- H3C S3610[5510] Series Ethernet Switches Operation Manual-Release 0001-(V1.02)
Table of Contents
1.2.1 Configuring a Static ARP Entry
1.2.2 Configuring the Maximum Number of ARP Entries for a VLAN Interface
1.2.3 Setting Aging Time for Dynamic ARP Entries
1.2.4 Enabling ARP Entry Check
1.3 Configuring Gratuitous ARP
1.3.1 Introduction to Gratuitous ARP
1.3.2 Configuring Gratuitous ARP
1.4 Configuring ARP Source Suppression
1.4.1 Introduction to ARP Source Suppression
1.4.2 Configuring ARP Source Suppression
1.5 Displaying and Maintaining ARP
1.6.1 ARP Basic Configuration Example
1.6.2 ARP Source Suppression Configuration Example
Chapter 2 Proxy ARP Configuration
2.4 Proxy ARP Configuration Example
2.4.1 Proxy ARP Configuration Example
2.4.2 Local Proxy ARP Configuration Example in Case of Port Isolation
2.4.3 Local Proxy ARP Configuration Example in Isolate-user-vlan
Chapter 1 ARP Configuration
1.1 ARP Overview
1.1.1 ARP Function
Address resolution protocol (ARP) is used to resolve an IP address into a MAC address.
An IP address is the address of a host at the network layer. To send a network layer packet to a destination host, the device must know the MAC address of the destination host. To this end, the IP address must be resolved into the corresponding MAC address.
1.1.2 ARP Message Format
The following explains the fields in Figure 1-1.
- Hardware type: This field specifies the type of a hardware address. The value “1” represents an Ethernet address.
- Protocol type: This field specifies the type of the protocol address to be mapped. The hexadecimal value “0x0800” represents an IP address.
- Hardware address length and protocol address length: They respectively specify the length of a hardware address and a protocol address, in bytes. For an Ethernet address, the value of the hardware address length field is “6”. For an IP(v4) address, the value of the protocol address length field is “4”.
- OP: Operation code. This field specifies the type of ARP message. The value “1” represents an ARP request and “2” represents an ARP reply.
- Sender hardware address: This field specifies the hardware (MAC) address of the device sending the message.
- Sender protocol address: This field specifies the IP address of the device sending the message.
- Target hardware address: This field specifies the hardware address of the device the message is being sent to.
- Target protocol address: This field specifies the IP address of the device the message is being sent to.
1.1.3 ARP Process
Figure 1-2 ARP process
Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B. The resolution process is as follows:
1) Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B. If Host A finds it, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
2) If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request, in which the source IP address and source MAC address are respectively the IP address and MAC address of Host A and the destination IP address and MAC address are respectively the IP address of Host B and an all-zero MAC address. Because the ARP request is sent in broadcast mode, all hosts on this subnet can receive the request, but only the requested host (namely, host B) will process the request.
3) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
4) After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP mapping table for subsequent packet forwarding. Meanwhile, Host A encapsulates the IP packet and sends it out.
Note:
When Host A and Host B are not on the same subnet, Host A first sends an ARP request to the gateway. The destination IP address in the ARP request is the IP address of the gateway. After obtaining the MAC address of the gateway from an ARP reply, Host A encapsulates the packet and sends it to the gateway. Subsequently, the gateway broadcasts the ARP request, in which the destination IP address is the one of Host B. After obtaining the MAC address of Host B from another ARP reply, the gateway sends the packet to Host B.
1.1.4 ARP Mapping Table
After obtaining the MAC address of a destination host through ARP, the device adds the IP-to-MAC mapping of the destination host into its own ARP mapping table, which will be used for forwarding packets to the same destination.
An ARP mapping table contains ARP entries, which fall into two categories: dynamic and static.
1) A dynamic entry is automatically created and maintained by ARP. It can get aged, be updated by a new ARP packet, or be overwritten by a static ARP entry. When the aging timer expires or the interface goes down, the corresponding dynamic ARP entry will be removed.
2) A static ARP entry is manually configured and maintained. It cannot get aged or be overwritten by a dynamic ARP entry. It can be long or short.
- A long static ARP entry can be directly used to forward data. When configuring a long static ARP entry, you must configure a VLAN and outbound port for the entry besides the IP address and MAC address.
- A short static ARP entry cannot be directly used for forwarding data. When configuring a short static ARP entry, you only need to configure the IP address and MAC address. When forwarding IP packets, the device broadcasts an ARP request. If the source IP and MAC addresses in the received ARP reply are the same as the configured IP and MAC addresses, the device adds the port that receives the ARP reply and the VLAN where the port resides into the static ARP entry. Now the entry can be used for forwarding IP packets.
Note:
Usually ARP resolves IP-to-MAC mappings dynamically and automatically, without manual intervention.
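As an added example that is not part of the manual, the following Python model captures the entry rules above: dynamic entries age out and yield to static ones, static entries never yield to dynamic learning, and a short static entry becomes usable only after a matching ARP reply binds it to a port. The behaviour is an assumption drawn from this section, and the addresses are taken from this chapter's examples or constructed.

```python
class ArpTable:
    """Model of the mapping-table rules in 1.1.4 and 1.2.1 (an assumption about the
    switch's behaviour, not H3C code). Entries are keyed by IP address."""

    def __init__(self, aging_seconds: int = 20 * 60):   # 'arp timer aging', default 20 minutes
        self.aging = aging_seconds
        self.entries = {}   # ip -> {"mac", "kind", "vlan", "port", "learned_at"}

    def learn(self, ip, mac, vlan, port, now) -> bool:
        """Dynamic learning from a received ARP packet. Refreshes or replaces a dynamic
        entry; never touches a static one."""
        current = self.entries.get(ip)
        if current is not None and current["kind"] == "static":
            return False
        self.entries[ip] = {"mac": mac, "kind": "dynamic", "vlan": vlan,
                            "port": port, "learned_at": now}
        return True

    def add_static(self, ip, mac, vlan=None, port=None) -> None:
        """'arp static': long when VLAN and port are given, short otherwise.
        A static entry overwrites any dynamic entry for the same IP."""
        self.entries[ip] = {"mac": mac, "kind": "static", "vlan": vlan,
                            "port": port, "learned_at": None}

    def bind_short_entry(self, ip, reply_mac, reply_vlan, reply_port) -> bool:
        """Complete a short static entry from an ARP reply whose source IP and MAC match
        the configured pair; the reply's ingress port and VLAN are recorded."""
        entry = self.entries.get(ip)
        if entry is None or entry["kind"] != "static" or entry["port"] is not None:
            return False
        if entry["mac"] != reply_mac:
            return False   # MAC mismatch: the reply is ignored and the entry stays unresolved
        entry["vlan"], entry["port"] = reply_vlan, reply_port
        return True

    def lookup(self, ip, now):
        """Return (mac, vlan, port) if the entry can forward traffic now, else None.
        Dynamic entries past the aging time are removed on the way."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if entry["kind"] == "dynamic" and now - entry["learned_at"] >= self.aging:
            del self.entries[ip]
            return None
        if entry["port"] is None:
            return None   # short static entry not yet bound to a port
        return entry["mac"], entry["vlan"], entry["port"]
```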
1.2 Configuring ARP
1.2.1 Configuring a Static ARP Entry
Follow these steps to configure a static ARP entry:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Configure a long static ARP entry | arp static ip-address mac-address vlan-id interface-type interface-number | Required. No long static ARP entry is configured by default. |
Configure a short static ARP entry | arp static ip-address mac-address | Required. No short static ARP entry is configured by default. |
Caution:
- A static ARP mapping is valid as long as the device works normally. However, when a VLAN or VLAN interface is deleted, the corresponding ARP entries will be deleted accordingly.
- The vlan-id argument that you specify for the ARP entry must be the ID of an existing VLAN with VLAN interface already configured, and the Ethernet port following the argument must belong to the VLAN.
1.2.2 Configuring the Maximum Number of ARP Entries for a VLAN Interface
Follow these steps to set the maximum number of dynamic ARP entries that an interface can learn:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter VLAN interface view | interface Vlan-interface vlan-id | — |
Set the maximum number of dynamic ARP entries that a VLAN interface can learn | arp max-learning-num number | Optional. 2560 by default. |
1.2.3 Setting Aging Time for Dynamic ARP Entries
After dynamic ARP entries expire, the system will delete them from the ARP mapping table. You can adjust the aging time for dynamic ARP entries according to the actual network condition.
Follow these steps to set aging time for dynamic ARP entries:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Set aging time for dynamic ARP entries | arp timer aging aging-time | Optional. 20 minutes by default. |
1.2.4 Enabling ARP Entry Check
The ARP entry check function is used to control the device in learning multicast MAC addresses. By default, this function is enabled on your S3610&S5510 series Ethernet switch and so your switch does not create ARP entries for multicast MAC addresses. With ARP entry check disabled, the switches create ARP entries for multicast MAC addresses.
Follow these steps to enable the ARP entry check:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enable the ARP entry check | arp check enable | Optional. Enabled by default. That is, the device does not learn multicast MAC addresses. |
1.3 Configuring Gratuitous ARP
1.3.1 Introduction to Gratuitous ARP
A gratuitous ARP packet is a special ARP packet, in which the source IP address and destination IP address are both the IP address of the sender, the source MAC address is the MAC address of the sender, and the destination MAC address is a broadcast address.
A device can implement the following functions by sending gratuitous ARP packets:
- Determining whether its IP address is already used by another device.
- Informing other devices of its MAC address change so that they can update their ARP entries.
A device receiving a gratuitous ARP packet can add the information carried in the packet to its own dynamic ARP mapping table if it finds no corresponding ARP entry for the ARP packet in the cache.
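As an added example, not code from the H3C manual, the following Python parses the Ethernet/IPv4 ARP message laid out in 1.1.2, rejects malformed messages, and flags a gratuitous ARP packet as defined in 1.3.1 (sender and target IP identical, frame sent to the broadcast MAC). The sample packets and all addresses in them are constructed.

```python
import struct
from dataclasses import dataclass

# Field values from section 1.1.2
ETH_HW_TYPE = 1
IPV4_PROTO_TYPE = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6


@dataclass
class ArpMessage:
    op: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def parse_arp(payload: bytes) -> ArpMessage:
    """Parse a 28-byte Ethernet/IPv4 ARP message, rejecting anything malformed."""
    if len(payload) < 28:
        raise ValueError("ARP message truncated")
    hw_type, proto_type, hw_len, proto_len, op = struct.unpack("!HHBBH", payload[:8])
    if hw_type != ETH_HW_TYPE or proto_type != IPV4_PROTO_TYPE:
        raise ValueError(f"unsupported hardware/protocol type {hw_type}/{proto_type:#06x}")
    if hw_len != 6 or proto_len != 4:
        raise ValueError(f"unexpected address lengths {hw_len}/{proto_len}")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown opcode {op}")
    body = payload[8:28]
    return ArpMessage(op, body[0:6], body[6:10], body[10:16], body[16:20])


def classify(msg: ArpMessage, frame_dst_mac: bytes) -> str:
    """Gratuitous ARP (1.3.1): sender and target IP are both the sender's own address
    and the frame is broadcast; otherwise an ordinary request or reply."""
    if msg.sender_ip == msg.target_ip and frame_dst_mac == BROADCAST_MAC:
        return "gratuitous"
    return "request" if msg.op == OP_REQUEST else "reply"


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Inverse of parse_arp; used here only to construct sample packets."""
    header = struct.pack("!HHBBH", ETH_HW_TYPE, IPV4_PROTO_TYPE, 6, 4, op)
    return header + sender_mac + sender_ip + target_mac + target_ip


def mac(text: str) -> bytes:   # accepts the H3C "000f-e201-0000" form
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


# Constructed samples (addresses are made up). The request follows 1.1.3 step 2:
# sender = Host A, target IP = Host B, target MAC all-zero, sent to the broadcast MAC.
HOST_A_MAC, HOST_A_IP = mac("000f-e201-0001"), ip("192.168.1.10")
SAMPLE_REQUEST = build_arp(OP_REQUEST, HOST_A_MAC, HOST_A_IP, bytes(6), ip("192.168.1.1"))
SAMPLE_GRATUITOUS = build_arp(OP_REQUEST, HOST_A_MAC, HOST_A_IP, bytes(6), HOST_A_IP)
```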
1.3.2 Configuring Gratuitous ARP
Follow these steps to configure gratuitous ARP:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enable the device to send gratuitous ARP packets | gratuitous-arp-sending enable | Optional. A device cannot send gratuitous ARP packets by default. |
Enable the gratuitous ARP packet learning function | gratuitous-arp-learning enable | Required. Disabled by default. |
1.4 Configuring ARP Source Suppression
1.4.1 Introduction to ARP Source Suppression
A malicious user may take advantage of the Layer 3 forwarding mechanism of the switch to send large amounts of packets with unreachable destination IP addresses, causing the following adverse impacts:
- The switch searches for route entries frequently. This increases CPU load.
- The switch sends a large number of ARP request packets destined for the destination network segment. This consumes a lot of network resources.
ARP source suppression is designed for S3610&S5510 series Ethernet switches to prevent such attacks. For a switch with ARP source suppression enabled, if a host on the network continuously sends packets with unreachable IP addresses to a port on the switch and the number of such packets exceeds the configured threshold within five seconds, the device discards incoming packets with the same source IP address on the port and forwards the packets from the source five seconds later. This guards the switch against malicious attacks.
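As an added example (not the switch's own implementation), this Python models the per-port, per-source counter described above: more than the configured limit of packets with unresolvable destinations within five seconds suppresses that source on that port for five seconds, after which forwarding resumes. How the switch counts internally is an assumption; the event trace and addresses are constructed.

```python
from collections import defaultdict

WINDOW_SECONDS = 5.0   # the fixed five-second counting and suppression interval from 1.4.1


class ArpSourceSuppression:
    """Model of the behaviour described in 1.4.1 (an assumption about how the switch
    counts, not H3C code). Counting is per (port, source IP); once more than `limit`
    packets with unresolvable destinations arrive within five seconds, every packet
    from that source on that port is dropped for five seconds, then forwarding resumes."""

    def __init__(self, limit: int = 10):     # 'arp source-suppression limit', default 10
        self.limit = limit
        self.counts = defaultdict(int)       # (port, src_ip) -> packets in current window
        self.window_start = {}               # (port, src_ip) -> when the window opened
        self.suppressed_until = {}           # (port, src_ip) -> when suppression ends

    def handle(self, port: str, src_ip: str, now: float, unresolvable: bool) -> str:
        key = (port, src_ip)
        until = self.suppressed_until.get(key)
        if until is not None:
            if now < until:
                return "drop"                # still inside the suppression interval
            del self.suppressed_until[key]   # interval over: forward from this source again
            self.window_start.pop(key, None)
            self.counts[key] = 0
        if not unresolvable:
            return "forward"                 # routable destinations are never counted
        start = self.window_start.get(key)
        if start is None or now - start >= WINDOW_SECONDS:
            self.window_start[key] = now     # open a fresh five-second counting window
            self.counts[key] = 0
        self.counts[key] += 1
        if self.counts[key] > self.limit:
            self.suppressed_until[key] = now + WINDOW_SECONDS
            return "drop"
        return "forward"                     # below the threshold: normal ARP resolution


def simulate(events, limit):
    """events: (time, port, src_ip, unresolvable) tuples; returns one decision per event."""
    engine = ArpSourceSuppression(limit)
    return [engine.handle(port, src, t, unres) for t, port, src, unres in events]


# Constructed trace: one host floods Ethernet1/0/1 with packets for unreachable
# destinations while a second host on the same port behaves normally.
SAMPLE_EVENTS = [
    (0.0, "Ethernet1/0/1", "10.0.0.5", True),
    (1.0, "Ethernet1/0/1", "10.0.0.5", True),
    (2.0, "Ethernet1/0/1", "10.0.0.5", True),
    (3.0, "Ethernet1/0/1", "10.0.0.5", True),    # fourth in 5 s with limit 3: suppressed
    (4.0, "Ethernet1/0/1", "10.0.0.5", False),   # even routable traffic is dropped now
    (4.0, "Ethernet1/0/1", "10.0.0.9", True),    # a different source is unaffected
    (8.5, "Ethernet1/0/1", "10.0.0.5", False),   # five seconds elapsed: forwarded again
]
```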
1.4.2 Configuring ARP Source Suppression
Follow these steps to configure ARP source suppression:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enable ARP source suppression | arp source-suppression enable | Required. Disabled by default. |
Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds | arp source-suppression limit limit-value | Optional. 10 by default. |
1.5 Displaying and Maintaining ARP
To do… | Use the command… | Remarks |
---|---|---|
Display the ARP entries in the ARP mapping table | display arp { { all \| dynamic \| static } \| vlan vlan-id \| interface interface-type interface-number } [ [ \| { begin \| exclude \| include } text ] \| count ] | Available in any view |
Display the ARP entries for a specified IP address | display arp ip-address [ \| { begin \| exclude \| include } text ] | Available in any view |
Display the aging time for dynamic ARP entries | display arp timer aging | Available in any view |
Display the configuration information of ARP source suppression | display arp source-suppression | Available in any view |
Clear ARP entries from the ARP mapping table | reset arp { all \| dynamic \| static \| interface interface-type interface-number } | Available in user view |
1.6 ARP Configuration Example
1.6.1 ARP Basic Configuration Example
I. Network requirement
- Enable the ARP entry check.
- Set the aging time for dynamic ARP entries to 10 minutes.
- Set the maximum number of dynamic ARP entries that Vlan-interface10 can learn to 1,000.
- Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being 000f-e201-0000, and the outbound port being Ethernet1/0/2 of VLAN 10.
II. Configuration procedure
<Sysname> system-view
[Sysname] arp check enable
[Sysname] arp timer aging 10
[Sysname] vlan 10
[Sysname-vlan10] quit
[Sysname] interface vlan-interface 10
[Sysname-vlan-interface10] arp max-learning-num 1000
[Sysname-vlan-interface10] quit
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] port access vlan 10
[Sysname-Ethernet1/0/2] quit
[Sysname] arp static 192.168.1.1 000f-e201-0000 10 ethernet1/0/2
1.6.2 ARP Source Suppression Configuration Example
I. Network requirements
- Switch A is deployed at the access layer, with Ethernet1/0/1 connected to the PC.
- ARP source suppression is enabled on Switch A to guard against attacks in which the PC sends packets with unreachable destination IP addresses, thereby improving switch operating efficiency.
II. Network diagram
Figure 1-3 Network diagram for ARP source suppression configuration
III. Configuration procedure
<Sysname> system-view
[Sysname] arp source-suppression enable
[Sysname] arp source-suppression limit 100
Chapter 2 Proxy ARP Configuration
2.1 Proxy ARP Overview
For an ARP request from a host to reach a host on the same network that is isolated from it at Layer 2, or a host on another network, the device connecting the two physical or virtual networks must be able to respond to the request on that host's behalf. This is achieved by proxy ARP.
Proxy ARP implements Layer 3 communication between VLAN interfaces isolated at Layer 2 or located on different networks.
In one of the following cases, you need to enable the local proxy ARP:
- Layer 2 port isolation is enabled on the S3610&S5510 series Ethernet switch or a switch it connects to.
- Isolate-user-vlan is enabled on a switch which is connected to the S3610&S5510 series Ethernet switch.
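As an added example (a model of the decision described above, not H3C code), the following Python decides whether the switch answers an ARP request with its own MAC: with local proxy ARP when the target lies in the ingress VLAN interface's own subnet, with proxy ARP when the target lies in another VLAN interface's subnet. The interface addresses are the ones from 2.4.1; the PC addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class VlanInterface:
    name: str
    address: ipaddress.IPv4Interface   # e.g. 192.168.10.99/24, as in 2.4.1
    proxy_arp: bool = False            # 'proxy-arp enable'
    local_proxy_arp: bool = False      # 'local-proxy-arp enable'


def make_interface(name, cidr, proxy_arp=False, local_proxy_arp=False):
    return VlanInterface(name, ipaddress.IPv4Interface(cidr), proxy_arp, local_proxy_arp)


def answers_request(interfaces, ingress_name: str, target_ip: str) -> bool:
    """Decide whether the switch replies with its own MAC to an ARP request received on
    `ingress_name` for `target_ip`. Model of section 2.1 (an assumption, not H3C code):
    - the switch's own address on the ingress interface: an ordinary reply;
    - target inside the ingress interface's own subnet (hosts isolated at Layer 2 in one
      VLAN): only with local proxy ARP enabled on that interface;
    - target inside the subnet of another VLAN interface: only with proxy ARP enabled on
      the ingress interface."""
    by_name = {i.name: i for i in interfaces}
    ingress = by_name[ingress_name]
    target = ipaddress.IPv4Address(target_ip)
    if target == ingress.address.ip:
        return True
    if target in ingress.address.network:
        return ingress.local_proxy_arp
    if not ingress.proxy_arp:
        return False
    return any(target in i.address.network for i in interfaces if i.name != ingress_name)


def example_2_4_1(proxy_on: bool):
    """The two VLAN interfaces configured in 2.4.1, with proxy ARP on or off."""
    return [
        make_interface("Vlan-interface1", "192.168.10.99/24", proxy_arp=proxy_on),
        make_interface("Vlan-interface2", "192.168.20.99/24", proxy_arp=proxy_on),
    ]
```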
2.2 Enabling Proxy ARP
Follow these steps to enable proxy ARP in VLAN interface view/Ethernet interface view or enable local proxy ARP in VLAN interface view:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter VLAN interface view | interface vlan-interface vlan-id | — |
Enable proxy ARP | proxy-arp enable | Required. Disabled by default. |
Enable local proxy ARP | local-proxy-arp enable | Required. Disabled by default. |
2.3 Displaying Proxy ARP
To do… | Use the command… | Remarks |
---|---|---|
Display whether proxy ARP is enabled | display proxy-arp [ interface vlan-interface vlan-id ] | Available in any view |
Display whether local proxy ARP is enabled | display local-proxy-arp [ interface vlan-interface vlan-id ] | Available in any view |
2.4 Proxy ARP Configuration Example
2.4.1 Proxy ARP Configuration Example
I. Network requirement
PC1 belongs to VLAN1, and PC4 belongs to VLAN2. Configure proxy ARP on the device to enable the communication between the two.
II. Network diagram
Figure 2-1 Network diagram for proxy ARP
III. Configuration procedure
# Create VLAN 1 and VLAN 2 on the switch, add Ethernet1/0/1 to VLAN 1, Ethernet1/0/2 to VLAN 2. (Details are omitted.)
# Enable proxy ARP on VLAN-interface1 and VLAN-interface2 to realize communication between PC1 and PC4.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.10.99 255.255.255.0
[Sysname-Vlan-interface1] proxy-arp enable
[Sysname-Vlan-interface1] quit
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] ip address 192.168.20.99 255.255.255.0
[Sysname-Vlan-interface2] proxy-arp enable
[Sysname-Vlan-interface2] quit
2.4.2 Local Proxy ARP Configuration Example in Case of Port Isolation
I. Network requirement
- PC1 and PC2 belong to the same VLAN, and are connected to Ethernet1/0/3 and Ethernet1/0/4 of Switch B respectively.
- Switch A (S3610-28P) is connected to Switch B via Ethernet1/0/1.
- Ethernet1/0/3 and Ethernet1/0/4, which are isolated at Layer 2, can communicate at Layer 3.
II. Network diagram
Figure 2-2 Network diagram for local proxy ARP between isolated ports
III. Configuration procedure
1) Configure Switch B
# Add Ethernet1/0/2, Ethernet1/0/3 and Ethernet1/0/4 to VLAN 2. PC1 and PC2 are isolated and unable to exchange Layer 2 packets.
For detailed configuration information, refer to Port Isolation Configuration.
2) Configure Switch A (S3610-28P)
# Create VLAN 2, and add Ethernet1/0/1 to VLAN 2.
For detailed configuration information, refer to VLAN Configuration.
# Create Vlan-interface 2 on Switch A, and configure local proxy ARP to let PC1 and PC2 communicate at Layer 3.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] local-proxy-arp enable
[SwitchA-Vlan-interface2] quit
2.4.3 Local Proxy ARP Configuration Example in Isolate-user-vlan
I. Network requirement
- Switch A (S3610-28P) is connected to Switch B via Ethernet1/0/1.
- VLAN 5 on Switch B is an isolate-user-vlan, which includes uplink port Ethernet1/0/1 and two secondary VLANs (VLAN 2 and VLAN 3). Ethernet1/0/2 belongs to VLAN 2, and Ethernet1/0/3 belongs to VLAN 3.
- Layer 3 communication is implemented between VLAN 2 and VLAN 3.
II. Network diagram
Figure 2-3 Network diagram for local proxy ARP configuration in isolate-user-vlan
III. Configuration procedure
1) Configure Switch B
# Create VLAN 2, VLAN 3, and VLAN 5 on Switch B. Add Ethernet1/0/2 to VLAN2, Ethernet1/0/3 to VLAN 3, and Ethernet1/0/1 to VLAN 5. Configure VLAN5 as the isolate-user-vlan, and VLAN 2 and VLAN 3 as secondary VLANs. Configure the mappings between isolate-user-vlan and the secondary VLANs.
2) Configure Switch A (S3610-28P)
# Create VLAN5 and add Ethernet1/0/1 to it.
For detailed configuration information, refer to VLAN Configuration.
# Create Vlan-interface5 on Switch A. Configure local proxy ARP to implement communication between VLAN 2 and VLAN 3.
<SwitchA> system-view
[SwitchA] interface vlan-interface 5
[SwitchA-Vlan-interface5] local-proxy-arp enable
[SwitchA-Vlan-interface5] quit