arp detection

Syntax

arp detection id-number { permit | deny } ip { any | ip-address [ ip-address-mask ] } mac { any | mac-address [ mac-address-mask ] } [ vlan vlan-id ]

undo arp detection id-number

Views

System view

Default level

2: System level

Parameters

id-number: Specifies the ID of the rule, in the range of 0 to 511. A smaller ID indicates a higher priority.

deny: Denies ARP packets matching the rule.

permit: Permits ARP packets matching the rule.

ip { any | ip-address [ ip-address-mask ] }: Specifies an IP address range for matching sender IP addresses of ARP packets.

mac { any | mac-address [ mac-address-mask ] }: Specifies a MAC address range for matching sender MAC addresses of ARP packets.

vlan vlan-id: Specifies the VLAN where the rule applies. The vlan-id argument is in the range of 1 to 4094.

Description

Use arp detection to set a rule for user validity check.

Use undo arp detection to remove a user validity check rule.

By default, no rule is set for user validity check.

User validity check inspects each ARP packet received on an ARP untrusted interface against the configured rules, starting with the highest-priority (lowest-ID) rule. If a match is found, the ARP packet is processed according to the matching rule. If no rule matches, the device checks the packet, in turn, against static IP Source Guard binding entries, DHCP snooping entries, 802.1X security entries, and OUI MAC addresses. Because rules are consulted before any binding entry, a broad permit rule (for example, one with mac any over a whole subnet) allows sender IP/MAC pairs that the binding entries would otherwise not validate.

Related command: arp detection enable.
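The following simulation walks the check described above on constructed ARP packets: rule priority by ID, masked IP/MAC matching, the VLAN qualifier, and the fall-through to binding entries. It is an added example, not Comware code, and it assumes four things the page does not state explicitly: a mask bit of 1 selects a bit that must match (consistent with the page's "3.1.1.1 255.255.0.0" example), rules are evaluated in ascending ID order with the first match deciding, a packet matching nothing is discarded, and an OUI entry matches the first 24 bits of the sender MAC. The sample rules and binding entries are constructed for the demonstration.

```python
"""Simulation of the ARP user validity check (added example, not Comware code).
Assumed, not stated on the page: mask bit 1 = compared bit; ascending-ID
evaluation, first match wins; no match anywhere = discard; OUI = top 24 bits."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def mac_to_int(text: str) -> int:
    """Parse Comware MAC notation such as '0001-0203-0607' or 'ffff-ffff-0000'."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {text}")
    return int(digits, 16)


@dataclass(frozen=True)
class Rule:
    """One 'arp detection id-number { permit | deny } ip ... mac ... [ vlan ]' rule."""
    id_number: int                      # 0-511, lower ID = higher priority
    action: str                         # "permit" or "deny"
    ip: Optional[str] = None            # None stands for the 'any' keyword
    ip_mask: str = "255.255.255.255"    # assumed host mask when none is given
    mac: Optional[str] = None           # None stands for the 'any' keyword
    mac_mask: str = "ffff-ffff-ffff"    # assumed full mask when none is given
    vlan: Optional[int] = None          # None: rule applies in every VLAN

    def __post_init__(self) -> None:
        if not 0 <= self.id_number <= 511:
            raise ValueError("id-number must be 0-511")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.vlan is not None and not 1 <= self.vlan <= 4094:
            raise ValueError("vlan-id must be 1-4094")

    def matches(self, sender_ip: str, sender_mac: str, vlan: int) -> bool:
        if self.vlan is not None and self.vlan != vlan:
            return False
        if self.ip is not None:   # compare only the bits set in the mask
            mask = int(ipaddress.IPv4Address(self.ip_mask))
            if int(ipaddress.IPv4Address(sender_ip)) & mask != int(ipaddress.IPv4Address(self.ip)) & mask:
                return False
        if self.mac is not None:
            mask = mac_to_int(self.mac_mask)
            if mac_to_int(sender_mac) & mask != mac_to_int(self.mac) & mask:
                return False
        return True


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int
    untrusted_port: bool = True   # only ARP untrusted interfaces are inspected


Binding = Tuple[str, str, int]    # (sender IP, sender MAC, VLAN)


def user_validity_check(pkt: ArpPacket, rules: Sequence[Rule],
                        static_ipsg: Sequence[Binding], dhcp_snooping: Sequence[Binding],
                        dot1x: Sequence[Binding], oui_macs: Sequence[str]) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'permit' or 'deny'."""
    if not pkt.untrusted_port:
        return "permit", "trusted interface: not inspected"
    for rule in sorted(rules, key=lambda r: r.id_number):   # lowest ID first
        if rule.matches(pkt.sender_ip, pkt.sender_mac, pkt.vlan):
            return rule.action, f"rule {rule.id_number}"
    # No rule matched: consult the binding tables in the order the page lists them.
    key = (pkt.sender_ip, mac_to_int(pkt.sender_mac), pkt.vlan)
    for name, table in (("static IP Source Guard", static_ipsg),
                        ("DHCP snooping", dhcp_snooping), ("802.1X", dot1x)):
        if any((ip, mac_to_int(mac), vlan) == key for ip, mac, vlan in table):
            return "permit", f"{name} entry"
    if (mac_to_int(pkt.sender_mac) >> 24) in {mac_to_int(o) >> 24 for o in oui_macs}:
        return "permit", "OUI MAC address"
    return "deny", "no rule or entry matched (assumed discard)"


# Constructed data: the page's example rule plus a lower-priority deny rule in VLAN 1.
RULES = [
    Rule(0, "permit", ip="3.1.1.1", ip_mask="255.255.0.0",
         mac="0001-0203-0607", mac_mask="ffff-ffff-0000"),
    Rule(1, "deny", ip="3.1.9.9", vlan=1),
]
DHCP_ENTRIES = [("10.0.0.5", "00aa-bbcc-dd01", 1)]   # constructed DHCP snooping entry


def demo() -> dict:
    """Run constructed packets through the check; returns name -> (decision, reason)."""
    packets = {
        "masked_match": ArpPacket("3.1.200.7", "0001-0203-ffff", 1),   # rule 0 via masks
        "priority":     ArpPacket("3.1.9.9", "0001-0203-0001", 1),     # rule 0 beats rule 1
        "deny_rule":    ArpPacket("3.1.9.9", "0001-0204-ffff", 1),     # rule 0 MAC fails, rule 1
        "mac_mismatch": ArpPacket("3.1.200.7", "0001-0204-ffff", 1),   # nothing matches
        "dhcp_binding": ArpPacket("10.0.0.5", "00aa-bbcc-dd01", 1),    # binding entry
        "spoofed":      ArpPacket("10.0.0.5", "00aa-bbcc-dd99", 1),    # wrong MAC for IP
    }
    return {n: user_validity_check(p, RULES, [], DHCP_ENTRIES, [], []) for n, p in packets.items()}


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:13s} -> {decision:6s} ({reason})")
```

The "priority" case is the one to study: the packet would be denied by rule 1, but rule 0 matches first and permits it, so when you add a deny rule for a specific host make sure no lower-numbered permit rule already covers it.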

Examples

# Set a rule for user validity check and enable user validity check.

<Sysname> system-view
[Sysname] arp detection 0 permit ip 3.1.1.1 255.255.0.0 mac 0001-0203-0607 ffff-ffff-0000
[Sysname] vlan 1
[Sysname-Vlan1] arp detection enable