H3C S9500 Operation Manual-Release2132[V2.03]-02 IP Services Volume

01-ARP Configuration
Table of Contents

Chapter 1 ARP Configuration
  1.1 ARP Overview
    1.1.1 ARP Function
    1.1.2 ARP Message Format
    1.1.3 ARP Address Resolution Process
    1.1.4 ARP Mapping Table
  1.2 Configuring ARP
    1.2.1 Configuring a Static ARP Entry
    1.2.2 Configuring the Maximum Number of ARP Entries a VLAN Interface Can Learn
    1.2.3 Setting Aging Time for Dynamic ARP Entries
    1.2.4 Enabling the ARP Entry Check
    1.2.5 Enabling the Support for ARP Requests from a Natural Network
    1.2.6 ARP Configuration Examples
  1.3 Configuring Gratuitous ARP
    1.3.1 Introduction to Gratuitous ARP
    1.3.2 Configuring Gratuitous ARP
  1.4 Configuring ARP Source Suppression
    1.4.1 Introduction to ARP Source Suppression
    1.4.2 Configuring ARP Source Suppression
  1.5 Configuring ARP Defense Against IP Packet Attack
    1.5.1 Introduction to ARP Defense Against IP Packet Attack
    1.5.2 Enabling ARP Defense Against IP Packet Attack
  1.6 Configuring ARP Active Acknowledgement
    1.6.1 Introduction
    1.6.2 Configuring the ARP Active Acknowledgement Function
  1.7 Configuring ARP Packet Source MAC Address Consistency Check
    1.7.1 Introduction
    1.7.2 Configuring ARP Packet Source MAC Address Consistency Check
  1.8 Displaying and Maintaining ARP
Chapter 2 Proxy ARP Configuration
  2.1 Proxy ARP Overview
  2.2 Enabling Proxy ARP
  2.3 Displaying and Maintaining Proxy ARP
  2.4 Proxy ARP Configuration Example

Chapter 1  ARP Configuration

When configuring ARP, go to these sections for information you are interested in:

- ARP Overview
- Configuring ARP
- Configuring Gratuitous ARP
- Configuring ARP Source Suppression
- Configuring ARP Defense Against IP Packet Attack
- Configuring ARP Active Acknowledgement
- Configuring ARP Packet Source MAC Address Consistency Check
- Displaying and Maintaining ARP

1.1  ARP Overview

1.1.1  ARP Function

Address resolution protocol (ARP) is used to resolve an IP address into a data link layer address.

An IP address is the address of a host at the network layer. To send a network layer packet to a destination host, the device must know the MAC address of the destination host or the next hop. To this end, the IP address must be resolved into the corresponding MAC address. Each host maintains an IP-to-MAC mapping table that contains IP and MAC addresses of devices that communicated with the host recently.

1.1.2  ARP Message Format

Figure 1-1 ARP message format

The following explains the fields in Figure 1-1.

- Hardware type: This field specifies the type of hardware address. The value “1” represents an Ethernet address.
- Protocol type: This field specifies the type of protocol address to be mapped. The hexadecimal value “0x0800” represents an IP address.
- Hardware address length and protocol address length: They respectively specify the length of a hardware address and a protocol address, in bytes. For an Ethernet address, the value of the hardware address length field is “6”. For an IPv4 address, the value of the protocol address length field is “4”.
- OP: Operation code. This field specifies the type of ARP message. The value “1” represents an ARP request and “2” represents an ARP reply.
- Sender hardware address: This field specifies the hardware address of the device sending the message.
- Sender protocol address: This field specifies the protocol address of the device sending the message.
- Target hardware address: This field specifies the hardware address of the device the message is being sent to.
- Target protocol address: This field specifies the protocol address of the device the message is being sent to.

1.1.3  ARP Address Resolution Process

Figure 1-2 ARP address resolution process

Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B. The resolution process is as follows:

1) Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B. If Host A finds it, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.

2) If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request, in which the source IP address and source MAC address are respectively the IP address and MAC address of Host A, and the destination IP address and MAC address are respectively the IP address of Host B and an all-zero MAC address. Because the ARP request is sent in broadcast mode, all hosts on this subnet receive the request, but only the requested host (namely, Host B) processes it.

3) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.

4) After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP mapping table for subsequent packet forwarding. Meanwhile, Host A encapsulates the IP packet and sends it out.

If Host A and Host B are not on the same subnet, Host A first sends an ARP request to the gateway. The target IP address in the ARP request is the IP address of the gateway. After obtaining the MAC address of the gateway from an ARP reply, Host A sends the packet to the gateway. If the gateway maintains the ARP entry of Host B, it forwards the packet to Host B directly; if not, it broadcasts an ARP request, in which the target IP address is the IP address of Host B. After obtaining the MAC address of Host B, the gateway sends the packet to Host B.

1.1.4  ARP Mapping Table

After obtaining the destination MAC address, the device adds the IP-to-MAC mapping into its own ARP mapping table. This mapping is used for forwarding packets with the same destination in future.

An ARP mapping table contains ARP entries, which fall into two categories: dynamic and static.

1) A dynamic entry is automatically created and maintained by ARP. It can be aged out, updated by a new ARP packet, or overwritten by a static ARP entry. When the aging timer expires or the interface goes down, the corresponding dynamic ARP entry is removed.

2) A static ARP entry is manually configured and maintained. It cannot be aged out or overwritten by a dynamic ARP entry. It can be permanent or non-permanent.

- A permanent static ARP entry can be used directly to forward packets. When configuring a permanent static ARP entry, you must configure a VLAN and outbound interface for the entry in addition to the IP address and MAC address.
- A non-permanent static ARP entry cannot be used directly to forward data. When configuring a non-permanent static ARP entry, you only need to configure the IP address and MAC address. When forwarding IP packets, the device sends an ARP request. If the source IP and MAC addresses in the received ARP reply match the configured IP and MAC addresses, the device adds the interface that received the ARP reply to the static ARP entry; the entry can then be used for forwarding IP packets.

 

Note:

ARP normally resolves IP-to-MAC mappings dynamically and automatically, without manual intervention.

 

1.2  Configuring ARP

1.2.1  Configuring a Static ARP Entry

A static ARP entry is effective when the device works normally. However, when a VLAN or VLAN interface to which a static ARP entry corresponds is deleted, the entry, if permanent, will be deleted, and if non-permanent and resolved, will become unresolved.

Follow these steps to configure a static ARP entry:

1) Enter system view: system-view

2) Configure a static ARP entry (required; no static ARP entry is configured by default), either permanent or non-permanent:

- Permanent static ARP entry: arp static ip-address mac-address [ vlan-id interface-type interface-number ] [ vpn-instance-name ]
- Non-permanent static ARP entry: arp static ip-address mac-address [ vpn-instance vpn-instance-name ]

 

Caution:

The vlan-id argument must be the ID of an existing VLAN that corresponds to the ARP entry. In addition, the Ethernet interface following the argument must belong to that VLAN.

 

1.2.2  Configuring the Maximum Number of ARP Entries a VLAN Interface Can Learn

Follow these steps to set the maximum number of dynamic ARP entries that a VLAN interface can learn:

1) Enter system view: system-view

2) Enter VLAN interface view: interface vlan-interface interface-number

3) Set the maximum number of dynamic ARP entries that the interface can learn: arp max-learning-num number (Optional. 4096 by default.)

 

1.2.3  Setting Aging Time for Dynamic ARP Entries

After dynamic ARP entries expire, the system will delete them from the ARP mapping table. You can adjust the aging time for dynamic ARP entries according to the actual network condition.

Follow these steps to set aging time for dynamic ARP entries:

1) Enter system view: system-view

2) Set aging time for dynamic ARP entries: arp timer aging aging-time (Optional. 20 minutes by default.)

 

1.2.4  Enabling the ARP Entry Check

The ARP entry check function prevents the device from learning multicast MAC addresses. With the ARP entry check enabled, the device does not learn any ARP entry whose MAC address is a multicast address, and configuring such a static ARP entry is not allowed; the system displays an error message if you try.

After the ARP entry check is disabled, the device can learn ARP entries with multicast MAC addresses, and you can also configure such static ARP entries on the device.

Follow these steps to enable the ARP entry check:

1) Enter system view: system-view

2) Enable the ARP entry check: arp check enable (Optional. Enabled by default, that is, the device does not learn multicast MAC addresses.)

 

1.2.5  Enabling the Support for ARP Requests from a Natural Network

When learning MAC addresses, if the device finds that the source IP address of an ARP packet and the IP address of the inbound interface are not on the same subnet, it further checks whether the two IP addresses are on the same natural (classful) network.

Suppose that the IP address of Vlan-interface10 is 10.10.10.5/24 and that this interface receives an ARP packet from 10.11.11.1/8. Because the two IP addresses are not on the same subnet, Vlan-interface10 cannot process the packet. With this feature enabled, the device judges on a natural network basis instead: because the IP address of Vlan-interface10 is a Class A address whose default mask length is 8, the two IP addresses are on the same natural network, so Vlan-interface10 can learn the MAC address of the source IP address 10.11.11.1.
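
The natural-network check described above, as an added Python illustration (not H3C code): may_learn first tests the ARP packet's source IP against the interface subnet and, only when naturemask-arp is enabled, falls back to the classful mask derived from the interface address. The function names are assumptions; the sample addresses are the manual's 10.10.10.5/24 and 10.11.11.1.

```python
import ipaddress


def natural_prefix_length(ip: str) -> int:
    """Classful ("natural") mask length taken from the first octet: A = 8, B = 16, C = 24."""
    first = int(ipaddress.ip_address(ip)) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E address %s has no natural network mask" % ip)


def same_natural_network(interface_ip: str, other_ip: str) -> bool:
    """True when other_ip falls inside the natural network of the interface address."""
    prefix = natural_prefix_length(interface_ip)
    natural = ipaddress.ip_network("%s/%d" % (interface_ip, prefix), strict=False)
    return ipaddress.ip_address(other_ip) in natural


def may_learn(interface_cidr: str, arp_source_ip: str, naturemask_arp_enabled: bool) -> bool:
    """Section 1.2.5 decision (assumed model): learn the source MAC when the ARP source IP
    is on the interface subnet, or, only if naturemask-arp is enabled, when it is on the
    same natural network as the interface address."""
    iface = ipaddress.ip_interface(interface_cidr)
    if ipaddress.ip_address(arp_source_ip) in iface.network:
        return True
    return naturemask_arp_enabled and same_natural_network(str(iface.ip), arp_source_ip)


if __name__ == "__main__":
    # The manual's scenario: Vlan-interface10 is 10.10.10.5/24, the ARP packet comes from 10.11.11.1.
    print(may_learn("10.10.10.5/24", "10.11.11.1", False), may_learn("10.10.10.5/24", "10.11.11.1", True))
```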

Follow these steps to enable the support for ARP requests from a natural network:

1) Enter system view: system-view

2) Enable the support for ARP requests from a natural network: naturemask-arp enable (Required. Disabled by default.)

 

1.2.6  ARP Configuration Examples

I. Network requirements

- Disable ARP entry check.
- Set the aging time for dynamic ARP entries to 10 minutes.
- Enable the support for ARP requests from a natural network.
- Set the maximum number of dynamic ARP entries that VLAN-interface 10 can learn to 1,000.
- Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being 00e0-fc01-0000, and the outbound interface being Ethernet1/1/1 of VLAN 10.
- Add a static ARP entry, with the IP address being 192.168.1.1/24, the MAC address being 000F-E201-0070, and the outbound interface being Ethernet 1/1/1 of VLAN 10.

II. Configuration procedure

<Sysname> system-view
[Sysname] undo arp check enable
[Sysname] arp timer aging 10
[Sysname] naturemask-arp enable
[Sysname] vlan 10
[Sysname-vlan10] quit
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] port access vlan 10
[Sysname-Ethernet1/1/1] quit
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] arp max-learning-num 1000
[Sysname-Vlan-interface10] quit
[Sysname] arp static 192.168.1.1 000f-e201-0070 10 ethernet1/1/1

1.3  Configuring Gratuitous ARP

1.3.1  Introduction to Gratuitous ARP

A gratuitous ARP packet is a special ARP packet, in which the source IP address and destination IP address are both the IP address of the sender, the source MAC address is the MAC address of the sender, and the destination MAC address is a broadcast address.

A device can implement the following functions by sending gratuitous ARP packets:

- Determining whether its IP address is already used by another device.
- Informing other devices of its MAC address change so that they can update their ARP entries.

Upon receiving a gratuitous ARP packet, the device does the following:

- If no corresponding ARP entry for the ARP packet is found in the cache, the device adds the information carried in the packet to its own dynamic ARP entry table.
- If the source IP address of the ARP packet is identical to its own IP address, the device returns an ARP reply to inform the sender of an address conflict.

1.3.2  Configuring Gratuitous ARP

Follow these steps to configure gratuitous ARP:

1) Enter system view: system-view

2) Enable the device to send gratuitous ARP packets when receiving ARP requests from another network segment: gratuitous-arp-sending enable (Optional. By default, a device cannot send gratuitous ARP packets when receiving ARP requests from another network segment.)

3) Enable the gratuitous ARP packet learning function: gratuitous-arp-learning enable (Required. Disabled by default.)

 

1.4  Configuring ARP Source Suppression

1.4.1  Introduction to ARP Source Suppression

If hosts on a network attack the device by sending large numbers of IP packets whose destination IP addresses cannot be resolved, the consequences are as follows:

- The device sends large numbers of ARP request messages to the destination subnet, which increases the load on that subnet.
- The device continuously tries to resolve the destination IP addresses, which increases the load on its CPU.

To protect against such attacks, S9500 series switches provide the ARP source suppression function. With the function enabled, whenever the number of packets with unresolvable destination IP addresses received from one host within five seconds exceeds a specified threshold, the device suppresses that host from triggering any ARP requests for the following five seconds.
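
The suppression rule described above, as an added Python model (not the switch's own implementation): each source IP accumulates the packets whose destination could not be resolved over the last five seconds, and crossing the limit (the manual's default of 10) bars that source from triggering ARP requests for the next five seconds. The class and method names are assumptions, and so is the sliding window; the manual does not say whether its five-second intervals are fixed or sliding.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0   # the manual's fixed five-second interval


class ArpSourceSuppression:
    """Per-source-IP model of section 1.4 (added illustration, not the switch code).

    A source that produces more than `limit` packets with unresolvable destination
    IP addresses within five seconds is barred from triggering ARP requests for the
    following five seconds. A sliding five-second window is assumed here.
    """

    def __init__(self, limit: int = 10):          # arp source-suppression limit, default 10
        self.limit = limit
        self.unresolved = defaultdict(deque)      # src_ip -> timestamps of unresolvable packets
        self.suppressed_until = {}                # src_ip -> time at which suppression ends

    def should_resolve(self, src_ip: str, now: float) -> bool:
        """Decide, for an IP packet from `src_ip` whose next hop has no ARP entry,
        whether the device may send an ARP request on its behalf."""
        until = self.suppressed_until.get(src_ip)
        if until is not None:
            if now < until:
                return False                      # still inside the suppression period
            del self.suppressed_until[src_ip]     # suppression expired, start counting again
        window = self.unresolved[src_ip]
        window.append(now)
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                      # drop events older than five seconds
        if len(window) > self.limit:
            self.suppressed_until[src_ip] = now + WINDOW_SECONDS
            window.clear()
            return False                          # threshold exceeded: suppress this source
        return True

    def is_suppressed(self, src_ip: str, now: float) -> bool:
        return now < self.suppressed_until.get(src_ip, float("-inf"))


def simulate(packet_times, limit=10):
    """Constructed input: feed (src_ip, time) packets with unresolvable destinations
    and return, per packet, whether an ARP request would be triggered."""
    suppression = ArpSourceSuppression(limit)
    return [suppression.should_resolve(ip, t) for ip, t in packet_times]


if __name__ == "__main__":
    # Constructed burst: eleven unresolvable packets from one host inside one second.
    print(simulate([("10.0.0.9", i * 0.1) for i in range(11)]))
```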

1.4.2  Configuring ARP Source Suppression

Follow these steps to configure ARP source suppression:

1) Enter system view: system-view

2) Enable ARP source suppression: arp source-suppression enable (Required. Disabled by default.)

3) Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five consecutive seconds: arp source-suppression limit limit-value (Optional. 10 by default.)

 

1.5  Configuring ARP Defense Against IP Packet Attack

1.5.1  Introduction to ARP Defense Against IP Packet Attack

In forwarding an IPv4 packet, a device depends on ARP to resolve the MAC address of the next hop. If the address resolution succeeds, the forwarding chip forwards the packet directly. Otherwise, the device hands the packet to software for further processing. When large numbers of IP packets arrive whose next-hop IP addresses ARP cannot resolve, the software is invoked again and again and the CPU of the device becomes overburdened. This is called an IP packet attack.

To protect a device against IP packet attacks, you can configure the ARP defense against IP packet attack function. After receiving an IP packet whose next-hop IP address is unreachable (that is, ARP cannot resolve the MAC address of the next hop), a device with this function immediately creates a black hole route, and the forwarding chip simply drops all subsequent packets to that address. Note that a black hole route can age out, in which case a subsequent IP packet with the same next hop triggers the above process again. This protects the device against IP packet attacks efficiently and reduces the load on the CPU.

1.5.2  Enabling ARP Defense Against IP Packet Attack

The ARP defense against IP packet attack function works for forwarded packets and those originated by the device.

Follow these steps to configure ARP defense against IP packet attack:

1) Enter system view: system-view

2) Enable ARP defense against IP packet attack: arp resolving-route enable (Optional. Enabled by default.)

 

1.6  Configuring ARP Active Acknowledgement

1.6.1  Introduction

Typically, the ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets.

With this feature enabled, the gateway, upon receiving an ARP packet whose source MAC address differs from that in the corresponding ARP entry, checks whether the ARP entry has been updated within the last minute:

- If yes, the gateway ignores the ARP packet.
- If not, the gateway sends a unicast request to the source MAC address in the ARP entry. Then:
  - If a response is received within five seconds, the ARP packet is ignored.
  - If no response is received, the gateway sends a unicast request to the MAC address of the ARP packet. Then:
    - If a response is received within five seconds, the gateway updates the ARP entry.
    - If not, the ARP entry is not updated.
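
The decision procedure above, as an added Python model (not H3C's implementation): the on-wire unicast probes are replaced by an injected probe(ip, mac) callback that answers True when that MAC would reply within five seconds, so every branch can be exercised offline. The names are assumptions, as is the choice not to refresh the entry's timestamp when the packet's MAC already matches the entry (the manual does not say).

```python
from typing import Callable, Dict, Tuple

RECENT_UPDATE_WINDOW = 60.0   # section 1.6.1: "updated within the last minute"
PROBE_TIMEOUT = 5.0           # section 1.6.1: "a response is received within five seconds"

# probe(ip, mac) -> True when a unicast ARP request sent to `mac` for `ip` is answered
# within PROBE_TIMEOUT. The real gateway sends the request on the wire; here the answer
# is injected so the decision logic can run offline (assumed interface, not H3C's).
Probe = Callable[[str, str], bool]


class ActiveAckGateway:
    def __init__(self, probe: Probe):
        self.probe = probe
        self.table: Dict[str, Tuple[str, float]] = {}   # ip -> (mac, time of last update)

    def learn(self, ip: str, mac: str, now: float) -> None:
        self.table[ip] = (mac, now)

    def on_arp_packet(self, ip: str, packet_mac: str, now: float) -> str:
        """Apply the section 1.6.1 procedure to an ARP packet from `packet_mac` claiming `ip`
        and return which branch was taken."""
        entry = self.table.get(ip)
        if entry is None:
            self.learn(ip, packet_mac, now)            # no existing entry: ordinary learning
            return "learned"
        entry_mac, updated_at = entry
        if packet_mac == entry_mac:
            return "unchanged"                         # same MAC as the entry: nothing to verify
        if now - updated_at < RECENT_UPDATE_WINDOW:
            return "ignored: entry updated within the last minute"
        if self.probe(ip, entry_mac):                  # does the MAC already in the entry still answer?
            return "ignored: existing MAC still answers"
        if self.probe(ip, packet_mac):                 # does the MAC claimed by the packet answer?
            self.learn(ip, packet_mac, now)
            return "updated: new MAC answered"
        return "not updated: neither MAC answered"


if __name__ == "__main__":
    # Constructed scenario: the host at 00e0-fc01-0000 is reachable, the claimant is not.
    gateway = ActiveAckGateway(lambda ip, mac: mac == "00e0-fc01-0000")
    gateway.learn("192.168.1.1", "00e0-fc01-0000", 0.0)
    print(gateway.on_arp_packet("192.168.1.1", "000f-e201-0070", 120.0))
```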

1.6.2  Configuring the ARP Active Acknowledgement Function

Follow these steps to configure ARP active acknowledgement:

1) Enter system view: system-view

2) Enable the ARP active acknowledgement function: arp anti-attack active-ack enable (Required. Disabled by default.)

 

1.7  Configuring ARP Packet Source MAC Address Consistency Check

1.7.1  Introduction

This feature enables the device to filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message.
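
An added Python parser for the Figure 1-1 message layout of section 1.1.2, extended with the checks this chapter describes: the Ethernet source MAC versus ARP sender MAC comparison of this section, the multicast sender MAC rejection of section 1.2.4, and gratuitous ARP recognition from section 1.3.1. It is illustration, not switch code; the frames are constructed inline and all names are assumptions.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


@dataclass
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int          # 1 = ARP request, 2 = ARP reply
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Parse an Ethernet II frame carrying an ARP message laid out as in Figure 1-1."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for an Ethernet header plus ARP message")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame (EtherType 0x%04x)" % ethertype)
    hw_type, proto_type, hw_len, proto_len, opcode = struct.unpack("!HHBBH", frame[14:22])
    # The manual's fixed values: hardware type 1 (Ethernet), protocol type 0x0800 (IP),
    # hardware address length 6, protocol address length 4.
    if (hw_type, proto_type, hw_len, proto_len) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(eth_dst, eth_src, opcode, sha, spa, tha, tpa)


def is_multicast_mac(mac: bytes) -> bool:
    # The I/G bit (least significant bit of the first octet) marks a group address.
    return bool(mac[0] & 0x01)


def is_gratuitous(arp: ArpFrame) -> bool:
    # Section 1.3.1: sender and target IP are both the sender's own IP, sent to the broadcast MAC.
    return arp.sender_ip == arp.target_ip and arp.eth_dst == BROADCAST_MAC


def arp_learning_problems(arp: ArpFrame) -> list:
    """Reasons the switch would refuse to learn an entry from this packet (empty = acceptable)."""
    problems = []
    if arp.opcode not in (1, 2):
        problems.append("unknown operation code %d" % arp.opcode)
    # Section 1.7: the Ethernet source MAC must equal the ARP sender hardware address.
    if arp.eth_src != arp.sender_mac:
        problems.append("Ethernet source MAC differs from ARP sender MAC (valid-check)")
    # Section 1.2.4: with the ARP entry check enabled, a multicast sender MAC is never learned.
    if is_multicast_mac(arp.sender_mac):
        problems.append("sender MAC is a multicast address (arp check)")
    return problems


def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, opcode=1,
                    eth_dst=BROADCAST_MAC, target_mac=ZERO_MAC):
    """Constructed test input: assemble an Ethernet/ARP frame (not captured traffic)."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    header = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                       sender_mac, ip(sender_ip), target_mac, ip(target_ip))
    return header + body


if __name__ == "__main__":
    mac = bytes.fromhex("000fe2010070")   # constructed, in the style of the manual's examples
    mismatched = build_arp_frame(mac, bytes.fromhex("00e0fc010000"), "192.168.1.1", "192.168.1.2")
    print(arp_learning_problems(parse_arp_frame(mismatched)))
```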

1.7.2  Configuring ARP Packet Source MAC Address Consistency Check

Follow these steps to enable ARP packet source MAC address consistency check:

1) Enter system view: system-view

2) Enable ARP packet source MAC address consistency check: arp anti-attack valid-check enable (Required. Disabled by default.)

 

1.8  Displaying and Maintaining ARP

- Display the ARP entries in the ARP mapping table: display arp { { all | dynamic | static } [ slot slot-id ] | vlan vlan-id | interface interface-type interface-number } [ [ verbose ] [ | { begin | exclude | include } text ] | count ] (available in any view)
- Display the ARP entries for a specified IP address: display arp ip-address [ slot slot-id ] [ verbose ] [ | { begin | exclude | include } text ] (available in any view)
- Display the ARP entries for a specified VPN instance: display arp vpn-instance vpn-instance-name [ | { begin | exclude | include } text | count ] (available in any view)
- Display the aging time for dynamic ARP entries: display arp timer aging (available in any view)
- Display the configuration information of ARP source suppression: display arp source-suppression (available in any view)
- Clear ARP entries from the ARP mapping table: reset arp { all | dynamic | static | slot slot-id | interface interface-type interface-number } (available in user view)

 


Chapter 2  Proxy ARP Configuration

When configuring proxy ARP, go to these sections for information you are interested in:

- Proxy ARP Overview
- Enabling Proxy ARP
- Displaying and Maintaining Proxy ARP
- Proxy ARP Configuration Example

2.1  Proxy ARP Overview

If a host sends an ARP request for the MAC address of another host that resides in another subnet or is isolated from the sending host at Layer 2, the device in between must be able to respond to the request to allow Layer 3 communication between the two hosts (in this case, the sending host considers the requested host to be on the same subnet). This is achieved by proxy ARP.

Proxy ARP involves proxy ARP and local proxy ARP.

In any of the following cases, you need to enable local proxy ARP:

- Devices connected to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3.
- With the super VLAN function enabled, devices in different sub VLANs need to communicate at Layer 3.
- With the isolate-user-vlan function enabled, devices in different secondary VLANs need to communicate at Layer 3.

2.2  Enabling Proxy ARP

Follow these steps to enable proxy ARP or local proxy ARP:

1) Enter system view: system-view

2) Enter VLAN interface view: interface vlan-interface interface-number (Required.)

3) Enable proxy ARP or local proxy ARP, as required (both are disabled by default):

- Enable proxy ARP: proxy-arp enable
- Enable local proxy ARP: local-proxy-arp enable

 

2.3  Displaying and Maintaining Proxy ARP

- Display whether proxy ARP is enabled: display proxy-arp [ interface interface-type interface-number ] (available in any view)
- Display whether local proxy ARP is enabled: display local-proxy-arp [ interface interface-type interface-number ] (available in any view)

 

2.4  Proxy ARP Configuration Example

I. Network requirements

Host A and Host D have IP addresses of the same network segment. Host A belongs to VLAN 1, and Host D belongs to VLAN 2. Configure proxy ARP on the device to enable the communication between the two hosts.

II. Network diagram

Figure 2-1 Network diagram for proxy ARP

III. Configuration procedure

# Configure proxy ARP on the device to enable communication between Host A and Host D.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 1
[Sysname-vlan1] vlan 2
[Sysname-vlan2] quit
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.10.99 255.255.255.0
[Sysname-Vlan-interface1] proxy-arp enable
[Sysname-Vlan-interface1] quit
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] ip address 192.168.20.99 255.255.255.0
[Sysname-Vlan-interface2] proxy-arp enable
[Sysname-Vlan-interface2] quit

 

Note:

For the local proxy ARP configuration example, refer to the Super VLAN Configuration Example in VLAN Configuration of the Access Volume.

 
