ARP Detection Configuration
show anti attack check config

\[command]

show anti attack check config

\[purpose] View the ARP detection configuration.

\[view] System view

```
sonic# show anti attack check config
+-------------+--------------+----------------------+
| interface   | check mode   | trusted interfaces   |
+=============+==============+======================+
+-------------+--------------+----------------------+
```

arp anti attack check {enable|trusted}

\[command]

arp anti attack check {enable|trusted}

no arp anti attack check {enable|trusted}

\[purpose] Enable ARP detection on the interface.

\[view] Interface view

\[usage scenario] After the ARP snooping detection feature is enabled, the device compares the source IP and source MAC of each received ARP packet against the snooping table entries and user bind table entries. If a match is found, the user associated with the ARP packet is a legitimate user, and ARP packets from this user are permitted to pass. Otherwise, the user is considered unauthorized and the ARP packet is discarded. When multiple VLANs are bound to an interface, enabling arp anti attack check trusted causes all VLAN packets entering that interface to be trusted.

\[notes] The arp anti attack check enable and arp anti attack check trusted settings cannot be enabled simultaneously on the same interface.

```
sonic(config)# interface ethernet 1
sonic(config if 1)# arp anti attack check enable
```

arp anti attack check enable

\[command]

arp anti attack check enable

no arp anti attack check enable

\[purpose] Enable the ARP detection function.

\[view] VLAN view, interface view

\[usage scenario] After the ARP snooping detection function is enabled, the device compares the source IP and source MAC of each received ARP packet against the snooping table entries and user bind table entries. If an entry matches, the user of the ARP packet is a legitimate user and the ARP packet is allowed to pass. Otherwise, the user is considered illegal and the ARP packet is dropped.

```
sonic(config)# vlan 100
sonic(config vlan 100)# arp anti attack check enable
```

arp anti attack check trusted interface

\[command]

arp anti attack check trust interface ethernet interface id

no arp anti attack check trust interface ethernet interface id

\[purpose] Configure ARP detection trusted ports.

\[view] VLAN view

\[usage scenario] After this command is issued, the device no longer compares the source IP, source MAC, interface, and other information in ARP packets received on the port with the information in the binding table, and ARP packets from this user are allowed to pass through.

\[notes] When a port is configured as an ARP detection trusted port, ARP packets received on it are not inspected and are permitted to pass through unchecked.

```
sonic(config)# vlan 1
sonic(config if 1)# arp anti attack check trust interface ethernet 2
```
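The permit/drop decision described in the usage scenarios above, written as a small Python model. This is an added example, not the device's implementation: the class and field names, the table layout and the sample entries are constructed, and passing ARP when no check is configured is an assumption.

```python
# Simplified model of the ARP detection decision described on this page.
# Added illustration: not device code. Names, table layout and the sample
# entries are constructed; "permit when no check is configured" is an assumption.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:                      # one snooping / user bind table entry
    ip: str
    mac: str
    interface: str

@dataclass
class ArpDetection:
    bindings: set = field(default_factory=set)
    if_mode: dict = field(default_factory=dict)       # interface -> "enable" | "trusted"
    vlan_enabled: set = field(default_factory=set)    # VLANs with the check enabled
    vlan_trusted: dict = field(default_factory=dict)  # VLAN -> trusted interfaces

    def set_interface_mode(self, interface, mode):
        # [notes]: enable and trusted cannot coexist on one interface.
        current = self.if_mode.get(interface)
        if current not in (None, mode):
            raise ValueError(f"{interface} is already in mode {current!r}")
        self.if_mode[interface] = mode

    def verdict(self, src_ip, src_mac, vlan, interface):
        # Trusted ports are never inspected; interface-level trust covers every VLAN.
        if self.if_mode.get(interface) == "trusted":
            return "permit"
        if interface in self.vlan_trusted.get(vlan, ()):
            return "permit"
        checked = self.if_mode.get(interface) == "enable" or vlan in self.vlan_enabled
        if not checked:
            return "permit"         # assumption: feature off, nothing enforced
        # Checked port: source IP, source MAC and interface must hit a table entry.
        hit = Binding(src_ip, src_mac, interface) in self.bindings
        return "permit" if hit else "drop"

def demo():
    d = ArpDetection()
    d.bindings.add(Binding("192.0.2.10", "02:00:00:00:00:10", "Ethernet1"))
    d.set_interface_mode("Ethernet1", "enable")
    d.vlan_trusted[1] = {"Ethernet2"}
    return [
        d.verdict("192.0.2.10", "02:00:00:00:00:10", 100, "Ethernet1"),  # bound host
        d.verdict("192.0.2.10", "02:00:00:00:00:66", 100, "Ethernet1"),  # MAC mismatch
        d.verdict("192.0.2.1", "02:00:00:00:00:66", 1, "Ethernet2"),     # trusted port
    ]
```

The third case passes even though no binding exists for that sender, which is why the trusted setting belongs only on ports whose ARP traffic is already validated elsewhere, such as uplinks.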
