The arp snooping anti-attack check enable command enables ARP snooping detection on an interface.
The undo arp snooping anti-attack check enable command disables ARP snooping detection on an interface.
By default, ARP snooping detection is disabled on an interface.
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view
Usage Scenario
In a man-in-the-middle (MITM) attack, forged ARP packets cause two communicating devices to learn an incorrect IP-to-MAC mapping for each other, so traffic of authorized users is routed through, and intercepted by, the attacker. To prevent this, enable ARP snooping detection on the device. Once it is enabled, the device compares the source IP address, source MAC address, port number (inbound interface), and VLAN of each received ARP packet with the ARP snooping table, keyed by source IP address and VLAN:
If no ARP snooping entry with the same source IP address and VLAN exists, the device creates one from the packet.
If such an entry exists and the source MAC address and port number also match, the device treats the sender as a valid user and forwards the ARP packet.
If such an entry exists but the source MAC address or port number differs, the device discards the ARP packet.
Because an entry is populated from the first ARP packet seen for a given source IP address and VLAN, detection should be enabled before untrusted hosts can inject ARP traffic on the interface.
Prerequisites
ARP snooping has been enabled globally and on the interface using the arp snooping enable command.
Example
# Enable ARP snooping detection on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] arp snooping enable
[HUAWEI] arp snooping anti-attack entry-check fixed-mac enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp snooping enable
[HUAWEI-GigabitEthernet0/0/1] arp snooping anti-attack check enable
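The following Python model is an added illustration of the matching rule described under Usage Scenario; it is not Huawei code and does not reproduce the switch's data structures. The ArpPacket fields, the ArpSnoopingTable class, the verdict strings "learn", "pass" and "drop", and the sample packets are all constructed for this example. It shows a spoofed packet (another MAC and port claiming the same IP in the same VLAN) being discarded, the same IP in a different VLAN being learned as a separate entry, and the first-seen packet populating an entry.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArpPacket:
    """The fields of a received ARP packet that the check compares (constructed model)."""
    src_ip: str
    src_mac: str
    port: str   # inbound interface
    vlan: int


class ArpSnoopingTable:
    """Toy model of the ARP snooping table.

    Entries are keyed by (source IP, VLAN) and store the (source MAC, port)
    observed when the entry was learned, as described in the usage scenario.
    """

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, int], Tuple[str, str]] = {}

    def check(self, pkt: ArpPacket) -> str:
        key = (pkt.src_ip, pkt.vlan)
        binding = (pkt.src_mac, pkt.port)
        entry = self.entries.get(key)
        if entry is None:
            # No entry with the same source IP and VLAN: learn it from this packet.
            self.entries[key] = binding
            return "learn"
        if entry == binding:
            # Same IP/VLAN and the MAC and port also match: valid user, forward.
            return "pass"
        # Same IP/VLAN but MAC or port differs: treated as forged, discarded.
        return "drop"


# Constructed sample traffic, not captured from a real device.
SAMPLE_PACKETS: List[ArpPacket] = [
    ArpPacket("192.0.2.10", "00:11:22:33:44:55", "GE0/0/1", 10),  # host A, first seen
    ArpPacket("192.0.2.10", "00:11:22:33:44:55", "GE0/0/1", 10),  # host A again
    ArpPacket("192.0.2.10", "de:ad:be:ef:00:01", "GE0/0/2", 10),  # attacker claims A's IP
    ArpPacket("192.0.2.10", "00:11:22:33:44:55", "GE0/0/2", 10),  # A's MAC from the wrong port
    ArpPacket("192.0.2.10", "00:11:22:33:44:55", "GE0/0/1", 20),  # same IP, other VLAN
    ArpPacket("192.0.2.1", "de:ad:be:ef:00:01", "GE0/0/2", 10),   # attacker's own IP
]


def run_check(packets: List[ArpPacket] = SAMPLE_PACKETS) -> List[str]:
    """Run every packet through a fresh table and return the verdict per packet."""
    table = ArpSnoopingTable()
    return [table.check(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_check()):
        print(f"{verdict:5s} ip={pkt.src_ip} mac={pkt.src_mac} port={pkt.port} vlan={pkt.vlan}")
```

The fourth packet is dropped even though the MAC is the legitimate one, because the port differs from the learned entry; a host that moves between ports therefore needs its entry to age out or be cleared before its ARP traffic passes again. The last packet shows the flip side of the rule: an attacker's own, previously unseen IP is simply learned, so whoever sends the first packet for an IP/VLAN pair defines the binding.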