
arp snooping anti-attack entry-check enable

Function

The arp snooping anti-attack entry-check enable command enables ARP snooping entry fixing.

The undo arp snooping anti-attack entry-check enable command disables ARP snooping entry fixing.

By default, ARP snooping entry fixing is disabled.

Format

arp snooping anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

undo arp snooping anti-attack entry-check [ fixed-mac | fixed-all | send-ack ] enable

Parameters

Parameter: fixed-mac
Description: Indicates ARP snooping entry fixing in fixed-mac mode. When receiving an ARP packet, the device discards the packet if its MAC address does not match the MAC address in the corresponding ARP snooping entry. If the MAC address in the ARP packet matches that in the corresponding ARP snooping entry while the interface information does not match that in the ARP snooping entry, the device updates the interface information in the ARP snooping entry.
Value: -

Parameter: fixed-all
Description: Indicates ARP snooping entry fixing in fixed-all mode. When the MAC address and interface information of an ARP packet match those in the corresponding ARP snooping entry, the device updates other information in the ARP snooping entry.
Value: -

Parameter: send-ack
Description: Indicates ARP snooping entry fixing in send-ack mode. When the device receives an ARP packet with a changed MAC address or different interface information, it does not immediately update the corresponding ARP snooping entry. Instead, the device sends a unicast ARP Request packet to the user corresponding to the original MAC address in the ARP snooping entry. If the device receives an ARP Reply packet from that user, the device does not update the ARP snooping entry. If the device does not receive an ARP Reply packet from that user, the device sends a unicast ARP Request packet to the user corresponding to the new MAC address. Regardless of whether the device receives an ARP Reply packet from this user, the device updates the ARP snooping entry based on the ARP packets sent from this user if this user continuously sends ARP Request packets to the device.
Value: -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker forges ARP packets, the device learns incorrect ARP snooping entries and, as a result, users cannot receive data packets. To prevent this problem, you can enable the ARP snooping entry fixing function on the device. Once a device with this function enabled has learned an ARP snooping entry, it either leaves the entry unchanged, updates only part of the entry, or sends a unicast ARP Request packet to check the validity of the new entry before updating it, depending on the mode. The device provides three ARP snooping entry fixing modes, each suited to a different scenario.

  • fixed-mac: This mode applies to networks where user MAC addresses are unchanged but user access locations often change. When a user connects to a different interface on the device, the device promptly updates the interface information in the user's ARP snooping entry.
  • fixed-all: This mode applies to networks where user MAC addresses and user access locations are fixed.
  • send-ack: This mode applies to networks where user MAC addresses and user access locations often change.

Prerequisites

ARP snooping has been enabled by running the arp snooping enable command in the system view.

Precautions

  • An ARP snooping entry is created based on the source IP address and VLAN information of an ARP packet. Therefore, ARP snooping entry fixing is performed only when the source IP address and VLAN information of an ARP packet are the same as those in an existing ARP snooping entry.
  • The three ARP snooping entry fixing modes are mutually exclusive.
  • Before disabling ARP snooping entry fixing, ensure that ARP snooping detection is disabled on all interfaces.
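The following is an added simulation, not Huawei code, of how the three entry-check modes described in the Parameters table and the Usage Scenario treat an ARP packet whose MAC address or ingress interface disagrees with the existing entry. It keys entries by (source IP, VLAN) as the first precaution states, so a packet for an unknown IP/VLAN pair is simply learned. The `probe` hook, the `seen` field standing in for the entry's "other information", and the use of a second packet from the new user to represent "continuously sends ARP Request packets" are assumptions of this simulation.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple

# Constructed simulation of the three ARP snooping entry fixing modes.
# Entries are keyed by (source IP, VLAN), as the Precautions state.
Key = Tuple[str, int]


@dataclass(frozen=True)
class SnoopEntry:
    ip: str
    vlan: int
    mac: str
    interface: str
    seen: int = 1  # stand-in for the "other information" a matching packet refreshes (assumption)


@dataclass(frozen=True)
class ArpPacket:
    ip: str         # sender IP address
    vlan: int       # VLAN the packet arrived in
    mac: str        # sender MAC address
    interface: str  # interface the packet arrived on


# Hypothetical probe hook: send a unicast ARP Request to (mac, interface) and
# report whether an ARP Reply came back. Only consulted in send-ack mode.
Probe = Callable[[str, str], bool]


class ArpSnoopingTable:
    def __init__(self, mode: str, probe: Optional[Probe] = None):
        if mode not in ("fixed-mac", "fixed-all", "send-ack"):
            raise ValueError(f"unknown entry-check mode: {mode}")
        self.mode = mode
        self.probe: Probe = probe or (lambda mac, iface: False)
        self.entries: Dict[Key, SnoopEntry] = {}
        # send-ack only: candidate (mac, interface) waiting for the new user to keep sending
        self.pending: Dict[Key, Tuple[str, str]] = {}

    def receive(self, pkt: ArpPacket) -> str:
        key = (pkt.ip, pkt.vlan)
        cur = self.entries.get(key)
        if cur is None:
            # No entry for this IP/VLAN: fixing does not apply, the entry is simply learned.
            self.entries[key] = SnoopEntry(pkt.ip, pkt.vlan, pkt.mac, pkt.interface)
            return "learned"
        if cur.mac == pkt.mac and cur.interface == pkt.interface:
            # Full match: every mode refreshes the remaining entry information.
            self.entries[key] = replace(cur, seen=cur.seen + 1)
            self.pending.pop(key, None)
            return "refreshed"
        if self.mode == "fixed-mac":
            if pkt.mac != cur.mac:
                return "discarded"          # MAC differs: the packet is dropped
            self.entries[key] = replace(cur, interface=pkt.interface)
            return "interface-updated"      # same MAC at a new location
        if self.mode == "fixed-all":
            return "rejected"               # MAC and interface must both match; entry untouched
        return self._send_ack(key, cur, pkt)

    def _send_ack(self, key: Key, cur: SnoopEntry, pkt: ArpPacket) -> str:
        candidate = (pkt.mac, pkt.interface)
        if self.pending.get(key) == candidate:
            # The new user kept sending after being probed: commit the new entry
            # (a second packet stands in for "continuously sends", an assumption here).
            self.entries[key] = SnoopEntry(pkt.ip, pkt.vlan, pkt.mac, pkt.interface)
            del self.pending[key]
            return "updated"
        if self.probe(cur.mac, cur.interface):
            self.pending.pop(key, None)
            return "kept"                   # original owner replied: entry stays as it is
        # No reply from the original owner: probe the new user. Its answer does not
        # decide the outcome; the entry changes only if the new user keeps sending.
        self.probe(pkt.mac, pkt.interface)
        self.pending[key] = candidate
        return "pending"


if __name__ == "__main__":
    # Constructed walk-through: a second MAC claims an IP already held in VLAN 10.
    table = ArpSnoopingTable("send-ack", probe=lambda mac, iface: mac == "00:11:22:33:44:55")
    print(table.receive(ArpPacket("10.0.0.5", 10, "00:11:22:33:44:55", "GE0/0/1")))
    print(table.receive(ArpPacket("10.0.0.5", 10, "00:11:22:33:44:66", "GE0/0/2")))
```

Running the script prints `learned` then `kept`: the original owner answers the unicast probe, so the conflicting packet does not overwrite the entry. Swapping the probe for one that never answers yields `pending` on the first conflicting packet and `updated` on the next one from the same new user.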

Example

# Enable ARP snooping entry fixing and specify the fixed-mac mode.

<HUAWEI> system-view
[HUAWEI] arp snooping enable
[HUAWEI] arp snooping anti-attack entry-check fixed-mac enable
Copyright © Huawei Technologies Co., Ltd.