arp spoof-check


[ no ] arp spoof-check

Release Information

Command introduced in JunosE Release 9.3.0.


Configures the router to check for spoofed ARP packets received on an IP interface. By default, the router checks all ARP packets received on a major IP interface or a subinterface to identify and discard spoofed ARP packets. The no version disables checking for spoofed ARP packets received on the interface.

By default, E Series routers check all received ARP packets to identify spoofed ARP packets and process only those ARP packets whose source IP address is outside the range of the network mask. ARP packets with a source IP address of and the router IP address as the destination address are dropped because the router identifies them as spoofed packets.

In networks with DSLAMs, the DSLAMs perform the spoof-checking task instead of the router, even if you configure the router to check for spoofed ARP packets. If you disable checking for spoofed ARP packets on the router in such networks, the DSLAMs forward the received packets to the router for processing. You can therefore configure the router according to how you want spoof-checking to be performed.

Note: You cannot configure ARP spoof-checking on interfaces that do not support ARP, such as loopback interfaces and ATM point-to-point PVCs.


