
arp validate

Function

The arp validate command enables an interface to check the received Address Resolution Protocol (ARP) packet to determine whether the source MAC address and destination MAC address in the Ethernet packet header are respectively the same as those in the Data field of the ARP packet.

The undo arp validate command disables the function.

By default, consistency is not checked for ARP packets.

Format

arp validate { source-mac | destination-mac } *

undo arp validate { source-mac | destination-mac } *

Parameters

Parameter: source-mac
Description: Indicates that an interface checks the received ARP packet to determine whether the source MAC address in the Ethernet packet header is the same as that in the Data field of the ARP packet.
Value: -

Parameter: destination-mac
Description: Indicates that an interface checks the received ARP packet to determine whether the destination MAC address in the Ethernet packet header is the same as that in the Data field of the ARP packet.
Value: -

Views

Ethernet interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

On the metro Ethernet, there are various ARP attacks. To protect the network, you need to configure ARP security features at the access layer or convergence layer of the network to protect against ARP attacks.

If there are ARP spoofing attacks on the network, you can run the arp validate command to enable an interface to check the received ARP packet to determine whether the source MAC address and destination MAC address in the Ethernet packet header are respectively the same as those in the Data field of the ARP packet. If they are not the same, the ARP packet is discarded. If they are the same, the ARP packet is forwarded.

When running the arp validate command, note the following:
  • If source-mac is specified:
    • After receiving an ARP Request packet, an interface only checks whether the source MAC address in the Ethernet packet header is consistent with that in the Data field of the ARP packet.
    • After receiving an ARP Response packet, an interface only checks whether the source MAC address in the Ethernet packet header is consistent with that in the Data field of the ARP packet.
  • If destination-mac is specified:
    • After receiving an ARP Request packet, an interface does not check whether the destination MAC address in the Ethernet packet header is consistent with that in the Data field of the ARP packet, because ARP Request packets are broadcast packets.
    • After receiving an ARP Response packet, an interface only checks whether the destination MAC address in the Ethernet packet header is consistent with that in the Data field of the ARP packet.
  • If both source-mac and destination-mac are specified:
    • After receiving an ARP Request packet, an interface only checks whether the source MAC address in the Ethernet packet header is consistent with that in the Data field of the ARP packet.
    • After receiving an ARP Response packet, an interface checks whether both the source MAC address and destination MAC address in the Ethernet packet header are respectively the same as those in the Data field of the ARP packet.
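The per-opcode checks listed above, written out as a small filter over raw Ethernet/ARP frames. This is an added illustration, not Huawei code; the frames and MAC addresses are constructed, and the handling of truncated or non-Ethernet ARP bodies (dropped) is an assumption the page does not state.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # Ethernet: dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # ARP: htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

def arp_validate(frame: bytes, source_mac: bool, destination_mac: bool) -> bool:
    """Return True to forward the frame, False to discard it.

    source-mac: Ethernet source MAC must equal the ARP sender address (Request and Reply).
    destination-mac: Ethernet destination MAC must equal the ARP target address, but only
    for Replies; a Request is broadcast, so its Ethernet destination is never compared.
    Non-ARP frames are not subject to the check and pass through.
    """
    if len(frame) < ETH_HDR.size:
        return False                               # assumption: truncated frame is dropped
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return True
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return False                               # assumption: truncated ARP body is dropped
    _, _, hlen, _, op, sha, _, tha, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if hlen != 6:
        return False                               # assumption: non-Ethernet hlen is dropped
    if source_mac and eth_src != sha:
        return False
    if destination_mac and op == ARP_REPLY and eth_dst != tha:
        return False
    return True

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Assemble an Ethernet/ARP frame from raw fields (used here only to build samples)."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

# Constructed sample addresses and frames, not captured traffic
MAC_A, MAC_B, MAC_C = (bytes.fromhex(h) for h in ("0011aa000001", "0011aa000002", "0011aa000003"))
IP_A, IP_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
GOOD_REQUEST = build_arp(BROADCAST, MAC_A, ARP_REQUEST, MAC_A, IP_A, b"\0" * 6, IP_B)
GOOD_REPLY = build_arp(MAC_A, MAC_B, ARP_REPLY, MAC_B, IP_B, MAC_A, IP_A)
SPOOFED_SRC_REPLY = build_arp(MAC_A, MAC_C, ARP_REPLY, MAC_B, IP_B, MAC_A, IP_A)  # eth src != sha
BAD_DST_REPLY = build_arp(MAC_C, MAC_B, ARP_REPLY, MAC_B, IP_B, MAC_A, IP_A)      # eth dst != tha

if __name__ == "__main__":
    for name, f in [("request", GOOD_REQUEST), ("reply", GOOD_REPLY),
                    ("spoofed-src reply", SPOOFED_SRC_REPLY), ("bad-dst reply", BAD_DST_REPLY)]:
        verdict = "forward" if arp_validate(f, True, True) else "discard"
        print(f"{name:18s} source-mac destination-mac -> {verdict}")
```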

On the FW, the MAC address of a logical interface, such as a sub-interface and a VLANIF interface, is the same as that of the physical interface where the logical interface is configured.

  • The arp validate command cannot be run on sub-interfaces. When a sub-interface receives an ARP packet, the main interface where the sub-interface is configured checks the ARP packet to determine whether the destination MAC address in the Ethernet packet header is the same as that in the Data field of the ARP packet. If they are the same, the sub-interface forwards the ARP packet. If they are not the same, the sub-interface discards the ARP packet.
  • The arp validate command cannot be run on VLANIF interfaces. When a VLANIF interface receives an ARP packet, the physical interface that belongs to the VLAN for which the VLANIF interface is configured checks the ARP packet to determine whether the destination MAC address in the Ethernet packet header is the same as that in the Data field of the ARP packet. If they are the same, the VLANIF interface forwards the ARP packet. If they are not the same, the VLANIF interface discards the ARP packet.

Example

# Enable GigabitEthernet 0/0/1 to check the received ARP packet to determine whether the source MAC address and destination MAC address in the Ethernet packet header are respectively the same as those in the Data field of the ARP packet.

<sysname> system-view
[sysname] interface GigabitEthernet 0/0/1
[sysname-GigabitEthernet 0/0/1] arp validate source-mac destination-mac
Copyright © Huawei Technologies Co., Ltd.