IP Services Volume Organization

Similar documents
Command Manual (For Soliton) IP Address-IP Performance. Table of Contents

Table of Contents 1 IP Address Configuration Commands IP Performance Configuration Commands 2-1

Table of Contents 1 IP Address Configuration Commands IP Performance Configuration Commands 2-1

IP performance optimization

tcp ipv6 timer fin-timeout 40 tcp ipv6 timer syn-timeout 40 tcp ipv6 window 41

HP FlexFabric 5930 Switch Series

Command Manual Network Protocol. Table of Contents

Contents. IP addressing configuration commands 1 display ip interface 1 display ip interface brief 3 ip address 5

HPE FlexNetwork 5510 HI Switch Series

HPE 5920 & 5900 Switch Series

HPE FlexNetwork 5510 HI Switch Series

H3C S3100V2 Switch Series

H3C S5120-HI Switch Series

HPE FlexFabric 7900 Switch Series

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

Operation Manual IP Addressing and IP Performance H3C S5500-SI Series Ethernet Switches. Table of Contents

H3C S3100V2-52TP Switch

Table of Contents 1 IP Addressing Configuration IP Performance Configuration 2-1

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

H3C S5130-HI Switch Series

H3C S5500-HI Switch Series

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

Table of Contents 1 IPv6 Basics Configuration 1-1

H3C S5500-HI Switch Series

H3C SR6600 Routers. Layer 3 IP Services. Command Reference. Hangzhou H3C Technologies Co., Ltd.

Operation Manual IPv6 H3C S3610&S5510 Series Ethernet Switches Table of Contents. Table of Contents

Configuring IPv6 basics

H3C S12500 Series Routing Switches

Operation Manual ARP H3C S5500-SI Series Ethernet Switches. Table of Contents

IPv4 and IPv6 Commands

H3C SecPath Series High-End Firewalls

Configuring ARP attack protection 1

Portal configuration commands

H3C S6800 Switch Series

Configuring ARP attack protection 1

Table of Contents. 2 Static Route Configuration Commands 2-1 Static Route Configuration Commands 2-1 delete static-routes all 2-1 ip route-static 2-1

HPE FlexNetwork MSR Router Series

ARP attack protection commands

HP 6125 Blade Switch Series

Operation Manual - Network and Routing Protocol. Table of Contents

Configuring attack detection and prevention 1

HP 5120 SI Switch Series

HP 3600 v2 Switch Series

Configuring attack detection and prevention 1

Configuring Routes on the ACE

K2289: Using advanced tcpdump filters

H3C S10500 Attack Protection Configuration Examples

HPE FlexFabric 5940 Switch Series

H3C S6800 Switch Series

Command Manual IPv4 Routing H3C S3610&S5510 Series Ethernet Switches. Table of Contents

HP A5830 Switch Series Layer 3 - IP Services. Configuration Guide. Abstract

HP A3100 v2 Switch Series

IPv6 Neighbor Discovery

Extended ACL Configuration Mode Commands

H3C S5560S-EI & S5130S-HI[EI] & S5110V2 & S3100V3-EI Switch Series

HP FlexFabric 5930 Switch Series

ICS 451: Today's plan

Operation Manual IPv4 Routing H3C S3610&S5510 Series Ethernet Switches. Table of Contents

Configuring IPv6 for Gigabit Ethernet Interfaces

Configuring IP Services

Chapter 6 Global CONFIG Commands

HP High-End Firewalls

H3C S5120-EI Switch Series

Network Protocol Configuration Commands

Configuring IP Services

History Page. Barracuda NextGen Firewall F

TCP /IP Fundamentals Mr. Cantu

IPv6 Neighbor Discovery

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

Configuring IPv4. Finding Feature Information. This chapter contains the following sections:

Command Manual MAC Address Table Management H3C S5500-EI Series Ethernet Switches. Table of Contents

Chapter 4 Software-Based IP Access Control Lists (ACLs)

CHAPTER-2 IP CONCEPTS

IPv6 Neighbor Discovery

Table of Contents 1 Ethernet Interface Configuration Commands 1-1

Troubleshooting DHCP server configuration 28

H3C S6520XE-HI Switch Series

Dongsoo S. Kim Electrical and Computer Engineering Indiana U. Purdue U. Indianapolis

H

H3C S5130-HI Switch Series

HP FlexFabric 5700 Switch Series

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

TCP/IP Protocol Suite

IPv4. Christian Grothoff.

H3C S6300 Switch Series

H3C S12500-X & S12500X-AF Switch Series

Loopback detection configuration commands

Table of Contents 1 Static Routing Configuration RIP Configuration 2-1

TCP/IP Networking. Part 4: Network and Transport Layer Protocols

H3C S5120-EI Switch Series

IPv6 Commands: ipv6 h to ipv6 mi

CS 457 Lecture 11 More IP Networking. Fall 2011

Configuring DHCP Features and IP Source Guard

CPSC 826 Internetworking. The Network Layer: Routing & Addressing Outline. The Network Layer

IP Routing Volume Organization

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Operation Manual DHCP H3C S5500-SI Series Ethernet Switches. Table of Contents. Table of Contents

H

HP High-End Firewalls

Transcription:

IP Services Volume Organization Manual Version 6W100-20090626 Product Version Release 1102 Organization The IP Services Volume is organized as follows: Features IP Address IP Performance Optimization ARP DHCP DNS An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document introduces the commands for IP address configuration In some network environments, you need to adjust the IP parameters to achieve best network performance. This document introduces the commands for: Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network Configuring TCP Attributes Configuring ICMP to Send Error Packets Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. This document introduces the commands for: Configuring ARP Configuring Gratuitous ARP ARP Attack Defense configuration DHCP is built on a client-server model, in which the client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client. This document introduces the commands for: DHCP Client configuration DHCP Snooping configuration BOOTP Client configuration Used in the TCP/IP application, Domain Name System (DNS) is a distributed database which provides the translation between domain name and the IP address. This document introduces the commands for Configuring the DNS Client

Features FTP and TFTP The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network. The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP. This document introduces the commands for: FTP Configuration TFTP Configuration

Table of Contents 1 IP Addressing Configuration Commands 1-1 IP Addressing Configuration Commands 1-1 display ip interface 1-1 display ip interface brief 1-3 ip address 1-4 i

1 IP Addressing Configuration Commands IP Addressing Configuration Commands display ip interface display ip interface [ interface-type interface-number ] Any view 1: Monitor level interface-type interface-number: Specifies an interface by its type and number. Use the display ip interface command to display information about a specified or all Layer 3 interfaces. # Display information about interface VLAN-interface 1. <Sysname> display ip interface vlan-interface 1 Vlan-interface1 current state : DOWN Line protocol current state : DOWN Internet Address is 1.1.1.1/8 Primary Broadcast address : 1.255.255.255 The Maximum Transmit Unit : 1500 bytes input packets : 0, bytes : 0, multicasts : 0 output packets : 0, bytes : 0, multicasts : 0 ARP packet input number: 0 Request packet: 0 Reply packet: 0 Unknown packet: 0 TTL invalid packet number: 0 ICMP packet input number: 0 Echo reply: 0 Unreachable: 0 Source quench: 0 Routing redirect: 0 Echo request: 0 1-1

Router advert: 0 Router solicit: 0 Time exceed: 0 IP header bad: 0 Timestamp request: 0 Timestamp reply: 0 Information request: 0 Information reply: 0 Netmask request: 0 Netmask reply: 0 Unknown type: 0 Table 1-1 display ip interface command output description Field current state Line protocol current state Internet Address Broadcast address The Maximum Transmit Unit input packets, bytes, multicasts output packets, bytes, multicasts ARP packet input number: Request packet: Reply packet: Unknown packet: TTL invalid packet number Current physical state of the interface, which can be Administrative DOWN: Indicates that the interface is administratively down; that is, the interface is shut down with the shutdown command. DOWN: Indicates that the interface is administratively up but its physical state is down, which may be caused by a connection or link failure. UP: Indicates that both the administrative and physical states of the interface are up. Current state of the link layer protocol, which can be DOWN: Indicates that the protocol state of the interface is down, which is usually because that no IP address is assigned to the interface. UP: Indicates that the protocol state of the interface is up. IP address of an interface followed by: Primary: Identifies a primary IP address, or Sub: Identifies a secondary IP address. Broadcast address of the subnet attached to an interface Maximum transmission units on the interface, in bytes Unicast packets, bytes, and multicast packets received on an interface (the statistics start at the device startup) Total number of ARP packets received on the interface (the statistics start at the device startup), including ARP request packets ARP reply packets Unknown packets Number of TTL-invalid packets received on the interface (the statistics start at the device startup) 1-2

Field ICMP packet input number: Echo reply: Unreachable: Source quench: Routing redirect: Echo request: Router advert: Router solicit: Time exceed: IP header bad: Timestamp request: Timestamp reply: Information request: Information reply: Netmask request: Netmask reply: Unknown type: Total number of ICMP packets received on the interface (the statistics start at the device startup), including the following packets: Echo reply packets Unreachable packets Source quench packets Routing redirect packets Echo request packets Router advertisement packets Router solicitation packets Time exceeded packets IP header bad packets Timestamp request packets Timestamp reply packets Information request packets Information reply packets Netmask request packets Netmask reply packets Unknown type packets display ip interface brief display ip interface brief [ interface-type [ interface-number ] ] Any view 1: Monitor level interface-type: Interface type. interface-number: Interface number. Use the display ip interface brief command to display brief information about a specified or all Layer 3 interfaces. Without the interface type and interface number specified, the information about all Layer 3 interfaces is displayed; with only the interface type specified, the information about all Layer 3 interfaces of the specified type is displayed; with both the interface type and interface number specified, only the information about the specified interface is displayed. Related commands: display ip interface. # Display brief information about VLAN interfaces. 1-3

<Sysname> display ip interface brief vlan-interface *down: administratively down (s): spoofing Interface Physical Protocol IP Address Vlan-interface1 up up 6.6.6.6 Vlan-inte... Vlan-interface2 up up 7.7.7.7 VLAN2 Table 1-2 display ip interface brief command output description Field *down: administratively down (s) : spoofing Interface Physical Protocol IP Address The interface is administratively shut down with the shutdown command. Spoofing attribute of the interface. It indicates that an interface whose network layer protocol is displayed up may have no link present or the link is set up only on demand. Interface name Physical state of the interface, which can be *down: Indicates that the interface is administratively down; that is, the interface is shut down with the shutdown command. down: Indicates that the interface is administratively up but its physical state is down, which may be caused by a connection or link failure. up: Indicates that both the administrative and physical states of the interface are up. Link layer protocol state of the interface, which can be down: Indicates that the protocol state of the interface is down, which is usually because that no IP address is assigned to the interface. up: Indicates that the protocol state of the interface is up. IP address of the interface (If no IP address is configured, unassigned is displayed.) Interface description information, for which at most 12 characters can be displayed. If there are more that 12 characters, only the first nine characters are displayed. ip address ip address ip-address { mask mask-length } [ sub ] undo ip address [ ip-address { mask mask-length } [ sub ] ] Interface view 1-4

ip-address: IP address of interface, in dotted decimal notation. mask: Subnet mask in dotted decimal notation. mask-length: Subnet mask length, the number of consecutive ones in the mask. sub: Secondary IP address for the interface. Use the ip address command to assign an IP address and mask to the interface. Use the undo ip address command to remove all IP addresses from the interface. Use the undo ip address ip-address { mask mask-length } command to remove the primary IP address. Use the undo ip address ip-address { mask mask-length } sub command to remove a secondary IP address. By default, no IP address is assigned to any interface. When assigning IP addresses to an interface, consider the following: You can assign only one primary IP address to an interface. The primary and secondary IP addresses can be located in the same network segment. Before removing the primary IP address, remove all secondary IP addresses. You cannot assign a secondary IP address to the interface that is configured to obtain one through BOOTP, or DHCP. Related commands: display ip interface. # Assign VLAN-interface 1 a primary IP address 129.12.0.1 and a secondary IP address 202.38.160.1, with subnet masks being 255.255.255.0. [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] ip address 129.12.0.1 255.255.255.0 [Sysname-Vlan-interface1] ip address 202.38.160.1 255.255.255.0 sub 1-5

Table of Contents 1 IP Performance Optimization Configuration Commands 1-1 IP Performance Optimization Configuration Commands 1-1 display fib 1-1 display fib ip-address 1-3 display icmp statistics 1-4 display ip socket 1-5 display ip statistics 1-8 display tcp statistics 1-9 display tcp status 1-12 display udp statistics 1-12 ip forward-broadcast (interface view) 1-14 ip forward-broadcast (system view) 1-14 ip redirects enable 1-15 ip ttl-expires enable 1-16 ip unreachables enable 1-16 reset ip statistics 1-17 reset tcp statistics 1-17 reset udp statistics 1-18 tcp anti-naptha enable 1-18 tcp state 1-19 tcp syn-cookie enable 1-20 tcp timer check-state 1-20 tcp timer fin-timeout 1-21 tcp timer syn-timeout 1-22 tcp window 1-22 i

1 IP Performance Optimization Configuration Commands IP Performance Optimization Configuration Commands display fib display fib [ { begin include exclude } regular-expression acl acl-number ip-prefix ip-prefix-name ] Any view 1: Monitor level : Uses a regular expression to match FIB entries. For detailed information about regular expression, refer to CLI display in Basic System Configuration in the System Volume. begin: Displays the first entry that matches the specified regular expression and all the FIB entries following it. exclude: Displays the FIB entries that do not match the specified regular expression. include: Displays the FIB entries that match the specified regular expression. regular-expression: A case-sensitive string of 1 to 256 characters, excluding spaces. acl acl-number: Displays FIB entries matching a specified ACL numbered from 2000 to 2999. If the specified ACL does not exist, all FIB entries are displayed. ip-prefix ip-prefix-name: Displays FIB entries matching a specified IP prefix list, a string of 1 to 19 characters. If the specified IP prefix list does not exist, all FIB entries are displayed. Currently, the S5810 series Ethernet switches do not support the ip-prefix keyword. That is, they do not display FIB entries matching a specified IP prefix list. Use the display fib command to display FIB entries. If no parameters are specified, all FIB entries will be displayed. 1-1

# Display all FIB entries. <Sysname> display fib Destination count: 4 FIB entry count: 4 Flag: U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static R:Relay Destination/Mask Nexthop Flag OutInterface InnerLabel Token 10.2.0.0/16 10.2.1.1 U M-GE1/0/0 Null Invalid 10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid 127.0.0.0/8 127.0.0.1 U InLoop0 Null Invalid 127.0.0.1/32 127.0.0.1 UH InLoop0 Null Invalid # Display FIB information passing ACL 2000. [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.2.0.0 0.0.255.255 [Sysname-acl-basic-2000] display fib acl 2000 Destination count: 2 FIB entry count: 2 Flag: U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static R:Relay Destination/Mask Nexthop Flag OutInterface InnerLabel Token 10.2.0.0/16 10.2.1.1 U M-GE1/0/0 Null Invalid 10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid # Display all entries that contain the string 127 and start from the first one. <Sysname> display fib begin 127 Flag: U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static R:Relay Destination/Mask Nexthop Flag OutInterface InnerLabel Token 10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid 127.0.0.0/8 127.0.0.1 U InLoop0 Null Invalid 127.0.0.1/32 127.0.0.1 UH InLoop0 Null Invalid Table 1-1 display fib command output description Field Destination count FIB entry count Destination/Mask Total number of destination addresses Total number of FIB entries Destination address/length of mask 1-2

Field Nexthop Flag OutInterface InnerLabel Token Address of next hop Flags of routes: U Usable route G Gateway route H Host route B Blackhole route D Dynamic route S Static route R Relay route Outbound interface Inner label LSP index number display fib ip-address display fib ip-address [ mask mask-length ] Any view 1: Monitor level ip-address: Destination IP address, in dotted decimal notation. mask: IP address mask. mask-length: Length of IP address mask. Use the display fib ip-address command to display FIB entries that match the specified destination IP address. If no mask or mask length is specified, the FIB entry that matches the destination IP address and has the longest mask will be displayed; if the mask is specified, the FIB entry that exactly matches the specified destination IP address will be displayed. # Display the FIB entries that match the destination IP address of 10.2.1.1. <Sysname> display fib 10.2.1.1 Destination count: 1 FIB entry count: 1 Flag: U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static 1-3

R:Relay Destination/Mask Nexthop Flag OutInterface InnerLabel Token 10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid For description about the above output, refer to Table 1-1. display icmp statistics display icmp statistics Any view 1: Monitor level None Use the display icmp statistics command to display ICMP statistics. Related commands: display ip interface in IP Addressing Commands of the IP Services Volume; reset ip statistics. # Display ICMP statistics. <Sysname> display icmp statistics Input: bad formats 0 bad checksum 0 echo 5 destination unreachable 0 source quench 0 redirects 0 echo reply 10 parameter problem 0 timestamp 0 information request 0 mask requests 0 mask replies 0 time exceeded 0 Output:echo 10 destination unreachable 0 source quench 0 redirects 0 echo reply 5 parameter problem 0 timestamp 0 information reply 0 mask requests 0 mask replies 0 time exceeded 0 Table 1-2 display icmp statistics command output description Field bad formats bad checksum Number of input wrong format packets Number of input wrong checksum packets 1-4

Field echo destination unreachable source quench redirects echo reply parameter problem timestamp information request mask requests mask replies information reply time exceeded Number of input/output echo packets Number of input/output destination unreachable packets Number of input/output source quench packets Number of input/output redirection packets Number of input/output replies Number of input/output parameter problem packets Number of input/output time stamp packets Number of input information request packets Number of input/output mask requests Number of input/output mask replies Number of output information reply packets Number of input/output expiration packets display ip socket display ip socket [ socktype sock-type ] [ task-id socket-id ] Any view 1: Monitor level socktype sock-type: Displays the socket information of this type. The sock type is in the range 1 to 3, corresponding to TCP, UDP and raw IP respectively. task-id: Displays the socket information of this task. Task ID is in the range 1 to 150. socket-id: Displays the information of the socket. Socket ID is in the range 0 to 3072. Use the display ip socket command to display socket information. # Display the TCP socket information. <Sysname> display ip socket SOCK_STREAM: Task = VTYD(38), socketid = 1, Proto = 6, LA = 0.0.0.0:23, FA = 0.0.0.0:0, sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_REUSEPORT SO_SENDVPNID(3073) SO_SETKEEPALIVE, 1-5

socket state = SS_PRIV SS_ASYNC Task = HTTP(36), socketid = 1, Proto = 6, LA = 0.0.0.0:80, FA = 0.0.0.0:0, sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, socket option = SO_ACCEPTCONN SO_REUSEPORT, socket state = SS_PRIV SS_NBIO Task = ROUT(69), socketid = 10, Proto = 6, LA = 0.0.0.0:179, FA = 192.168.1.45:0, sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, socket option = SO_ACCEPTCONN SO_REUSEADDR SO_REUSEPORT SO_SENDVPNID(0), socket state = SS_PRIV SS_ASYNC Task = VTYD(38), socketid = 4, Proto = 6, LA = 192.168.1.40:23, FA = 192.168.1.52:1917, sndbuf = 8192, rcvbuf = 8192, sb_cc = 237, rb_cc = 0, socket option = SO_KEEPALIVE SO_OOBINLINE SO_REUSEPORT SO_SENDVPNID(0) SO_SETKEEPALIVE, socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC Task = VTYD(38), socketid = 3, Proto = 6, LA = 192.168.1.40:23, FA = 192.168.1.84:1503, sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, socket option = SO_KEEPALIVE SO_OOBINLINE SO_REUSEPORT SO_SENDVPNID(0) SO_SETKEEPALIVE, socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC Task = ROUT(69), socketid = 11, Proto = 6, LA = 192.168.1.40:1025, FA = 192.168.1.45:179, sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, socket option = SO_REUSEADDR SO_LINGER SO_SENDVPNID(0), socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC SOCK_DGRAM: Task = NTPT(37), socketid = 1, Proto = 17, LA = 0.0.0.0:123, FA = 0.0.0.0:0, sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0, socket option = SO_UDPCHECKSUM SO_SENDVPNID(3073), socket state = SS_PRIV Task = AGNT(51), socketid = 1, Proto = 17, LA = 0.0.0.0:161, FA = 0.0.0.0:0, sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0, socket option = SO_UDPCHECKSUM SO_SENDVPNID(3073), socket state = SS_PRIV SS_NBIO SS_ASYNC Task = RDSO(56), socketid = 1, Proto = 17, LA = 0.0.0.0:1024, FA = 0.0.0.0:0, 1-6

sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0, socket option = SO_UDPCHECKSUM, socket state = SS_PRIV Task = TRAP(52), socketid = 1, Proto = 17, LA = 0.0.0.0:1025, FA = 0.0.0.0:0, sndbuf = 9216, rcvbuf = 0, sb_cc = 0, rb_cc = 0, socket option = SO_UDPCHECKSUM, socket state = SS_PRIV Task = RDSO(56), socketid = 2, Proto = 17, LA = 0.0.0.0:1812, FA = 0.0.0.0:0, sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0, socket option = SO_UDPCHECKSUM, socket state = SS_PRIV SOCK_RAW: Task = ROUT(69), socketid = 8, Proto = 89, LA = 0.0.0.0, FA = 0.0.0.0, sndbuf = 262144, rcvbuf = 262144, sb_cc = 0, rb_cc = 0, socket option = SO_SENDVPNID(0) SO_RCVVPNID(0), socket state = SS_PRIV SS_ASYNC Task = ROUT(69), socketid = 3, Proto = 2, LA = 0.0.0.0, FA = 0.0.0.0, sndbuf = 32767, rcvbuf = 256000, sb_cc = 0, rb_cc = 0, socket option = SO_SENDVPNID(0) SO_RCVVPNID(0), socket state = SS_PRIV SS_NBIO SS_ASYNC Task = ROUT(69), socketid = 2, Proto = 103, LA = 0.0.0.0, FA = 0.0.0.0, sndbuf = 65536, rcvbuf = 256000, sb_cc = 0, rb_cc = 0, socket option = SO_SENDVPNID(0) SO_RCVVPNID(0), socket state = SS_PRIV SS_NBIO SS_ASYNC Task = ROUT(69), socketid = 1, Proto = 65, LA = 0.0.0.0, FA = 0.0.0.0, sndbuf = 32767, rcvbuf = 256000, sb_cc = 0, rb_cc = 0, socket option = 0, socket state = SS_PRIV SS_NBIO SS_ASYNC Task = RSVP(73), socketid = 1, Proto = 46, LA = 0.0.0.0, FA = 0.0.0.0, sndbuf = 4194304, rcvbuf = 4194304, sb_cc = 0, rb_cc = 0, socket option = 0, socket state = SS_PRIV SS_NBIO SS_ASYNC 1-7

Table 1-3 display ip socket command output description Field SOCK_STREAM SOCK_DGRAM SOCK_RAW Task socketid Proto LA FA sndbuf rcvbuf sb_cc rb_cc socket option socket state TCP socket UDP socket Raw IP socket Task number Socket ID Protocol number of the socket, indicating the protocol type that IP carries Local address and local port number Remote address and remote port number Sending buffer size of the socket, in bytes Receiving buffer size of the socket, in bytes Current data size in the sending buffer (It is available only for TCP that can buffer data) Data size currently in the receiving buffer Socket option Socket state display ip statistics display ip statistics Any view 1: Monitor level None Use the display ip statistics command to display statistics of IP packets. Related commands: display ip interface in IP Addressing Commands of the IP Services Volume; reset ip statistics. # Display statistics of IP packets. <Sysname> display ip statistics Input: sum 7120 local 112 bad protocol 0 bad format 0 1-8

bad checksum 0 bad options 0 Output: forwarding 0 local 27 dropped 0 no route 2 compress fails 0 Fragment:input 0 output 0 dropped 0 fragmented 0 couldn't fragment 0 Reassembling:sum 0 timeouts 0 Table 1-4 display ip statistics command output description Input: Output: Fragment: Reassembling Field sum local bad protocol bad format bad checksum bad options forwarding local dropped no route compress fails input output dropped fragmented couldn't fragment sum timeouts Total number of packets received Total number of packets with destination being local Total number of unknown protocol packets Total number of packets with incorrect format Total number of packets with incorrect checksum Total number of packets with incorrect option Total number of packets forwarded Total number of packets sent from the local Total number of packets discarded Total number of packets for which no route is available Total number of packets failed to be compressed Total number of fragments received Total number of fragments sent Total number of fragments dropped Total number of packets successfully fragmented Total number of packets that failed to be fragmented Total number of packets reassembled Total number of reassembly timeout fragments display tcp statistics display tcp statistics Any view 1: Monitor level 1-9

None Use the display tcp statistics command to display statistics of TCP traffic. Related commands: display tcp status, reset tcp statistics. # Display statistics of TCP traffic. <Sysname> display tcp statistics Received packets: Total: 8457 packets in sequence: 3660 (5272 bytes) window probe packets: 0, window update packets: 0 checksum error: 0, offset error: 0, short error: 0 duplicate packets: 1 (8 bytes), partially duplicate packets: 0 (0 bytes) out-of-order packets: 17 (0 bytes) packets of data after window: 0 (0 bytes) packets received after close: 0 ACK packets: 4625 (141989 bytes) duplicate ACK packets: 1702, too much ACK packets: 0 Sent packets: Total: 6726 urgent packets: 0 control packets: 21 (including 0 RST) window probe packets: 0, window update packets: 0 data packets: 6484 (141984 bytes) data packets retransmitted: 0 (0 bytes) ACK-only packets: 221 (177 delayed) Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0 Keepalive timeout: 1682, keepalive probe: 1682, Keepalive timeout, so connections disconnected : 0 Initiated connections: 0, accepted connections: 22, established connections: 22 Closed connections: 49 (dropped: 0, initiated dropped: 0) Packets dropped with MD5 authentication: 0 Packets permitted with MD5 authentication: 0 Table 1-5 display tcp statistics command output description Received packets: Total Field packets in sequence Total number of packets received Number of packets arriving in sequence 1-10

Sent packets: Field window probe packets window update packets checksum error offset error short error duplicate packets partially duplicate packets out-of-order packets packets of data after window packets received after close ACK packets duplicate ACK packets too much ACK packets Total urgent packets control packets window probe packets window update packets data packets data packets retransmitted ACK-only packets Number of window probe packets received Number of window update packets received Number of checksum error packets received Number of offset error packets received Number of received packets with length being too small Number of completely duplicate packets received Number of partially duplicate packets received Number of out-of-order packets received Number of packets outside the receiving window Number of packets that arrived after connection is closed Number of ACK packets received Number of duplicate ACK packets received Number of ACK packets for data unsent Total number of packets sent Number of urgent packets sent Number of control packets sent Number of window probe packets sent; in the brackets are resent packets Number of window update packets sent Number of data packets sent Number of data packets retransmitted Number of ACK packets sent; in brackets are delayed ACK packets Retransmitted timeout connections dropped in retransmitted timeout Keepalive timeout keepalive probe Keepalive timeout, so connections disconnected Initiated connections accepted connections established connections Closed connections Number of retransmission timer timeouts Number of connections broken due to retransmission timeouts Number of keepalive timer timeouts Number of keepalive probe packets sent Number of connections broken due to timeout of the keepalive timer Number of connections initiated Number of connections accepted Number of connections established Number of connections closed; in brackets are connections closed accidentally (before receiving SYN from the peer) and connections closed initiatively (after receiving SYN from the peer) 1-11

Field Packets dropped with MD5 authentication Packets permitted with MD5 authentication Number of packets dropped by MD5 authentication Number of packets permitted by MD5 authentication display tcp status display tcp status Any view 1: Monitor level None Use the display tcp status command to display status of all TCP connections for monitoring TCP connections. # Display status of all TCP connections. <Sysname> display tcp status *: TCP MD5 Connection TCPCB Local Add:port Foreign Add:port State 03e37dc4 0.0.0.0:4001 0.0.0.0:0 Listening 04217174 100.0.0.204:23 100.0.0.253:65508 Established Table 1-6 display tcp status command output description Field * TCPCB Local Add:port Foreign Add:port State If the status information of a TCP connection contains *, the TCP adopts the MD5 algorithm for authentication. TCP control block Local IP address and port number Remote IP address and port number State of the TCP connection display udp statistics display udp statistics 1-12

Any view 1: Monitor level None Use the display udp statistics command to display statistics of UDP packets. Related commands: reset udp statistics. # Display statistics of UDP packets. <Sysname> display udp statistics Received packets: Total: 0 checksum error: 0 shorter than header: 0, data length larger than packet: 0 unicast(no socket on port): 0 broadcast/multicast(no socket on port): 0 not delivered, input socket full: 0 input packets missing pcb cache: 0 Sent packets: Total: 0 Table 1-7 display udp statistics command output description Field Received packets: Sent packets: Total checksum error shorter than header data length larger than packet unicast(no socket on port) broadcast/multicast(no socket on port) not delivered, input socket full input packets missing pcb cache Total Total number of UDP packets received Total number of packets with incorrect checksum Number of packets with data shorter than head Number of packets with data longer than packet Number of unicast packets with no socket on port Number of broadcast/multicast packets without socket on port Number of packets not delivered to an upper layer due to a full socket cache Number of packets without matching protocol control block (PCB) cache Total number of UDP packets sent 1-13

ip forward-broadcast (interface view) ip forward-broadcast [ acl acl-number ] undo ip forward-broadcast Interface view acl acl-number: Access control list number, in the range 2000 to 3999. From 2000 to 2999 are numbers for basic ACLs, and from 3000 to 3999 are numbers for advanced ACLs. Only directed broadcasts permitted by the ACL can be forwarded. Use the ip forward-broadcast command to enable the interface to forward directed broadcasts to a directly-connected network. Use the undo ip forward-broadcast command to disable the interface from forwarding directed broadcasts to a directly-connected network. By default, an interface is disabled from forwarding directed broadcasts to a directly-connected network. # Enable VLAN-interface 2 to forward the directed broadcasts to a directly-connected network matching ACL 2001. [Sysname] interface vlan-interface 2 [Sysname-Vlan-interface2] ip forward-broadcast acl 2001 ip forward-broadcast (system view) ip forward-broadcast undo ip forward-broadcast System view None 1-14

Use the ip forward-broadcast command to enable the device to receive directed broadcasts. Use the undo ip forward-broadcast command to disable the device from receiving directed broadcasts. By default, the device is enabled from receiving directed broadcasts. Currently, this command is ineffective on the S5810 series Ethernet switches. That is, the switches cannot be disabled from receiving directed broadcasts. # Enable the device to receive directed broadcasts. [Sysname] ip forward-broadcast ip redirects enable ip redirects enable undo ip redirects System view None Use the ip redirects enable command to enable sending of ICMP redirection packets. Use the undo ip redirects command to disable sending of ICMP redirection packets. This feature is disabled by default. # Enable sending of ICMP redirect packets. [Sysname] ip redirects enable 1-15

ip ttl-expires enable ip ttl-expires enable undo ip ttl-expires System view None Use the ip ttl-expires enable command to enable sending of ICMP timeout packets. Use the undo ip ttl-expires command to disable sending of ICMP timeout packets. Sending ICMP timeout packets is disabled by default. If the feature is disabled, the device will not send TTL timeout ICMP packets, but still send reassembly timeout ICMP packets. # Enable sending of ICMP timeout packets. [Sysname] ip ttl-expires enable ip unreachables enable ip unreachables enable undo ip unreachables System view None Use the ip unreachables enable command to enable sending of ICMP destination unreachable packets. 1-16

Use the undo ip unreachables command to disable sending of ICMP destination unreachable packets. Sending ICMP destination unreachable packets is disabled by default. # Enable sending of ICMP destination unreachable packets. [Sysname] ip unreachables enable reset ip statistics reset ip statistics User view None Use the reset ip statistics command to clear statistics of IP packets. Related commands: display ip interface in IP Addressing Commands of the IP Services Volume; display ip statistics. # Clear statistics of IP packets. <Sysname> reset ip statistics reset tcp statistics reset tcp statistics User view None 1-17

Use the reset tcp statistics command to clear statistics of TCP traffic. Related commands: display tcp statistics. # Display statistics of TCP traffic. <Sysname> reset tcp statistics reset udp statistics reset udp statistics User view None Use the reset udp statistics command to clear statistics of UDP traffic. # Display statistics of UDP traffic. <Sysname> reset udp statistics tcp anti-naptha enable tcp anti-naptha enable undo tcp anti-naptha enable System view None Use the tcp anti-naptha enable command to enable the protection against Naptha attack. 1-18

Use the undo tcp anti-naptha enable command to disable the protection against Naptha attack. By default, the protection against Naptha attack is disabled. Note that the configurations made by using the tcp state and tcp timer check-state commands will be removed after the protection against Naptha attack is disabled. # Enable the protection against Naptha attack. [Sysname] tcp anti-naptha enable tcp state tcp state { closing established fin-wait-1 fin-wait-2 last-ack syn-received } connection-number number undo tcp state { closing established fin-wait-1 fin-wait-2 last-ack syn-received } connection-number System view closing: CLOSING state of a TCP connection. established: ESTABLISHED state of a TCP connection. fin-wait-1: FIN_WAIT_1 state of a TCP connection. fin-wait-2: FIN_WAIT_2 state of a TCP connection. last-ack: LAST_ACK state of a TCP connection. syn-received: SYN_RECEIVED state of a TCP connection. connected-number number: Maximum number of TCP connections in a certain state. The argument number is in the range of 0 to 500. Use the tcp state command to configure the maximum number of TCP connections in a state. When this number is exceeded, the aging of TCP connections in this state will be accelerated. Use the undo tcp state command to restore the default. By default, the maximum number of TCP connections in each state is 5. Note the following points: You need to enable the protection against Naptha attack before executing this command. Otherwise, an error will be prompted. You can respectively configure the maximum number of TCP connections in each state. 1-19

If the maximum number of TCP connections in a state is 0, the aging of TCP connections in this state will not be accelerated. Related commands: tcp anti-naptha enable. # Set the maximum number of TCP connections in the ESTABLISHED state to 100. [Sysname] tcp anti-naptha enable [Sysname] tcp state established connection-number 100 tcp syn-cookie enable tcp syn-cookie enable undo tcp syn-cookie enable System view None Use the tcp syn-cookie enable command to enable the SYN Cookie feature to protect the device against SYN Flood attacks. Use the undo tcp syn-cookie enable command to disable the SYN Cookie feature. By default, the SYN Cookie feature is disabled. # Enable the SYN Cookie feature. [Sysname] tcp syn-cookie enable tcp timer check-state tcp timer check-state time-value undo tcp timer check-state System view 1-20

time-value: TCP connection state check interval in seconds, in the range of 1 to 60. Use the tcp timer check-state command to configure the TCP connection state check interval. Use the undo tcp timer check-state command to restore the default. By default, the TCP connection state check interval is 30 seconds. The device periodically checks the number of TCP connections in each state. If it detects that the number of TCP connections in a state exceeds the maximum number, it will accelerate the aging of TCP connections in such a state. Note that you need to enable the protection against Naptha attack before executing this command. Otherwise, an error will be prompted. Related commands: tcp anti-naptha enable. Example # Set the TCP connection state check interval to 40 seconds. [Sysname] tcp anti-naptha enable [Sysname] tcp timer check-state 40 tcp timer fin-timeout tcp timer fin-timeout time-value undo tcp timer fin-timeout System view time-value: Length of the TCP finwait timer in seconds, in the range 76 to 3,600. Use the tcp timer fin-timeout command to configure the length of the TCP finwait timer. Use the undo tcp timer fin-timeout command to restore the default. By default, the length of the TCP finwait timer is 675 seconds. Note that the actual length of the finwait timer is determined by the following formula: 1-21

Actual length of the finwait timer = (Configured length of the finwait timer 75) + configured length of the synwait timer Related commands: tcp timer syn-timeout, tcp window. # Set the length of the TCP finwait timer to 800 seconds. [Sysname] tcp timer fin-timeout 800 tcp timer syn-timeout tcp timer syn-timeout time-value undo tcp timer syn-timeout System view time-value: TCP finwait timer in seconds, in the range 2 to 600. Use the tcp timer syn-timeout command to configure the length of the TCP synwait timer. Use the undo tcp timer syn-timeout command to restore the default. By default, the value of the TCP synwait timer is 75 seconds. Related commands: tcp timer fin-timeout, tcp window. # Set the length of the TCP synwait timer to 80 seconds. [Sysname] tcp timer syn-timeout 80 tcp window tcp window window-size undo tcp window System view 1-22

window-size: Size of the send/receive buffer in KB, in the range 1 to 32. Use the tcp window command to configure the size of the TCP send/receive buffer. Use the undo tcp window command to restore the default. The size of the TCP send/receive buffer is 8 KB by default. Related commands: tcp timer fin-timeout, tcp timer syn-timeout. # Configure the size of the TCP send/receive buffer as 3 KB. [Sysname] tcp window 3 1-23

Table of Contents 1 ARP Configuration Commands 1-1 ARP Configuration Commands 1-1 arp check enable 1-1 arp max-learning-num 1-1 arp static 1-2 arp timer aging 1-3 display arp 1-4 display arp ip-address 1-5 display arp timer aging 1-6 reset arp 1-6 Gratuitous ARP Configuration Commands 1-7 gratuitous-arp-sending enable 1-7 gratuitous-arp-learning enable 1-7 2 ARP Attack Defense Configuration Commands 2-1 ARP Source Suppression Configuration Commands 2-1 arp source-suppression enable 2-1 arp source-suppression limit 2-1 display arp source-suppression 2-2 ARP Active Acknowledgement Configuration Commands 2-3 arp anti-attack active-ack enable 2-3 Source MAC Address Based ARP Attack Detection Configuration Commands 2-4 arp anti-attack source-mac 2-4 arp anti-attack source-mac aging-time 2-4 arp anti-attack source-mac exclude-mac 2-5 arp anti-attack source-mac threshold 2-6 display arp anti-attack source-mac 2-6 ARP Packet Source MAC Address Consistency Check Configuration Commands 2-7 arp anti-attack valid-ack enable 2-7 ARP Packet Rate Limit Configuration Commands 2-8 arp rate-limit 2-8 ARP Detection Configuration Commands 2-8 arp detection enable 2-8 arp detection mode 2-9 arp detection static-bind 2-10 arp detection trust 2-10 arp detection validate 2-11 display arp detection 2-12 display arp detection statistics 2-12 reset arp detection statistics 2-13 i

1 ARP Configuration Commands ARP Configuration Commands arp check enable arp check enable undo arp check enable System view None Use the arp check enable command to enable ARP entry check. With this function enabled, the device cannot learn any ARP entry with a multicast MAC address. Configuring such a static ARP entry is not allowed either; otherwise, the system displays error messages. Use the undo arp check enable command to disable the function. After the ARP entry check is disabled, the device can learn the ARP entry with a multicast MAC address, and you can also configure such a static ARP entry on the device. By default, ARP entry check is enabled. # Enable ARP entry check. [Sysname] arp check enable arp max-learning-num arp max-learning-num number undo arp max-learning-num Ethernet interface view, VLAN interface view, Layer-2 aggregate interface view 1-1

number: Maximum number of dynamic ARP entries that an interface can learn. in the range 0 to 1024 Use the arp max-learning-num command to configure the maximum number of dynamic ARP entries that an interface can learn. Use the undo arp max-learning-num command to restore the default. By default, the maximum number of dynamic ARP entries that a interface can learn is 1024. # Specify VLAN-interface 40 to learn up to 500 dynamic ARP entries. [Sysname] interface vlan-interface 40 [Sysname-Vlan-interface40] arp max-learning-num 500 # Specify GigabitEthernet 1/0/1 to learn up to 1000 dynamic ARP entries. [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] arp max-learning-num 1000 # Specifiy Layer-2 aggregate interface Bridge-aggregation 1 to learn up to 1000 dynamic ARP entries. [Sysname] interface bridge-aggregation 1 [Sysname-Bridge-Aggregation1] arp max-learning-num 1000 arp static arp static ip-address mac-address [ vlan-id interface-type interface-number ] undo arp ip-address System view ip-address: IP address in an ARP entry. mac-address: MAC address in an ARP entry, in the format H-H-H. vlan-id: ID of a VLAN to which a static ARP entry belongs to, in the range 1 to 4094. interface-type interface-number: Interface type and interface number. 1-2

Use the arp static command to configure a static ARP entry in the ARP mapping table. Use the undo arp command to remove an ARP entry. Note that: A static ARP entry is effective when the device works normally. However, when the VLAN or VLAN interface to which an ARP entry corresponds is deleted, the entry, if permanent, will be deleted, and if non-permanent and resolved, will become unresolved. The vlan-id argument is used to specify the corresponding VLAN of an ARP entry and must be the ID of an existing VLAN. In addition, the Ethernet interface following the argument must belong to that VLAN. The VLAN interface of the VLAN must have been created. If both the vlan-id and ip-address arguments are specified, the IP address of the VLAN interface corresponding to the vlan-id argument must belong to the same network segment as the IP address specified by the ip-addres argument. Related commands: reset arp, display arp. # Configure a static ARP entry, with the IP address being 202.38.10.2, the MAC address being 00e0-fc01-0000, and the outbound interface being GigabitEthernet1/0/1 of VLAN 10. [Sysname] arp static 202.38.10.2 00e0-fc01-0000 10 GigabitEthernet 1/0/1 arp timer aging arp timer aging aging-time undo arp timer aging System view aging-time: Aging time for dynamic ARP entries in minutes, in the range 1 to 1,440. Use the arp timer aging command to set aging time for dynamic ARP entries. Use the undo arp timer aging command to restore the default. By default, the aging time for dynamic ARP entries is 20 minutes. Related commands: display arp timer aging. # Set aging time for dynamic ARP entries to 10 minutes. 1-3

[Sysname] arp timer aging 10 display arp display arp [ [ all dynamic static ] vlan vlan-id interface interface-type interface-number ] [ [ { begin exclude include } regular-expression ] count ] Any view 1: Monitor level all: Displays all ARP entries. dynamic: Displays dynamic ARP entries. static: Displays static ARP entries. vlan vlan-id: Displays the ARP entries of the specified VLAN. The VLAN ID ranges from 1 to 4,094. interface interface-type interface-number: Displays the ARP entries of the interface specified by the argument interface-type interface-number. : Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Basic System Configuration in the System Volume. begin: Displays ARP entries from the first one containing the specified string. exclude: Displays the ARP entries that do not contain the specified string. include: Displays the ARP entries containing the specified string. regular-expression: A case-sensitive string for matching, consisting of 1 to 256 characters. count: Displays the number of ARP entries. Use the display arp command to display ARP entries in the ARP mapping table. If no parameter is specified, all ARP entries are displayed. Related commands: arp static, reset arp. # Display the detailed information of all ARP entries. <Sysname> display arp all Type: S-Static D-Dynamic IP Address MAC Address VLAN ID Interface Aging Type 1.1.1.1 0001-0001-0001 1 GE1/0/2 N/A S 192.168.1.1 00e0-fc01-0000 1 GE1/0/1 N/A S 1-4

Table 1-1 display arp command output description Field IP Address MAC Address VLAN ID Interface Aging Type IP address in an ARP entry MAC address in an ARP entry VLAN ID contained a static ARP entry Outbound interface in an ARP entry Aging time for a dynamic ARP entry in minutes ( N/A means unknown aging time or no aging time) ARP entry type: D for dynamic, S for static # Display the number of all ARP entries. <Sysname> display arp all count Total Entry(ies): 2 display arp ip-address display arp ip-address [ { begin exclude include } regular-expression ] Any view 1: Monitor level ip-address: Displays the ARP entry for the specified IP address. : Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Basic System Configuration in the System Volume. begin: Displays the ARP entries from the first one containing the specified string. exclude: Displays the ARP entries that do not contain the specified string. include: Displays the ARP entries that contain the specified string. regular-expression: A case-sensitive string for matching, consisting of 1 to 256 characters. Use the display arp ip-address command to display the ARP entry for a specified IP address. Related commands: arp static, reset arp. # Display the corresponding ARP entry for the IP address 20.1.1.1. <Sysname> display arp 20.1.1.1 Type: S-Static D-Dynamic IP Address MAC Address VLAN ID Interface Aging Type 1-5

20.1.1.1 00e0-fc00-0001 N/A GE1/0/2 N/A S display arp timer aging display arp timer aging Any view None Use the display arp timer aging command to display the aging time for dynamic ARP entries. Related commands: arp timer aging. # Display the aging time for dynamic ARP entries. <Sysname> display arp timer aging Current ARP aging time is 10 minute(s) reset arp reset arp { all dynamic static interface interface-type interface-number } User view all: Clears all ARP entries except authorized ARP entries. dynamic: Clears all dynamic ARP entries. static: Clears all static ARP entries. interface interface-type interface-number: Clears the ARP entries for the interface specified by the argument interface-type interface-number. Use the reset arp command to clear ARP entries except authorized ARP entries from the ARP mapping table. 1-6

With interface interface-type interface-number specified, the command clears only dynamic ARP entries of the interface. Related commands: arp static, display arp. # Clear all static ARP entries. <Sysname> reset arp static Gratuitous ARP Configuration Commands gratuitous-arp-sending enable gratuitous-arp-sending enable undo gratuitous-arp-sending enable System view None Use the gratuitous-arp-sending enable command to enable a device to send gratuitous ARP packets when receiving ARP requests from another network segment. Use the undo gratuitous-arp-sending enable command to restore the default. By default, a device cannot send gratuitous ARP packets when receiving ARP requests from another network segment. # Disable a device from sending gratuitous ARP packets. [Sysname] undo gratuitous-arp-sending enable gratuitous-arp-learning enable gratuitous-arp-learning enable undo gratuitous-arp-learning enable System view 1-7

None Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function. Use the undo gratuitous-arp-learning enable command to disable the function. By default, the function is enabled. With this function enabled, a device receiving a gratuitous ARP packet can add the source IP and MAC addresses carried in the packet to its own dynamic ARP table if it finds no ARP entry in the cache corresponding to the source IP address of the ARP packet exists; if the corresponding ARP entry exists in the cache, the device updates the ARP entry regardless of whether this function is enabled. # Enable the gratuitous ARP packet learning function. [Sysname] gratuitous-arp-learning enable 1-8

2 ARP Attack Defense Configuration Commands ARP Source Suppression Configuration Commands arp source-suppression enable arp source-suppression enable undo arp source-suppression enable System view None Use the arp source-suppression enable command to enable the ARP source suppression function. Use the undo arp source-suppression enable command to disable the function. By default, the ARP source suppression function is disabled. Related commands: display arp source-suppression. # Enable the ARP source suppression function. [Sysname] arp source-suppression enable arp source-suppression limit arp source-suppression limit limit-value undo arp source-suppression limit System view 2-1

limit-value: Specifies the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds. It ranges from 2 to 1024. Use the arp source-suppression limit command to set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds. Use the undo arp source-suppression limit command to restore the default value, which is 10. With this feature configured, whenever the number of packets with unresolvable destination IP addresses from a host within five seconds exceeds the specified threshold, the device suppress the sending host from triggering any ARP requests within the following five seconds. Related commands: display arp source-suppression. # Set the maximum number of packets with the same source address but unresolvable destination IP addresses that the device can receive in five seconds to 100. [Sysname] arp source-suppression limit 100 display arp source-suppression display arp source-suppression Any view None Use the display arp source-suppression command to display information about the current ARP source suppression configuration. # Display information about the current ARP source suppression configuration. <Sysname> display arp source-suppression ARP source suppression is enabled Current suppression limit: 100 Current cache length: 16 2-2

Table 2-1 display arp source-suppression command output description Field ARP source suppression is enabled Current suppression limit Current cache length The ARP source suppression function is enabled Maximum number of packets with the same source IP address but unresolvable IP addresses that the device can receive in five seconds Size of cache used to record source suppression information ARP Active Acknowledgement Configuration Commands arp anti-attack active-ack enable arp anti-attack active-ack enable undo arp anti-attack active-ack enable System view None Use the arp anti-attack active-ack enable command to enable the ARP active acknowledgement function. Use the undo arp anti-attack active-ack enable command to restore the default. By default, the ARP active acknowledgement function is disabled. Typically, this feature is configured on gateway devices to identify invalid ARP packets. # Enable the ARP active acknowledgement function. [Sysname] arp anti-attack active-ack enable 2-3

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback