Technologies Co., Ltd.