arp detection rule
Use arp detection rule to configure a user validity check rule.
Use undo arp detection rule to delete a user validity check rule.
Syntax
arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] | any } [ vlan vlan-id ]
undo arp detection rule [ rule-id ]
Default
No user validity check rule is configured.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
rule-id: Assigns an ID to the user validity check rule. The ID value range is 0 to 511. A smaller value represents a higher priority: an ARP packet is checked against the rules in ascending ID order, and the first rule it matches determines whether the packet is permitted or denied.
deny: Denies matching ARP packets.
permit: Permits matching ARP packets.
ip { ip-address [ mask ] | any }: Specifies the sender IP address as the match criterion.
ip-address: Specifies an IP address in dotted decimal notation.
mask: Specifies the address mask in dotted decimal notation. If you do not specify the mask, the ip-address argument specifies a host IP address.
any: Matches any IP address.
mac { mac-address [ mask ] | any }: Specifies the sender MAC address as the match criterion.
mac-address: Specifies a MAC address in the H-H-H format.
mask: Specifies the MAC address mask in the H-H-H format. If you do not specify the mask, the mac-address argument specifies a single host MAC address.
any: Matches any MAC address.
vlan vlan-id: Specifies the VLAN to which the rule applies. The value range for the vlan-id argument is 1 to 4094. If you do not specify a VLAN, the VLAN information of the packets is not checked.
Usage guidelines
A user validity check rule takes effect only when ARP attack detection is enabled.
If you do not specify a rule ID, the undo arp detection rule command deletes all user validity check rules.
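The following Python model is added here as an illustration of how the parameters above combine to match an ARP packet; it is not part of the device software. It shows that rules are tried in ascending rule-id order, that an omitted mask means an exact host match, that any matches everything, and that an omitted vlan is not checked. The rule lines, packet fields and the check_arp function are constructed for this example. What the device does when no rule matches is not stated on this page, so the model returns None in that case and leaves that decision to the caller.

```python
"""Model of 'arp detection rule' matching (added illustration, not device code).

Rules are evaluated in ascending rule-id order (smaller id = higher priority);
the first rule whose ip, mac and vlan criteria all match decides permit/deny.
Masks are network-style: the bits set to 1 in the mask are compared.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IP_HOST_MASK = 0xFFFFFFFF
MAC_HOST_MASK = 0xFFFFFFFFFFFF


def parse_mac(hhh: str) -> int:
    """Convert H-H-H notation (e.g. 0001-0203-0405) to a 48-bit integer."""
    parts = hhh.lower().split("-")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"bad H-H-H MAC address: {hhh}")
    return int("".join(parts), 16)


def parse_ip(dotted: str) -> int:
    """Convert dotted decimal notation to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    ip: Optional[int]      # None means 'any'
    ip_mask: int
    mac: Optional[int]     # None means 'any'
    mac_mask: int
    vlan: Optional[int]    # None means the VLAN is not checked


def parse_rule(line: str) -> Rule:
    """Parse one 'arp detection rule ...' command line as given in this reference."""
    tok = line.split()
    if tok[:3] != ["arp", "detection", "rule"] or len(tok) < 9:
        raise ValueError(f"not an arp detection rule line: {line}")
    rule_id = int(tok[3])
    if not 0 <= rule_id <= 511:
        raise ValueError("rule-id must be in the range 0 to 511")
    action = tok[4]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    if tok[5] != "ip":
        raise ValueError("expected 'ip' keyword")
    i = 6
    if tok[i] == "any":
        ip, ip_mask, i = None, 0, i + 1
    else:
        ip, i = parse_ip(tok[i]), i + 1
        # A second dotted-decimal token before 'mac' is the mask; none means host match.
        if tok[i] != "mac":
            ip_mask, i = parse_ip(tok[i]), i + 1
        else:
            ip_mask = IP_HOST_MASK
    if tok[i] != "mac":
        raise ValueError("expected 'mac' keyword")
    i += 1
    if tok[i] == "any":
        mac, mac_mask, i = None, 0, i + 1
    else:
        mac, i = parse_mac(tok[i]), i + 1
        # A second H-H-H token before 'vlan' (or end of line) is the mask.
        if i < len(tok) and tok[i] != "vlan":
            mac_mask, i = parse_mac(tok[i]), i + 1
        else:
            mac_mask = MAC_HOST_MASK
    vlan = None
    if i < len(tok):
        if tok[i] != "vlan" or i + 1 >= len(tok):
            raise ValueError("expected 'vlan vlan-id'")
        vlan = int(tok[i + 1])
        if not 1 <= vlan <= 4094:
            raise ValueError("vlan-id must be in the range 1 to 4094")
        i += 2
    if i != len(tok):
        raise ValueError(f"unexpected trailing tokens: {tok[i:]}")
    return Rule(rule_id, action, ip, ip_mask, mac, mac_mask, vlan)


def matches(rule: Rule, sender_ip: int, sender_mac: int, vlan_id: int) -> bool:
    """True if the ARP packet's sender IP, sender MAC and VLAN satisfy every criterion."""
    if rule.ip is not None and (sender_ip & rule.ip_mask) != (rule.ip & rule.ip_mask):
        return False
    if rule.mac is not None and (sender_mac & rule.mac_mask) != (rule.mac & rule.mac_mask):
        return False
    if rule.vlan is not None and rule.vlan != vlan_id:
        return False
    return True


def check_arp(rule_lines: List[str], sender_ip: str, sender_mac: str, vlan_id: int) -> Optional[str]:
    """Return 'permit' or 'deny' from the first matching rule (lowest rule-id first).

    Returns None when no rule matches; this page does not define the device's
    behaviour for that case, so the caller decides (assumption of this model).
    """
    rules = sorted((parse_rule(l) for l in rule_lines), key=lambda r: r.rule_id)
    ip, mac = parse_ip(sender_ip), parse_mac(sender_mac)
    for rule in rules:
        if matches(rule, ip, mac, vlan_id):
            return rule.action
    return None


# Constructed rule set: rule 0 is the one from this page's example; rules 1 and 2
# are added to show host matching, 'any', VLAN scoping and rule-id priority.
SAMPLE_RULES = [
    "arp detection rule 1 deny ip 10.1.1.1 mac any",
    "arp detection rule 0 permit ip 10.1.1.1 255.255.0.0 mac 0001-0203-0405 ffff-ffff-0000",
    "arp detection rule 2 deny ip any mac 0001-0203-0405 vlan 2",
]

if __name__ == "__main__":
    # Listed out of order on purpose: rule 0 still wins because it has the smaller id.
    print(check_arp(SAMPLE_RULES, "10.1.1.1", "0001-0203-0405", 2))    # permit
    print(check_arp(SAMPLE_RULES, "10.1.1.1", "00aa-bbcc-ddee", 2))    # deny (rule 1)
    print(check_arp(SAMPLE_RULES, "10.2.5.5", "0001-0203-0405", 3))    # None (rule 2 is VLAN 2 only)
```

Note that the mask here is a network-style mask (1 bits are compared), so 10.1.1.1 with 255.255.0.0 covers the whole 10.1.0.0/16 range and 0001-0203-0405 with ffff-ffff-0000 covers every MAC address beginning with 0001-0203. Because rules are applied in rule-id order, a specific deny such as rule 1 needs a lower id than any broader permit it is meant to override.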
Examples
# Configure user validity check rule 0, which permits ARP packets whose sender IP address is in 10.1.0.0/16 (10.1.1.1 with mask 255.255.0.0) and whose sender MAC address begins with 0001-0203 (mask ffff-ffff-0000), and enable ARP detection for VLAN 2.
<Sysname> system-view
[Sysname] arp detection rule 0 permit ip 10.1.1.1 255.255.0.0 mac 0001-0203-0405 ffff-ffff-0000
[Sysname] vlan 2
[Sysname-vlan2] arp detection enable
Related commands
arp detection enable