Commands For Arp Scanning Prevention

6.2 Commands for ARP Scanning Prevention

6.2.1 anti-arpscan enable

Command: anti-arpscan enable
no anti-arpscan enable
Function: Globally enable the ARP scanning prevention function. The no command globally disables the ARP scanning prevention function.
Parameters: None.
Command mode: Global Configuration Mode
Default: Disabled.
Usage guide: When remotely managing a switch with a method like telnet, users should set the uplink port as a Super Trust port before enabling the anti-ARP-scan function. This prevents the port from being shut down because it receives too many ARP messages. After the anti-ARP-scan function is disabled, this port resets to its default attribute, which is an untrusted port.
Example: Enable ARP scanning prevention on the switch.

active500EM(config)#anti-arpscan enable


6.2.2 anti-arpscan port-based threshold

Command: anti-arpscan port-based threshold <threshold-value>
no anti-arpscan port-based threshold
Function: Set the port-based ARP scanning prevention received message threshold. If the rate of ARP messages received on a port exceeds the threshold, the port will be closed. The unit is packets per second. The no command will reset the default value of 10 packets per second.
Parameters:

  • <threshold-value>: rate threshold. The valid range is from 2 to 200.

Command mode: Global Configuration Mode
Default: 10 packets per second.
Usage guide: The port-based ARP scanning prevention threshold should be larger than the IP-based ARP scanning prevention threshold or the IP-based ARP scanning prevention will fail.
Example: Set the port-based ARP scanning prevention threshold to 10 packets per second.

active500EM(config)#anti-arpscan port-based threshold 10


6.2.3 anti-arpscan ip-based threshold

Command: anti-arpscan ip-based threshold <threshold-value>
no anti-arpscan ip-based threshold
Function: Set the IP-based ARP scanning prevention received message threshold. If the rate of ARP messages received from an IP exceeds the threshold, the IP messages from this IP will be blocked. The unit is packets per second. The no command will reset the default value of 3 packets per second.
Parameters:

  • <threshold-value>: Rate threshold. The valid range is from 1 to 200.

Command mode: Global configuration mode
Default: 3 packets per second.
Usage guide: The IP-based ARP scanning prevention threshold should be smaller than the port-based ARP scanning prevention threshold, or the IP-based ARP scanning prevention will fail (the port is closed before any single IP can be blocked).
Example: Set the IP-based ARP scanning prevention threshold to 6 packets per second.

active500EM(config)#anti-arpscan ip-based threshold 6


6.2.4 anti-arpscan trust

Command: anti-arpscan trust [port | supertrust-port]
no anti-arpscan trust [port | supertrust-port]
Function: Configure a port as a trusted port or a super trusted port. The no command will reset the port to an untrusted port.
Parameters: None.
Command mode: Port Configuration Mode
Default: All the ports are non-trusted.
Usage guide: If a port is configured as a trusted port, the ARP scanning prevention function will not handle the port: if the received ARP message rate exceeds the set threshold, this port will not be closed. The non-trusted IPs on this port will still be checked. If a port is set as a super trusted port, then neither the port nor the IPs on the port will be handled. If the port is already closed by ARP scanning prevention, it will be opened after being set as a trusted port. When remotely managing a switch with a method like telnet, users should set the uplink port as a super trust port before enabling the anti-ARP-scan function. This prevents the port from being shut down because it receives too many ARP messages. After the anti-ARP-scan function is disabled, this port will be reset to its default attribute, an untrusted port.
Example: Set port ethernet 1/0/5 of the switch as a trusted port.

active500EM(config)#interface Ethernet 1/0/5
active500EM(config-if-ethernet1/0/5)#anti-arpscan trust port
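As an added illustration (not the switch's own code) of how the settings in 6.2.2 to 6.2.4 interact, the following Python model applies the port-based and IP-based checks to one second of constructed ARP traffic and shows why the port threshold must stay above the IP threshold. Port names, IP addresses and rates are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class AntiArpScan:
    """Simplified model of the anti-arpscan decision rules (added example, not switch firmware)."""
    port_threshold: int = 10   # packets/second, default of 6.2.2
    ip_threshold: int = 3      # packets/second, default of 6.2.3
    trust: dict = field(default_factory=dict)       # port -> "untrust" | "trust" | "supertrust"
    trusted_ips: set = field(default_factory=set)   # IPs configured with anti-arpscan trust ip

    def evaluate(self, arp_seen):
        """arp_seen: list of (port, source_ip) for the ARP messages received in one second.
        Returns (shut_ports, blocked_ips) as sets."""
        shut_ports, blocked_ips = set(), set()
        # IP-based check: a super-trust port is skipped entirely; a trust port still has its IPs checked
        for (port, ip), n in Counter(arp_seen).items():
            if self.trust.get(port, "untrust") == "supertrust" or ip in self.trusted_ips:
                continue
            if n > self.ip_threshold:
                blocked_ips.add(ip)
        # Port-based check: only untrusted ports can be shut
        for port, n in Counter(port for port, _ in arp_seen).items():
            if self.trust.get(port, "untrust") == "untrust" and n > self.port_threshold:
                shut_ports.add(port)
        return shut_ports, blocked_ips


def scenarios():
    # Constructed one-second sample: one noisy host and one quiet host on Ethernet1/0/19,
    # plus 40 ARP/s from many hosts arriving on the super-trust uplink Ethernet1/0/18.
    traffic = [("Ethernet1/0/19", "10.0.0.9")] * 6
    traffic += [("Ethernet1/0/19", "10.0.0.10")]
    traffic += [("Ethernet1/0/18", f"10.0.1.{i}") for i in range(40)]
    trust = {"Ethernet1/0/18": "supertrust"}
    good = AntiArpScan(trust=trust)                      # defaults: 10 pps port, 3 pps IP
    bad = AntiArpScan(port_threshold=2, trust=trust)     # port threshold below the IP threshold
    return good.evaluate(traffic), bad.evaluate(traffic)
```

With the default pair only 10.0.0.9 is blocked and the port stays up; with the port threshold set below the IP threshold the whole of Ethernet1/0/19, including the quiet host, is shut, so the per-IP block has no selective effect, which is the failure the usage guide of 6.2.2 warns about.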


6.2.5 anti-arpscan trust ip

Command: anti-arpscan trust ip <ip-address> [<netmask>]
no anti-arpscan trust ip <ip-address> [<netmask>]
Function: Configure the trusted IP. The no command resets the IP to a non-trusted IP.
Parameters:

  • <ip-address>: configure the trusted IP address.
  • <netmask>: net mask of the IP.

Command mode: Global Configuration Mode
Default: All IPs are non-trusted. The default mask is 255.255.255.255.
Usage guide: If an IP is configured as a trusted IP, ARP scanning prevention will not handle this IP: if the received ARP message rate from it exceeds the set threshold, the IP will not be blocked. If the IP is already blocked by ARP scanning prevention, its traffic will be recovered immediately.
Example: Set 192.168.1.0/24 as a trusted IP.

active500EM(config)#anti-arpscan trust ip 192.168.1.0 255.255.255.0


6.2.6 anti-arpscan recovery enable

Command: anti-arpscan recovery enable
no anti-arpscan recovery enable
Function: Enable automatic recovery. The no command disables the function.
Parameters: None
Command mode: Global Configuration Mode
Default: Enabled.
Usage guide: Automatically restores the normal state after a port has been closed or an IP has been disabled by ARP scanning prevention.
Example: Enable automatic recovery of the switch.

active500EM(config)#anti-arpscan recovery enable


6.2.7 anti-arpscan recovery time

Command: anti-arpscan recovery time <seconds>
no anti-arpscan recovery time
Function: Configure automatic recovery time. The no command resets the automatic recovery time to the default value.
Parameters:

  • <seconds>: automatic recovery time. The valid value is in seconds with a range from 5 to 86400.

Command mode: Global Configuration Mode
Default: 300 seconds.
Usage guide: The automatic recovery function should be enabled before executing this command.
Example: Set the automatic recovery time to 3600 seconds.

active500EM(config)#anti-arpscan recovery time 3600


6.2.8 anti-arpscan log enable

Command: anti-arpscan log enable
no anti-arpscan log enable
Function: Enable the ARP scanning prevention log function. The no command disables this function.
Parameters: None.
Command mode: Global configuration mode
Default: Enable the ARP scanning prevention log function.
Usage guide: After enabling the ARP scanning prevention log function, users can check detailed information about ports that are closed or automatically recovered by ARP scanning prevention, and about IPs that are disabled and recovered by ARP scanning prevention. The level of the log is "Warning".
Example: Enable the ARP scanning prevention log function on the switch.

active500EM(config)#anti-arpscan log enable


6.2.9 anti-arpscan trap enable

Command: anti-arpscan trap enable
no anti-arpscan trap enable
Function: Enable the ARP scanning prevention SNMP Trap function. The no command disables the ARP scanning prevention SNMP Trap function.
Parameters: None.
Command mode: Global Configuration Mode
Default: Disable the ARP scanning prevention SNMP Trap function.
Usage guide: After enabling the ARP scanning prevention SNMP Trap function, users will receive a Trap message whenever a port or IP is closed or recovered by ARP scanning prevention.
Example: Enable the ARP scanning prevention SNMP Trap function on the switch.

active500EM(config)#anti-arpscan trap enable


6.2.10 show anti-arpscan

Command: show anti-arpscan [trust [ip | port | supertrust-port] | prohibited [ip | port]]
Function: Display the ARP scanning prevention function information.
Parameters: None.
Command mode: Admin Mode
Default: Display every port, showing whether it is a trusted port and whether it is closed. If the port is closed, display how long it has been closed. Display all trusted and disabled IPs.
Usage guide: Use "show anti-arpscan trust port" to check trusted ports.
Example: Check the state of the ARP scanning prevention function after enabling it.

active500EM(config)#show anti-arpscan
Total port: 28
Name        Port-property  beShut shutTime(seconds)
Ethernet1/0/1    untrust     N    0
Ethernet1/0/2    untrust     N    0
Ethernet1/0/3    untrust     N    0
Ethernet1/0/4    untrust     N    0
Ethernet1/0/5    untrust     N    0
Ethernet1/0/6    untrust     N    0
Ethernet1/0/7    untrust     N    0
Ethernet1/0/8    untrust     N    0
Ethernet1/0/9    untrust     N    0
Ethernet1/0/10   untrust     N    0
Ethernet1/0/11   untrust     N    0
Ethernet1/0/12   untrust     N    0
Ethernet1/0/13   untrust     N    0
Ethernet1/0/14   untrust     N    0
Ethernet1/0/15   untrust     N    0
Ethernet1/0/16   trust       N    0
Ethernet1/0/17   untrust     N    0
Ethernet1/0/18   supertrust  N    0
Ethernet1/0/19   untrust     Y    30
Ethernet1/0/20   trust       N    0
Ethernet1/0/21   untrust     N    0
Ethernet1/0/22   untrust     N    0
Ethernet1/0/23   untrust     N    0
Ethernet1/0/24   untrust     N    0
Ethernet1/0/25   untrust     N    0
Ethernet1/0/26   untrust     N    0
Ethernet1/0/27   untrust     N    0
Ethernet1/0/28   untrust     N    0
Prohibited IP:
IP        shutTime(seconds)
1.1.1.2    132
Trust IP:
192.168.99.5   255.255.255.255
192.168.99.6   255.255.255.255
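As an added monitoring example (not part of the manual), this Python parser reads `show anti-arpscan` output in the format shown above and reports the ports shut and IPs prohibited by ARP scanning prevention; the embedded sample is a shortened copy of the output above.

```python
import re

# Constructed sample in the format of the show anti-arpscan output above (shortened)
SAMPLE = """Total port: 28
Name        Port-property  beShut shutTime(seconds)
Ethernet1/0/1    untrust     N    0
Ethernet1/0/18   supertrust  N    0
Ethernet1/0/19   untrust     Y    30
Ethernet1/0/20   trust       N    0
Prohibited IP:
IP        shutTime(seconds)
1.1.1.2    132
Trust IP:
192.168.99.5   255.255.255.255
192.168.99.6   255.255.255.255
"""

PORT_RE = re.compile(r"^(\S+)\s+(untrust|trust|supertrust)\s+([YN])\s+(\d+)$")
IP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_show_anti_arpscan(text):
    """Return {'ports': {name: {...}}, 'prohibited': {ip: seconds}, 'trusted': {ip: mask}}."""
    state = {"ports": {}, "prohibited": {}, "trusted": {}}
    section = "ports"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Prohibited IP"):
            section = "prohibited"
        elif line.startswith("Trust IP"):
            section = "trusted"
        elif section == "ports" and (m := PORT_RE.match(line)):
            name, prop, shut, secs = m.groups()
            state["ports"][name] = {"property": prop, "shut": shut == "Y", "shut_time": int(secs)}
        elif section != "ports" and (m := IP_RE.match(line)):
            # Prohibited rows carry the seconds shut, trusted rows carry the netmask
            state[section][m.group(1)] = int(m.group(2)) if section == "prohibited" else m.group(2)
    return state


def findings(state):
    """Events an operator would want alerted on: ports shut and IPs blocked by anti-arpscan."""
    out = [f"port {n} shut for {p['shut_time']}s" for n, p in state["ports"].items() if p["shut"]]
    out += [f"ip {ip} prohibited for {s}s" for ip, s in state["prohibited"].items()]
    return out
```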


6.2.11 debug anti-arpscan

Command: debug anti-arpscan [port | ip]
no debug anti-arpscan [port | ip]
Function: Enable ARP scanning prevention debug. The no command disables the debugging.
Parameters: None.
Command mode: Admin Mode
Default: Disabled.
Usage guide: After enabling ARP scanning prevention debug, users can check the corresponding debug information whenever a port is closed by ARP scanning prevention or recovered automatically, and whenever an IP is closed or recovered. The port-based and IP-based debug switches can also be enabled separately.
Example: Enable the ARP scanning prevention debug on the switch.

active500EM(config)#debug anti-arpscan
