The arp anti-attack packet-check command enables ARP packet validity check and specifies check items.
The undo arp anti-attack packet-check command disables ARP packet validity check.
By default, ARP packet validity check is disabled.
arp anti-attack packet-check { ip | dst-mac | sender-mac } *
undo arp anti-attack packet-check [ ip | dst-mac | sender-mac ] *
| Parameter | Description | Value |
|---|---|---|
| ip | Indicates ARP packet validity check based on the IP address. | - |
| dst-mac | Indicates ARP packet validity check based on the destination MAC address. | - |
| sender-mac | Indicates ARP packet validity check based on the source MAC address. | - |
Usage Scenario
To avoid ARP attacks, you can use the arp anti-attack packet-check command to enable ARP packet validity check on an access device or a gateway to filters out ARP packets with invalid IP addresses or MAC addresses. The device checks validity of an ARP packet based on each or any combination of the following items:
Source and destination IP addresses: The device checks the source and destination IP addresses in an ARP packet. If the source or destination IP address is all 0s, all 1s, or a multicast IP address, the device discards the packet as an invalid packet. The device checks both the source and destination IP addresses in an ARP Reply packet but checks only the source IP address in an ARP Request packet.
Source MAC address: The device compares the source MAC address in an ARP packet with that in the Ethernet frame header. If they are the same, the packet is valid. If they are different, the device discards the packet.
Destination MAC address: The device compares the destination MAC address in an ARP packet with that in the Ethernet frame header. If they are the same, the packet is valid. If they are different, the device discards the packet.
Precautions
Generally, packets with different source and destination MAC addresses in the ARP packet and Ethernet frame header are allowed by the ARP protocol. When an attack occurs, capture and analyze packets. If the attack is initiated by using inconsistent source or destination MAC addresses in the ARP packet and Ethernet frame header, enable ARP packet validity check based on the source or destination MAC address.
If you run the arp anti-attack packet-check sender-mac command multiple times, all the check items specified in these commands take effect.