ARP Detection Configuration

[Command] show anti-attack-check config

[Purpose] View ARP detection configuration

[View] System view

sonic# show anti-attack-check config
+-------------+--------------+----------------------+
| Interface   | Check mode   | Trusted interfaces   |
+=============+==============+======================+
+-------------+--------------+----------------------+

[Command] arp anti-attack-check {enable|trusted}
          no arp anti-attack-check {enable|trusted}

[Purpose] Enable ARP detection on the interface

[View] Interface View

[Usage Scenario] After the ARP Snooping detection feature is enabled, the device compares the source IP and source MAC of each received ARP packet against the snooping table entries and User-bind table entries. If a match is found, the user that sent the ARP packet is considered legitimate and the ARP packet is permitted to pass. Otherwise, the user is considered unauthorized and the ARP packet is discarded. When multiple VLANs are bound to an interface, enabling arp anti-attack-check trusted causes packets from all VLANs entering that interface to be trusted.

[Notes] The arp anti-attack-check enable and arp anti-attack-check trusted settings cannot be enabled simultaneously on the same interface.

sonic(config)# interface ethernet 1
sonic(config-if-1)# arp anti-attack-check enable

[Command] arp anti-attack-check enable
          no arp anti-attack-check enable

[Purpose] Enable the ARP detection function

[View] VLAN view, Interface view

[Usage Scenario] After the ARP Snooping detection function is enabled, the device compares the source IP and source MAC of each received ARP packet against the snooping table entries and User-bind table entries. If a match is found, the user that sent the ARP packet is a legitimate user and the ARP packet is allowed to pass. Otherwise, the user is considered an illegal user and the ARP packet is dropped.

sonic(config)# vlan 100
sonic(config-vlan-100)# arp anti-attack-check enable

[Command] arp anti-attack-check trust interface ethernet interface_id
          no arp anti-attack-check trust interface ethernet interface_id

[Purpose] Configure ARP Detection Trusted Ports

[View] VLAN view

[Usage Scenario] After this command is issued, the device no longer compares the source IP, source MAC, interface, and other information in ARP packets received on the port against the binding table, and those ARP packets are allowed to pass.

[Notes] When configured as an ARP detection trusted port, ARP packets received on this port will not be inspected and will be permitted to pass through unchecked.

sonic(config)# vlan 1
sonic(config-vlan-1)# arp anti-attack-check trust interface ethernet 2
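
The checks described in the sections above, modeled in Python as an added example; it is not part of the original documentation and is not the device's implementation. The Binding and Config classes, inspect_arp, the precedence order (trusted port first, then interface or VLAN enablement, then binding lookup) and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:  # one snooping-table or User-bind entry (hypothetical model)
    ip: str
    mac: str

@dataclass
class Config:
    if_mode: dict = field(default_factory=dict)       # port -> "enable" | "trusted"
    vlan_enabled: set = field(default_factory=set)    # VLANs with the check enabled
    vlan_trusted: dict = field(default_factory=dict)  # vlan -> set of trusted ports

    def set_if_mode(self, port, mode):
        # Page note: enable and trusted cannot both be set on one interface.
        if self.if_mode.get(port, mode) != mode:
            raise ValueError(f"ethernet {port}: enable and trusted are mutually exclusive")
        self.if_mode[port] = mode

def inspect_arp(cfg, bindings, port, vlan, src_ip, src_mac):
    """Return (verdict, reason) for an ARP packet received on port/vlan."""
    # Assumed precedence: a trusted port bypasses inspection entirely.
    if cfg.if_mode.get(port) == "trusted" or port in cfg.vlan_trusted.get(vlan, set()):
        return "permit", "trusted port, not inspected"
    if cfg.if_mode.get(port) != "enable" and vlan not in cfg.vlan_enabled:
        return "permit", "detection not enabled"
    if Binding(src_ip, src_mac.lower()) in bindings:
        return "permit", "matches binding entry"
    return "drop", "no matching binding entry"

# Constructed sample data (not from the page).
BINDINGS = {Binding("10.0.100.1", "00:11:22:33:44:01"),   # gateway
            Binding("10.0.100.20", "00:11:22:33:44:20")}  # host
CFG = Config(vlan_enabled={100}, vlan_trusted={100: {2}})
CFG.set_if_mode(1, "enable")

def demo():
    forged = ("10.0.100.1", "de:ad:be:ef:00:01")  # gateway IP paired with an unbound MAC
    return [
        inspect_arp(CFG, BINDINGS, 1, 100, "10.0.100.20", "00:11:22:33:44:20"),
        inspect_arp(CFG, BINDINGS, 1, 100, *forged),
        inspect_arp(CFG, BINDINGS, 2, 100, *forged),  # same packet on a trusted port
        inspect_arp(CFG, BINDINGS, 3, 200, *forged),  # port and VLAN without the check
    ]

if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:6} {reason}")
```

The third result shows the same forged packet passing on a trusted port, which is the behaviour the [Notes] above describe for ARP detection trusted ports.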