
arp anti-attack entry-check enable

Function

The arp anti-attack entry-check enable command enables ARP entry fixing.

The undo arp anti-attack entry-check enable command disables ARP entry fixing.

By default, ARP entry fixing is disabled.

Format

arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

undo arp anti-attack entry-check [ fixed-mac | fixed-all | send-ack ] enable

Parameters

Parameter: fixed-mac
Description: Indicates ARP entry fixing in fixed-mac mode. When receiving an ARP packet, the device discards the packet if the MAC address does not match the MAC address in the corresponding ARP entry. If the MAC address in the ARP packet matches that in the corresponding ARP entry while the interface number or VLAN ID does not match that in the ARP entry, the device updates the interface number or VLAN ID in the ARP entry.
Value: -

Parameter: fixed-all
Description: Indicates ARP entry fixing in fixed-all mode. When the MAC address, interface number, and VLAN ID of an ARP packet match those in the corresponding ARP entry, the device updates other information about the ARP entry.
Value: -

Parameter: send-ack
Description: Indicates ARP entry fixing in send-ack mode. When the device receives an ARP packet with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and then determines whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response from the user.
Value: -

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To defend against ARP address spoofing attacks, enable ARP entry fixing. The fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive:
  • The fixed-mac mode applies to networks where user MAC addresses are unchanged but user access locations often change. When a user connects to a different interface on the device, the device promptly updates the interface information in that user's ARP entry.
  • The fixed-all mode applies to networks where user MAC addresses and user access locations are fixed.
  • The send-ack mode applies to networks where user MAC addresses and user access locations often change.
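The decision each mode makes for an incoming ARP packet, as an added Python model that is not part of the Huawei documentation or the device software. The ArpInfo record, the entry_check function and the interpretation of the send-ack probe (a reply from the original owner keeps the entry, no reply accepts the change) are assumptions; the page states only that the outcome depends on the response.

```python
from dataclasses import dataclass, replace
from typing import Callable, Tuple

# Constructed model of one ARP entry or one received ARP packet (not the device's data structure).
@dataclass(frozen=True)
class ArpInfo:
    ip: str
    mac: str
    interface: str
    vlan: int

def entry_check(mode: str, entry: ArpInfo, pkt: ArpInfo,
                original_owner_replies: Callable[[ArpInfo], bool] = lambda e: False,
                ) -> Tuple[str, ArpInfo]:
    """Apply the selected entry-check mode to a packet that claims entry.ip.

    Returns (action, resulting entry). original_owner_replies models the unicast
    ARP Request that send-ack mode sends to entry.ip at the original MAC and
    returns True if that user answered. Assumption: an answer means the original
    binding is still alive and the entry is kept; no answer means the change is accepted.
    """
    assert pkt.ip == entry.ip, "packet must be for the entry being checked"
    mac_match = pkt.mac == entry.mac
    loc_match = pkt.interface == entry.interface and pkt.vlan == entry.vlan
    if mode == "fixed-mac":
        if not mac_match:
            return "discard", entry            # MAC differs from the entry: packet is dropped
        if not loc_match:                      # same MAC, new interface/VLAN: follow the user
            return "update-location", replace(entry, interface=pkt.interface, vlan=pkt.vlan)
        return "refresh", entry
    if mode == "fixed-all":
        if mac_match and loc_match:
            return "refresh", entry            # only other entry details may be refreshed
        return "ignore", entry                 # MAC, interface and VLAN are all frozen
    if mode == "send-ack":
        if mac_match and loc_match:
            return "refresh", entry
        if original_owner_replies(entry):      # original owner still answers: keep the binding
            return "keep", entry
        return "update-all", replace(entry, mac=pkt.mac, interface=pkt.interface, vlan=pkt.vlan)
    raise ValueError(f"unknown entry-check mode: {mode}")
```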

Precautions

After ARP entry fixing is enabled, the function that updates ARP entries when MAC address entries change (configured by the mac-address update arp command) becomes invalid.

In send-ack mode, the device can record a maximum of 100 ARP entries in the ARP Request packets intended to trigger ARP entry modification.

If you run the arp anti-attack entry-check enable command in the system view, ARP entry fixing is enabled on all interfaces. If you run the arp anti-attack entry-check enable command in the interface view, ARP entry fixing is enabled on the specified interface.

If ARP entry fixing is enabled globally and on a VLANIF interface simultaneously, the configuration on the VLANIF interface takes precedence over the global configuration.

Example

# Enable ARP entry fixing and specify the fixed-mac mode.
<HUAWEI> system-view
[HUAWEI] arp anti-attack entry-check fixed-mac enable
Copyright © Huawei Technologies Co., Ltd.