display arp anti-attack configuration

Function

The display arp anti-attack configuration command displays the ARP anti-attack configuration.

Format

display arp anti-attack configuration { arp-rate-limit | arp-speed-limit | entry-check | arpmiss-rate-limit | arpmiss-speed-limit | gateway-duplicate | log-trap-timer | packet-check | all }

Only the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support arpmiss-rate-limit, arpmiss-speed-limit, and gateway-duplicate.

Parameters

| Parameter | Description | Value |
|---|---|---|
| arp-rate-limit | Displays the configuration of rate limit on ARP packets globally, in a VLAN, or on an interface. | - |
| arp-speed-limit | Displays the configuration of rate limit on ARP packets based on the source IP address or source MAC address. | - |
| entry-check | Displays the ARP entry fixing mode. | - |
| arpmiss-rate-limit | Displays the configuration of rate limit on ARP Miss messages globally, in a VLAN, or on an interface. | - |
| arpmiss-speed-limit | Displays the configuration of rate limit on ARP Miss messages based on the source IP address. | - |
| gateway-duplicate | Displays whether gateway anti-collision is enabled. | - |
| log-trap-timer | Displays the interval for sending ARP alarms. | - |
| packet-check | Displays whether ARP packet validity check is enabled. | - |
| all | Displays all ARP anti-attack configurations. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After all ARP anti-attack functions are configured, you can run this command to check all configurations.

Example

# Display the configuration of rate limit on ARP packets based on the source IP address or source MAC address.
<HUAWEI> display arp anti-attack configuration arp-speed-limit
ARP speed-limit for source-MAC configuration:                                   
MAC-address         suppress-rate(pps)(rate=0 means function disabled)          
------------------------------------------------------------------------------- 
All                 0                                                           
------------------------------------------------------------------------------- 
The number of configured specified MAC address(es) is 0, spec is 512.          
                                                                                
ARP speed-limit for source-IP configuration:                                    
IP-address          suppress-rate(pps)(rate=0 means function disabled)          
------------------------------------------------------------------------------- 
10.1.1.1            100                                                         
Others              0                                                          
------------------------------------------------------------------------------- 
The number of configured specified IP address(es) is 1, spec is 512.

# Display the configuration of rate limit on ARP Miss messages based on the source IP address.
<HUAWEI> display arp anti-attack configuration arpmiss-speed-limit
 ARP miss speed-limit for source-IP configuration:
 IP-address          suppress-rate(pps)(rate=0 means function disabled)
 ------------------------------------------------------------------------
 10.0.0.30/32        400
 Others              0 
 ------------------------------------------------------------------------
 The number of configured specified IP address(es) is 1, spec is 512.

# Display the ARP entry fixing mode.
<HUAWEI> display arp anti-attack configuration entry-check
 ARP anti-attack entry-check mode:                                              
 Vlanif      Mode                                                               
------------------------------------------------------------------------------- 
 All         send-ack                                                           
-------------------------------------------------------------------------------

# Display all ARP anti-attack configurations.
<HUAWEI> display arp anti-attack configuration all
ARP anti-attack packet-check configuration:
-------------------------------------------------------------------------------
Sender-MAC checking function: disable
Dst-MAC checking function: disable
IP checking function: disable
-------------------------------------------------------------------------------

ARP gateway-duplicate anti-attack function: disabled

ARP anti-attack log-trap-timer: 0 second(s)
(The log and trap timer of speed-limit, default is 0 and means disabled.)

ARP anti-attack entry-check mode:
Vlanif      Mode
-------------------------------------------------------------------------------
All         disabled
-------------------------------------------------------------------------------

ARP rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
  GigabitEthernet0/0/10 :
    arp anti-attack rate-limit enable
    arp anti-attack rate-limit packet 10 interval 1
VLAN configuration:
-------------------------------------------------------------------------------

ARP miss rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
VLAN configuration:
-------------------------------------------------------------------------------

ARP speed-limit for source-MAC configuration:
MAC-address         suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                 0
-------------------------------------------------------------------------------
The number of configured specified MAC address(es) is 0, spec is 512.

ARP speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                 0
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 0, spec is 512.

ARP miss speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All                 500
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 0, spec is 512.

Table 1 Description of the display arp anti-attack configuration all command output

Item

Description

ARP anti-attack packet-check configuration

Whether ARP packet validity check is enabled.

  • Sender-MAC checking function indicates that the source MAC address is checked.

  • Dst-MAC checking function indicates that the destination MAC address is checked.

  • IP checking function indicates that the IP address is checked.

You can run the arp anti-attack packet-check command to enable ARP packet validity check.

ARP gateway-duplicate anti-attack function

Whether ARP gateway anti-collision is enabled.

You can run the arp anti-attack gateway-duplicate enable command to enable ARP gateway anti-collision.

ARP anti-attack log-trap-timer

Interval for sending ARP alarms.

You can run the arp anti-attack log-trap-timer command to set the interval for sending ARP alarms.

ARP anti-attack entry-check mode

ARP entry fixing mode. Vlanif specifies the interface to which the ARP entry fixing mode is applied. The modes include:
  • fixed-mac
  • fixed-all
  • send-ack
  • disabled

You can run the arp anti-attack entry-check enable command to set the ARP entry fixing mode.

ARP rate-limit configuration

Configuration of rate limit on ARP packets.

  • Global configuration indicates the global configuration of rate limit on ARP packets.

  • Interface configuration indicates the configuration of rate limit on ARP packets on an interface.

  • VLAN configuration indicates the configuration of rate limit on ARP packets in a VLAN.

You can run the arp anti-attack rate-limit command to configure rate limit on ARP packets.

ARP miss rate-limit configuration

Configuration of rate limit on ARP Miss messages.

  • Global configuration indicates the global configuration of rate limit on ARP Miss messages.

  • Interface configuration indicates the configuration of rate limit on ARP Miss messages on an interface.

  • VLAN configuration indicates the configuration of rate limit on ARP Miss messages in a VLAN.

You can run the arp-miss anti-attack rate-limit command to configure rate limit on ARP Miss messages.

ARP speed-limit for source-MAC configuration

Rate limit on ARP packets based on the source MAC address.

You can run the arp speed-limit source-mac command to configure rate limit on ARP packets based on the source MAC address.

ARP speed-limit for source-IP configuration

Rate limit on ARP packets based on the source IP address.

You can run the arp speed-limit source-ip command to configure rate limit on ARP packets based on the source IP address.

ARP miss speed-limit for source-IP configuration

Rate limit on ARP Miss messages based on source IP addresses.

You can run the arp-miss speed-limit source-ip command to configure rate limit on ARP Miss messages based on the source IP address.

The number of configured specified MAC address(es) is 0, spec is 512.

Number (0) of the configured source MAC addresses based on which the rate of ARP packets or ARP Miss messages is limited, and the maximum value (512) allowed.

The number of configured specified IP address(es) is 1, spec is 512.

Number (1) of the configured source IP addresses based on which the rate of ARP packets or ARP Miss messages is limited, and the maximum value (512) allowed.

MAC-address

Rate limit on ARP packets based on a specified MAC address.
  • All indicates all MAC addresses.
  • Others indicates other MAC addresses except for the specified MAC address.

IP-address

Rate limit on ARP packets and ARP Miss messages based on a specified IP address.
  • All indicates all IP addresses.
  • Others indicates other IP addresses except for the specified IP address.

suppress-rate

Rate limit on ARP packets and ARP Miss messages. Value 0 indicates that the rate limit function is disabled for ARP packets and ARP Miss messages.

You can run the arp anti-attack rate-limit packet packet-number command to configure the rate limit of ARP packets, and run the arp-miss anti-attack rate-limit packet packet-number command to configure the rate limit of ARP Miss messages.
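
Added example (not part of the Huawei documentation): a Python check that parses the text layout shown in the examples above and lists every protection the output reports as off, meaning a disable/disabled state, a log-trap-timer of 0, or a suppress-rate of 0. The function name `audit` and the sample text are constructed for illustration; the sample reuses lines from the example outputs on this page.

```python
import re

# Constructed sample: lines reused from the example outputs above, blank lines dropped.
SAMPLE = """\
ARP anti-attack packet-check configuration:
-------------------------------------------------------------------------------
Sender-MAC checking function: disable
-------------------------------------------------------------------------------
ARP gateway-duplicate anti-attack function: disabled
ARP anti-attack log-trap-timer: 0 second(s)
ARP anti-attack entry-check mode:
Vlanif      Mode
All         send-ack
ARP speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
10.1.1.1            100
Others              0
ARP miss speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
All                 500
"""

def audit(text):
    """Return one finding per protection the output reports as switched off."""
    findings, section = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue                                    # blank line or table rule
        if line.endswith(":"):
            section = line.rstrip(" :")                 # section or sub-block header
            continue
        kv = re.fullmatch(r"([^:]+):\s*(\S+).*", line)  # "name: value" lines
        if kv:
            name, value = kv.groups()
            if value.startswith("disable") or ("log-trap-timer" in name and value == "0"):
                findings.append(f"{name}: {value}")
            continue
        cols = line.split()
        if len(cols) != 2:
            continue                                    # column headings, counters, config echo
        key, value = cols
        if "speed-limit" in section and value == "0":
            findings.append(f"{section}: {key} suppress-rate 0")
        elif "entry-check" in section and value == "disabled":
            findings.append(f"{section}: {key} disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The rate-limit sections echo configured commands rather than a state column, so this check does not evaluate them.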

Copyright © Huawei Technologies Co., Ltd.