arp check-destination-ip enable

Function

The arp check-destination-ip enable command enables destination address check for ARP packets.

The undo arp check-destination-ip enable command disables destination address check for ARP packets.

By default, destination address check for ARP packets is disabled.

Format

arp check-destination-ip enable

undo arp check-destination-ip enable

Parameters

None

Views

100GE sub-interface view, 100GE interface view, 10G LAN interface view, 10G WAN interface view, 25GE sub-interface view, 25GE interface view, 40GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, GE optical interface view, GE electrical interface view, Global VE sub-interface view, VBDIF interface view, VE sub-interface view, VLANIF interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name     Operations
cpu-defend    write

Usage Guidelines

Usage Scenario

The destination address check for the ARP packet can be enabled on all ARP-supported interfaces.

Attackers on networks send ARP packets with nonexistent destination IP addresses to cause high CPU usage on devices, affecting valid services. To resolve this problem, run the arp check-destination-ip enable command to enable destination address check for ARP packets.

After destination address check is enabled for ARP packets on a device, the device searches for a routing entry based on the VPN instance (VPN instance value of 0 if no VPN instance is bound to the interface) and destination IP address of an ARP packet.

  • If a routing entry is found, the device checks whether it refers to a local or direct route.
      • If it refers to a local or direct route, the ARP packet passes the destination address check and is considered valid.
      • If it does not refer to a local or direct route, the ARP packet fails the destination address check and is considered invalid.
  • If no routing entry is found, the ARP packet fails the destination address check and is considered invalid.

A device simply drops an invalid packet to prevent high CPU usage and protect valid services.
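The decision procedure described above, modelled as an added Python example (not Huawei code). The routing table, route-type names, and the longest-prefix-match lookup are assumptions made for illustration, and all sample data is constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    vpn: int     # VPN instance value; 0 = no VPN instance bound to the interface
    prefix: str  # destination prefix
    kind: str    # "local", "direct", or a protocol name such as "static"

# Constructed sample routing table (not taken from a real device).
ROUTES = [
    Route(0, "10.1.1.1/32", "local"),
    Route(0, "10.1.1.0/24", "direct"),
    Route(0, "0.0.0.0/0", "static"),
    Route(7, "192.168.5.0/24", "direct"),
]

def lookup(routes, vpn, dst) -> Optional[Route]:
    """Longest-prefix match within one VPN instance (assumed lookup rule)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes
            if r.vpn == vpn and addr in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen,
               default=None)

def check_destination_ip(routes, vpn, target_ip):
    """Return (valid, reason) for the destination IP of an ARP packet."""
    route = lookup(routes, vpn, target_ip)
    if route is None:
        return False, "no routing entry"
    if route.kind in ("local", "direct"):
        return True, f"{route.kind} route {route.prefix}"
    return False, f"{route.kind} route {route.prefix} is not local/direct"

def filter_arp(routes, packets):
    """Split (vpn, target_ip) ARP packets into passed and dropped lists."""
    passed, dropped = [], []
    for vpn, ip in packets:
        ok, _ = check_destination_ip(routes, vpn, ip)
        (passed if ok else dropped).append((vpn, ip))
    return passed, dropped

if __name__ == "__main__":
    # Constructed ARP packets as (VPN instance, destination IP).
    sample = [(0, "10.1.1.1"), (0, "10.1.1.77"), (0, "203.0.113.9"),
              (7, "10.1.1.77"), (7, "192.168.5.20")]
    for vpn, ip in sample:
        print(vpn, ip, check_destination_ip(ROUTES, vpn, ip))
```

Note that in this model a destination covered only by a default or other non-direct route is still rejected, and the same IP can pass in one VPN instance and fail in another.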

Example

# Enable the destination address check of the ARP packet on Eth-Trunk1.
<HUAWEI> system-view
[~HUAWEI] interface Eth-Trunk1
[*HUAWEI-Eth-Trunk1] arp check-destination-ip enable
Copyright © Huawei Technologies Co., Ltd.