F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Command Reference-6PW100

Default
The port is an ARP untrusted port.
Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Default command level
2: System level
Examples
# Configure GigabitEthernet 0/1 as an ARP trusted port.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] arp detection trust
arp detection validate
Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line.
Use undo arp detection validate to disable ARP packet validity check. If you do not specify any keyword, this command deletes all objects.
Syntax
arp detection validate { dst-mac | ip | src-mac } *
undo arp detection validate [ dst-mac | ip | src-mac ] *
Default
ARP packet validity check is disabled.
Views
System view
Default command level
2: System level
Parameters
dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests are checked.
src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is considered valid. Otherwise, the packet is discarded.
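The three checks above, modelled as a standalone filter over constructed Ethernet/ARP frames. This is an added illustration of the documented semantics, not H3C/HP code; build_arp and arp_detection_validate are hypothetical helper names, and the MAC/IP values are constructed.

```python
import struct
import ipaddress

# Constructed frame layouts for this illustration (not H3C/HP code).
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
MAC_ZERO, MAC_ONES = b"\x00" * 6, b"\xff" * 6


def _bad_ip(packed: bytes) -> bool:
    """All-zero, all-one or multicast addresses are invalid under the ip keyword."""
    return packed in (b"\x00" * 4, b"\xff" * 4) or ipaddress.IPv4Address(packed).is_multicast


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Build a constructed Ethernet+ARP frame (MACs as 6 bytes, IPs as dotted strings)."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, sha, ipaddress.IPv4Address(spa).packed,
        tha, ipaddress.IPv4Address(tpa).packed)


def arp_detection_validate(frame, dst_mac=False, ip=False, src_mac=False):
    """Return the enabled checks the frame fails; an empty list means the frame is forwarded."""
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return ["not-arp"]
    _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    failed = []
    # src-mac: sender MAC in the ARP body must equal the Ethernet source MAC.
    if src_mac and sha != eth_src:
        failed.append("src-mac")
    # dst-mac: replies only; target MAC must not be all-zero/all-one and must
    # match the Ethernet destination MAC.
    if dst_mac and op == ARP_REPLY and (tha in (MAC_ZERO, MAC_ONES) or tha != eth_dst):
        failed.append("dst-mac")
    # ip: sender IP checked on requests and replies, target IP on replies only.
    if ip and (_bad_ip(spa) or (op == ARP_REPLY and _bad_ip(tpa))):
        failed.append("ip")
    return failed


if __name__ == "__main__":
    gw, host, rogue = (bytes.fromhex(h) for h in ("001122334455", "66778899aabb", "ccddeeff0011"))
    # Constructed reply whose ARP sender MAC does not match the Ethernet source MAC.
    spoof = build_arp(host, rogue, ARP_REPLY, gw, "10.0.0.1", host, "10.0.0.20")
    print(arp_detection_validate(spoof, dst_mac=True, ip=True, src_mac=True))  # → ['src-mac']
```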
Examples
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
<Sysname> system-view