ARP Detection Configuration

[Command] show anti-attack-check config

[Purpose] View ARP detection configuration

[View] System view

[Use Cases]

sonic# show anti-attack-check config
+--------------+--------------+
| Interfaces | Check mode |
+==============+==============+
| Vlan43 | true |
+--------------+--------------+

[Command] arp anti-attack-check enable

no arp anti-attack-check enable

[Purpose] Enable the ARP detection function of the interface

[View] VLAN view

[Notes] After the ARP Snooping detection function is enabled, the device compares the source IP and source MAC of each received ARP packet against the snooping table entries and the User-bind table entries. If a matching entry is found, the sender is treated as a legitimate user and the ARP packet is allowed to pass; otherwise the sender is treated as an illegal user and the ARP packet is dropped.

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# arp anti-attack-check enable

[Command] arp anti-attack-check trusted-interface vlan VLAN-ID

no arp anti-attack-check trusted-interface vlan VLAN-ID

[Purpose] Configure ARP detection trusted ports

[View] VLAN view

[Notes] After a port is configured as an ARP detection trusted port, ARP packets received on this port are not checked and are all allowed to pass.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# arp anti-attack-check trusted-interface vlan 10

[Command] arp anti-attack-check alarm enable

arp anti-attack-check alarm threshold alarm_threshold

[Purpose] Enable the packet inspection alarm function

[View] Interface view

[Notes] When this feature is enabled, a log is recorded once the number of packets discarded on the device by the packet inspection function exceeds the alarm threshold.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# arp anti-attack-check alarm enable
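
The following Python model is an added example, not code from the device or its vendor. It shows how the three behaviours described in the notes above fit together: the binding check, the trusted-port bypass and the drop alarm. The table layout, the names `ArpChecker`, `parse_arp` and `make_arp`, the sample addresses, the per-port drop counter and the handling of malformed packets are all assumptions made for illustration.

```python
import struct
from collections import Counter

# Constructed sample data; the (vlan, ip) -> mac layout is an assumption.
SNOOPING_TABLE = {(100, "10.0.100.5"): "aa:bb:cc:00:00:05"}
USER_BIND_TABLE = {(100, "10.0.100.9"): "aa:bb:cc:00:00:09"}
TRUSTED_PORTS = {(100, "Ethernet1")}  # (vlan, port) pairs exempt from checking
ALARM_THRESHOLD = 2                   # constructed value

def parse_arp(payload: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa = payload[8:14], payload[14:18]
    return ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

def make_arp(mac: str, ip: str, op: int = 1) -> bytes:
    """Build a constructed ARP payload (target fields zeroed) for testing."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + bytes(10)

class ArpChecker:
    def __init__(self):
        self.drops = Counter()  # dropped packets per port
        self.alarms = []        # log lines recorded by the alarm function

    def check(self, vlan: int, port: str, payload: bytes) -> str:
        # Trusted port: packets are not checked and always pass.
        if (vlan, port) in TRUSTED_PORTS:
            return "pass"
        try:
            mac, ip = parse_arp(payload)
        except ValueError:
            mac = ip = None     # assumption: malformed packets are dropped
        # A hit in either table marks the sender as legitimate (assumption).
        tables = (SNOOPING_TABLE, USER_BIND_TABLE)
        if mac and any(t.get((vlan, ip)) == mac for t in tables):
            return "pass"
        self.drops[port] += 1
        # Record one log line when the drop count first exceeds the threshold.
        if self.drops[port] == ALARM_THRESHOLD + 1:
            self.alarms.append(f"{port}: ARP check drops exceeded {ALARM_THRESHOLD}")
        return "drop"
```

The model makes the trade-off of a trusted port visible: a spoofed sender IP/MAC pair that is dropped on an ordinary port passes unchecked on a trusted one, so trusted status belongs only on ports facing infrastructure that is itself validated.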