arp detection rule
Use arp detection rule to configure a user validity check rule.
Use undo arp detection rule to delete a user validity check rule.
Syntax
arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] | any } [ vlan vlan-id ]
undo arp detection rule [ rule-id ]
Default
No user validity check rule is configured.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
rule-id: Assigns an ID to the user validity check rule. The ID value range is 0 to 511. A smaller value represents a higher priority.
deny: Denies matching ARP packets.
permit: Permits matching ARP packets.
ip { ip-address [ mask ] | any }: Specifies the sender IP address as the match criterion.
• ip-address: Specifies an IP address in dotted decimal notation.
• mask: Specifies the address mask in dotted decimal notation. If you do not specify the mask, the ip-address argument specifies a host IP address.
• any: Matches any IP address.
mac { mac-address [ mask ] | any }: Specifies the sender MAC address as the match criterion.
• mac-address: Specifies a MAC address in the H-H-H format.
• mask: Specifies the MAC address mask in the H-H-H format. If you do not specify the mask, the mac-address argument specifies a host MAC address.
• any: Matches any MAC address.
vlan vlan-id: Specifies the ID of a VLAN in the specified rule. The value range for the vlan-id argument is 1 to 4094. If you do not specify a VLAN, the packets' VLAN information is not checked.
Usage guidelines
A user validity check rule takes effect only when ARP attack detection is enabled.
If you do not specify a rule ID, the undo arp detection rule command deletes all user validity check rules.
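The following is an added worked example, not code from the command reference or from the device vendor. It parses command lines written in the arp detection rule syntax above into rule objects and evaluates an ARP packet's sender IP, sender MAC and VLAN against them, so the effect of masks, the any keyword, the optional vlan and rule-id priority can be seen on sample input. The match semantics are my reading of the parameter descriptions (a mask selects the bits that must be equal, an omitted mask means an exact host match, a rule without vlan ignores the VLAN, and the lowest rule-id wins); the function names, the SAMPLE_RULES set and every address and VLAN other than the reference's own example line are constructed for this illustration.

```python
# Added example (not from the command reference): parse "arp detection rule"
# lines and evaluate an ARP packet's sender fields against them. The match
# semantics below are my reading of the parameter text: a mask selects the
# bits that must match, no mask = exact host, "any" matches everything, a
# rule without vlan ignores the VLAN, and a smaller rule-id has priority.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

HOST_IP_MASK = 0xFFFFFFFF        # implied when ip-address is given without a mask
HOST_MAC_MASK = 0xFFFFFFFFFFFF   # implied when mac-address is given without a mask


def parse_ipv4(text: str) -> int:
    """Dotted-decimal IPv4 address or mask -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_hhh_mac(text: str) -> int:
    """MAC address or mask in H-H-H format (e.g. 0001-0203-0405) -> 48-bit integer."""
    parts = text.lower().split("-")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"not an H-H-H MAC address: {text}")
    return int("".join(parts), 16)


@dataclass(frozen=True)
class Rule:
    rule_id: int            # 0 to 511; a smaller value has higher priority
    action: str             # "permit" or "deny"
    ip: Optional[int]       # None for "ip any"
    ip_mask: int
    mac: Optional[int]      # None for "mac any"
    mac_mask: int
    vlan: Optional[int]     # None when no vlan was given: VLAN is not checked

    def matches(self, sender_ip: str, sender_mac: str, vlan_id: int) -> bool:
        """True when sender IP, sender MAC and VLAN all satisfy this rule."""
        if self.vlan is not None and self.vlan != vlan_id:
            return False
        ip = parse_ipv4(sender_ip)
        if self.ip is not None and (ip & self.ip_mask) != (self.ip & self.ip_mask):
            return False
        mac = parse_hhh_mac(sender_mac)
        if self.mac is not None and (mac & self.mac_mask) != (self.mac & self.mac_mask):
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse one line of the form documented above:
    arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any }
    mac { mac-address [ mask ] | any } [ vlan vlan-id ]"""
    t = line.split()
    if t[:3] != ["arp", "detection", "rule"] or len(t) < 9:
        raise ValueError(f"not a complete arp detection rule command: {line}")
    rule_id, action = int(t[3]), t[4]
    if not 0 <= rule_id <= 511:
        raise ValueError("rule-id must be in the range 0 to 511")
    if action not in ("deny", "permit"):
        raise ValueError("action must be deny or permit")

    def address(i, keyword, parse, host_mask, next_kw):
        """Consume '<keyword> { addr [ mask ] | any }' at t[i]; return (addr, mask, i)."""
        if i >= len(t) or t[i] != keyword:
            raise ValueError(f"expected '{keyword}' keyword")
        i += 1
        if i >= len(t):
            raise ValueError(f"missing {keyword} address")
        if t[i] == "any":
            return None, 0, i + 1
        addr, mask, i = parse(t[i]), host_mask, i + 1
        if i < len(t) and t[i] != next_kw:   # an explicit mask follows the address
            mask, i = parse(t[i]), i + 1
        return addr, mask, i

    ip, ip_mask, i = address(5, "ip", parse_ipv4, HOST_IP_MASK, "mac")
    mac, mac_mask, i = address(i, "mac", parse_hhh_mac, HOST_MAC_MASK, "vlan")
    vlan = None
    if i < len(t):                           # optional [ vlan vlan-id ]
        if t[i] != "vlan" or i + 1 >= len(t):
            raise ValueError("expected 'vlan vlan-id'")
        vlan, i = int(t[i + 1]), i + 2
        if not 1 <= vlan <= 4094:
            raise ValueError("vlan-id must be in the range 1 to 4094")
    if i != len(t):
        raise ValueError(f"unexpected trailing tokens: {' '.join(t[i:])}")
    return Rule(rule_id, action, ip, ip_mask, mac, mac_mask, vlan)


def evaluate(rules: List[Rule], sender_ip: str, sender_mac: str,
             vlan_id: int, detection_enabled: bool = True) -> Optional[str]:
    """Action of the highest-priority (lowest rule-id) matching rule. Returns None
    when no rule matches, or when ARP detection is disabled, since the rules only
    take effect when it is enabled. Handling of unmatched packets is beyond this example."""
    if not detection_enabled:
        return None
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(sender_ip, sender_mac, vlan_id):
            return rule.action
    return None


# Constructed sample rule set. The first line is the reference's own example;
# rule 10 is listed before rule 5 on purpose: rule-id, not entry order, decides.
SAMPLE_RULES = [parse_rule(line) for line in (
    "arp detection rule 0 permit ip 10.1.1.1 255.255.0.0 mac 0001-0203-0405 ffff-ffff-0000",
    "arp detection rule 10 permit ip 10.2.2.2 mac any vlan 2",
    "arp detection rule 5 deny ip any mac any vlan 2",
)]
```

With SAMPLE_RULES, a sender 10.1.200.7 / 0001-0203-aaaa is permitted by rule 0 in any VLAN (the masks only compare the 10.1.0.0/16 prefix and the first 32 bits of the MAC, and rule 0 has no vlan), while a sender 10.2.2.2 in VLAN 2 is denied: rule 0 fails on the IP prefix, and rule 5 is evaluated before the more specific permit in rule 10 because of its smaller rule-id. The same 10.2.2.2 sender in VLAN 3 matches no rule at all.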
Examples
# Configure a user validity check rule and enable ARP detection for VLAN 2.
<Sysname> system-view
[Sysname] arp detection rule 0 permit ip 10.1.1.1 255.255.0.0 mac 0001-0203-0405 ffff-ffff-0000
[Sysname] vlan 2