Table of Contents
Chapter 1 ARP Configuration Commands
1.1 ARP Configuration Commands
1.1.9 display arp vpn-instance
1.2 Gratuitous ARP Configuration Commands
1.2.1 gratuitous-arp-learning enable
1.2.2 gratuitous-arp-sending enable
1.3 ARP Source Suppression Configuration Commands
1.3.1 arp source-suppression enable
1.3.2 arp source-suppression limit
1.3.3 display arp source-suppression
1.4 ARP Defense Against IP Packet Attack Configuration Commands
1.4.1 arp resolving-route enable
1.5 ARP Active Acknowledgement Configuration Commands
1.5.1 arp anti-attack active-ack enable
1.6 ARP Packet Source MAC Address Consistency Check Configuration Commands
1.6.1 arp anti-attack valid-check enable
Chapter 2 Proxy ARP Configuration Commands
2.1 Proxy ARP Configuration Commands
Chapter 1 ARP Configuration Commands
1.1 ARP Configuration Commands
1.1.1 arp check enable
Syntax
arp check enable
undo arp check enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the arp check enable command to enable ARP entry check. With this function enabled, the device cannot learn any ARP entry with a multicast MAC address, and an attempt to configure such a static ARP entry is rejected with an error message.
Use the undo arp check enable command to disable the function. After the ARP entry check is disabled, the device can learn multicast ARP entries, and you can also configure such static ARP entries on the device.
By default, ARP entry check is enabled.
Examples
# Enable ARP entry check.
<Sysname> system-view
[Sysname] arp check enable
1.1.2 arp max-learning-num
Syntax
arp max-learning-num number
undo arp max-learning-num
View
VLAN interface view
Default Level
2: System level
Parameters
number: Maximum number of dynamic ARP entries that the interface can learn. The default is 4096.
Description
Use the arp max-learning-num command to set the maximum number of dynamic ARP entries that the interface can learn.
Use the undo arp max-learning-num command to restore the default.
Examples
# Specify VLAN interface 40 to learn up to 500 dynamic ARP entries.
<Sysname> system-view
[Sysname] interface vlan-interface 40
[Sysname-Vlan-interface40] arp max-learning-num 500
1.1.3 arp static
Syntax
arp static ip-address mac-address [ vlan-id interface-type interface-number ] [ vpn-instance vpn-instance-name ]
undo arp ip-address [ vpn-instance vpn-instance-name ]
View
System view
Default Level
2: System level
Parameters
ip-address: IP address of the static ARP entry.
mac-address: MAC address of the static ARP entry, in the format H-H-H.
vlan-id: ID of the VLAN to which the static ARP entry belongs.
interface-type interface-number: Interface type and interface number.
vpn-instance vpn-instance-name: Name of a VPN instance, a case-sensitive string of 1 to 31 characters.
Description
Use the arp static command to configure a static ARP entry in the ARP mapping table.
Use the undo arp command to remove an ARP entry.
ARP entries fall into two categories: dynamic and static.
1) A dynamic entry is automatically created and maintained by ARP. It can get aged, be updated by a new ARP packet, or be overwritten by a static ARP entry. When the aging timer expires or the interface goes down, the corresponding dynamic ARP entry will be removed.
2) A static ARP entry is manually configured and maintained. It can be permanent or non-permanent.
• A permanent static ARP entry can be directly used to forward packets; it cannot be aged out or overwritten by a dynamic ARP entry. When configuring a permanent static ARP entry, you must configure a VLAN and outbound interface for the entry in addition to the IP address and MAC address.
• A non-permanent static ARP entry cannot be directly used for forwarding packets. When configuring a non-permanent static ARP entry, you only need to configure the IP address and MAC address. When forwarding IP packets, the device sends an ARP request. If the source IP and MAC addresses in the received ARP reply are the same as the configured IP and MAC addresses, the entry can be used for forwarding IP packets.
By default, the ARP entry table is empty and ARP dynamically obtains IP-to-MAC mappings. Manual configuration is needed only in special cases. ARP entries are used for address resolution within the same LAN; WANs use other methods, such as reverse address resolution in FR.
Note that:
• A static ARP entry is effective when the device works normally. However, when the VLAN or VLAN interface to which an ARP entry corresponds is deleted, the entry, if permanent, will be deleted, and if non-permanent and resolved, will become unresolved.
• The vlan-id argument is used to specify the corresponding VLAN of an ARP entry and must be the ID of an existing VLAN. In addition, the VLAN interface of the VLAN must have been created.
• S9500 series switches support both permanent and non-permanent static ARP entry configuration.
Related commands: reset arp, display arp, and debugging arp.
Examples
# Configure a static ARP entry, with the IP address being 202.38.10.2, the MAC address being 000f-e201-0000, and the outbound interface being Ethernet 1/1/1 of VLAN 10.
<Sysname> system-view
[Sysname] arp static 202.38.10.2 000f-e201-0000 10 ethernet 1/1/1
1.1.4 arp timer aging
Syntax
arp timer aging aging-time
undo arp timer aging
View
System view
Default Level
2: System level
Parameters
aging-time: Aging time for dynamic ARP entries in minutes.
Description
Use the arp timer aging command to set aging time for dynamic ARP entries.
Use the undo arp timer aging command to restore the default.
The default aging time is 20 minutes.
Related commands: display arp timer aging.
Examples
# Set aging time for dynamic ARP entries to 10 minutes.
<Sysname> system-view
[Sysname] arp timer aging 10
1.1.5 debugging arp
Syntax
debugging arp { packet | status }
undo debugging arp { packet | status }
View
User view
Default Level
1: Monitor level
Parameters
packet: ARP packet debugging.
status: ARP status debugging.
Description
Use the debugging arp command to enable specified ARP debugging.
Use the undo debugging arp command to disable specified ARP debugging.
No ARP debugging is enabled by default.
Related commands: arp static, display arp.
Examples
# Enable ARP packet debugging.
<Sysname> debugging arp packet
*Dec 29 14:56:23:132 2006 Sysname ARP/7/arp_send:Slot=3; Send an ARP Packet, operation : 1, sender_eth_addr :
000f-e200-3500,sender_ip_addr : 10.110.91.159, target_eth_addr : 0000-0000-0000, target_ip_addr : 10.110.91.193
*Dec 29 14:56:22:876 2006 Sysname ARP/7/arp_rcv:Slot=3; Receive an ARP Packet, operation : 2, sender_eth_addr :
0050-ba22-6fd7, sender_ip_addr : 10.110.91.193, target_eth_addr : 000f-e200-3500, target_ip_addr : 10.110.91.159
Table 1-1 Description on the fields of the debugging arp packet command
Field | Description
---|---
operation | ARP operation code: 1 for ARP request, 2 for ARP response
sender_eth_addr | Source Ethernet address
sender_ip_addr | Source IP address
target_eth_addr | Destination Ethernet address, all zeros for a request
target_ip_addr | Destination IP address
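The debugging output above wraps each record onto a second line, which makes it awkward to grep. The following added parser (not part of the manual) re-joins the wrapped records, extracts the Table 1-1 fields, and flags replies received for IP addresses that this device never requested. The first two records are the ones shown above; the third is constructed to exercise the check.

```python
import re

# Constructed sample: the two records from the manual's example plus one
# constructed reply (10.110.91.1) for which no request was sent.
SAMPLE_LOG = """\
*Dec 29 14:56:23:132 2006 Sysname ARP/7/arp_send:Slot=3; Send an ARP Packet, operation : 1, sender_eth_addr :
000f-e200-3500,sender_ip_addr : 10.110.91.159, target_eth_addr : 0000-0000-0000, target_ip_addr : 10.110.91.193
*Dec 29 14:56:22:876 2006 Sysname ARP/7/arp_rcv:Slot=3; Receive an ARP Packet, operation : 2, sender_eth_addr :
0050-ba22-6fd7, sender_ip_addr : 10.110.91.193, target_eth_addr : 000f-e200-3500, target_ip_addr : 10.110.91.159
*Dec 29 14:56:25:010 2006 Sysname ARP/7/arp_rcv:Slot=3; Receive an ARP Packet, operation : 2, sender_eth_addr :
0000-5e00-5301, sender_ip_addr : 10.110.91.1, target_eth_addr : 000f-e200-3500, target_ip_addr : 10.110.91.159
"""

# One record = timestamp, sysname, ARP/7/<event>:Slot=<n>; text, then the
# field list described in Table 1-1. Spacing after commas varies, hence ", ?".
RECORD = re.compile(
    r"\*(?P<time>\w{3} \d{1,2} [\d:]+ \d{4}) (?P<host>\S+) ARP/7/(?P<event>arp_send|arp_rcv):"
    r"Slot=(?P<slot>\d+); .*?operation : (?P<op>\d+), sender_eth_addr : ?(?P<smac>[0-9a-f-]+)"
    r", ?sender_ip_addr : (?P<sip>[\d.]+), target_eth_addr : (?P<tmac>[0-9a-f-]+)"
    r", target_ip_addr : (?P<tip>[\d.]+)")

OP_NAMES = {1: "request", 2: "reply"}   # operation codes per Table 1-1


def join_wrapped(text):
    """Re-join records that the console wrapped onto a continuation line."""
    records = []
    for line in text.splitlines():
        if line.startswith("*"):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_debug_arp(text):
    """Return one dict per debugging record, with op/slot as ints."""
    parsed = []
    for rec in join_wrapped(text):
        m = RECORD.match(rec)
        if not m:
            continue            # unrelated debugging output
        d = m.groupdict()
        d["op"] = int(d["op"])
        d["slot"] = int(d["slot"])
        d["op_name"] = OP_NAMES.get(d["op"], "unknown")
        parsed.append(d)
    return parsed


def unsolicited_replies(records):
    """Replies (arp_rcv, operation 2) whose sender IP this device never sent a
    request for, judged in the order the records appear. A burst of these is
    worth a closer look with display arp."""
    requested, flagged = set(), []
    for r in records:
        if r["event"] == "arp_send" and r["op"] == 1:
            requested.add(r["tip"])
        elif r["event"] == "arp_rcv" and r["op"] == 2 and r["sip"] not in requested:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    for r in unsolicited_replies(parse_debug_arp(SAMPLE_LOG)):
        print(f"{r['time']} slot {r['slot']}: unsolicited reply {r['sip']} is-at {r['smac']}")
```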
1.1.6 display arp
Syntax
display arp { { all | dynamic | static } [ slot slot-id ] | vlan vlan-id | interface interface-type interface-number } [ [ verbose ] [ | { begin | exclude | include } text ] | count ]
View
Any view
Default Level
1: Monitor level
Parameters
all: Displays all ARP entries.
dynamic: Displays dynamic ARP entries.
static: Displays static ARP entries.
slot slot-id: Displays the ARP entries of the specified slot.
vlan vlan-id: Displays the ARP entries of the specified VLAN. The VLAN ID ranges from 1 to 4,094.
interface interface-type interface-number: Displays the ARP entries of the specified interface.
verbose: Displays detailed information about ARP entries.
|: Uses a regular expression to specify the ARP entries to be displayed.
begin: Displays ARP entries from the first one containing the specified string.
exclude: Displays the ARP entries that do not contain the specified string.
include: Displays the ARP entries containing the specified string.
text: A string for matching.
count: Displays the number of ARP entries.
Description
Use the display arp command to display ARP entries in the ARP mapping table. Using the display arp all command displays all ARP entries.
Related commands: arp static, reset arp, and debugging arp.
Examples
# Display the detailed information of all ARP entries.
<Sysname> display arp all verbose
Type: S-Static D-Dynamic
IP Address MAC Address VLAN ID Interface Aging Type
Vpn-instance Name
20.1.1.1 000f-e200-0001 N/A N/A N/A S
test
193.1.1.70 00e0-fe50-6503 100 GE1/1/1 DIS D
[No Vrf]
192.168.0.115 000d-88f7-9f7d 1 GE1/1/4 DIS D
[No Vrf]
192.168.0.39 0012-a990-2241 1 GE1/1/4 DIS D
[No Vrf]
Table 1-2 Description on the fields of the display arp command
Field | Description
---|---
IP Address | IP address in an ARP entry
MAC Address | MAC address in an ARP entry
VLAN ID | VLAN ID contained in a static ARP entry
Interface | Outbound interface in an ARP entry
Aging | Aging time for a dynamic ARP entry in minutes
DIS | Indicates that the ARP entry was not learned by the board
Type | ARP entry type: D stands for dynamic, S for static, and A for authorized
Vpn-instance Name | Name of the VPN instance. [No Vrf] means no VPN instance is configured for the corresponding ARP entry
# Display the number of all ARP entries
<Sysname> display arp all count
Total entry(ies): 4
1.1.7 display arp ip-address
Syntax
display arp ip-address [ slot slot-id ] [ verbose ] [ | { begin | exclude | include } text ]
View
Any view
Default Level
1: Monitor level
Parameters
ip-address: Displays the ARP entry for the specified IP address.
slot slot-id: Displays the ARP entry for the specified slot.
verbose: Displays the detailed information about ARP entries.
|: Uses a regular expression to specify the ARP entries to be displayed.
begin: Displays the ARP entries from the first one containing the specified string.
exclude: Displays the ARP entries that do not contain the specified string.
include: Displays the ARP entries that contain the specified string.
text: A character string.
Description
Use the display arp ip-address command to display the ARP entry for a specified IP address.
Related commands: arp static, and reset arp.
Examples
# Display the corresponding ARP entry for the IP address 20.1.1.1.
<Sysname> display arp 20.1.1.1
Type: S-Static D-Dynamic
IP Address MAC Address VLAN ID Interface Aging Type
20.1.1.1 000f-e201-0001 22 GE4/2/4 N/A S
Table 1-3 Description on the fields of the display arp ip-address command
Field | Description
---|---
IP Address | IP address of the ARP entry
MAC Address | MAC address of the ARP entry
VLAN ID | VLAN ID of the ARP entry
Interface | Interface of the ARP entry
Aging | Remaining aging time for a dynamic ARP entry, in minutes
Type | ARP entry type: D for dynamic, S for static
1.1.8 display arp timer aging
Syntax
display arp timer aging
View
Any view
Default Level
2: System level
Parameters
None
Description
Use the display arp timer aging command to display the aging time for dynamic ARP entries.
Related commands: arp timer aging.
Examples
# Display the aging time for dynamic ARP entries.
<Sysname> display arp timer aging
Current ARP aging time is 20 minute(s)(default)
1.1.9 display arp vpn-instance
Syntax
display arp vpn-instance vpn-instance-name [ | { begin | exclude | include } text | count ]
View
Any view
Default Level
1: Monitor level
Parameters
vpn-instance-name: Name of VPN instance, a case-insensitive string of 1 to 31 characters.
|: Uses a regular expression to specify the ARP entries to be displayed.
begin: Displays the ARP entries from the first one that contains the specified string.
exclude: Displays the ARP entries that do not contain the specified string.
include: Displays the ARP entries that contain the specified string.
text: A character string.
count: Displays the number of ARP entries.
Description
Use the display arp vpn-instance command to display the ARP entries for a specified VPN instance.
Related commands: arp static and reset arp.
Examples
# Display ARP entries for the VPN instance named test.
<Sysname> display arp vpn-instance test
Type: S-Static D-Dynamic
IP Address MAC Address VLAN ID Interface Aging Type
Vpn-instance Name
20.1.1.1 000f-e200-0001 N/A N/A N/A S
test
Table 1-4 Description on the fields of the display arp vpn-instance command
Field | Description
---|---
IP Address | IP address of the ARP entry
MAC Address | MAC address of the ARP entry
VLAN ID | VLAN ID of the ARP entry
Interface | Interface of the ARP entry
Aging | Remaining aging time for a dynamic ARP entry, in minutes
Type | ARP entry type: D for dynamic, S for static
Vpn-instance Name | VPN instance name
1.1.10 naturemask-arp enable
Syntax
naturemask-arp enable
undo naturemask-arp enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the naturemask-arp enable command to cancel the restriction that ARP requests must be from the same subnet. In this case, ARP requests from a natural network are supported.
Use the undo naturemask-arp enable command to restore the default.
By default, the support for ARP requests from a natural network is disabled.
Examples
# Enable the support for ARP requests from a natural network.
<Sysname> system-view
[Sysname] naturemask-arp enable
1.1.11 reset arp
Syntax
reset arp { all | dynamic | static | slot slot-id | interface interface-type interface-number }
View
User view
Default Level
2: System level
Parameters
all: Clears all ARP entries.
dynamic: Clears all dynamic ARP entries.
static: Clears all static ARP entries.
slot slot-id: Clears the ARP entries for the specified slot.
interface interface-type interface-number: Clears the ARP entries for the specified interface.
Description
Use the reset arp command to clear ARP entries from the ARP mapping table.
Note that:
With interface interface-type interface-number or slot slot-id specified, the command clears only dynamic entries of the interface or the slot.
Related commands: arp static and display arp.
Examples
# Clear all static ARP entries.
<Sysname> reset arp static
1.2 Gratuitous ARP Configuration Commands
1.2.1 gratuitous-arp-learning enable
Syntax
gratuitous-arp-learning enable
undo gratuitous-arp-learning enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function.
Use the undo gratuitous-arp-learning enable command to disable the function.
By default, the function is disabled.
Examples
# Enable the gratuitous ARP packet learning function.
<Sysname> system-view
[Sysname] gratuitous-arp-learning enable
1.2.2 gratuitous-arp-sending enable
Syntax
gratuitous-arp-sending enable
undo gratuitous-arp-sending enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the gratuitous-arp-sending enable command to enable a device to send gratuitous ARP packets when receiving ARP requests from another network segment.
Use the undo gratuitous-arp-sending enable command to restore the default.
By default, an S9500 series switch cannot send gratuitous ARP packets when receiving ARP requests from another network segment.
Related commands: gratuitous-arp-learning enable.
Examples
# Enable a device to send gratuitous ARP packets when receiving ARP requests from another network segment.
<Sysname> system-view
[Sysname] gratuitous-arp-sending enable
1.3 ARP Source Suppression Configuration Commands
1.3.1 arp source-suppression enable
Syntax
arp source-suppression enable
undo arp source-suppression enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the arp source-suppression enable command to enable the ARP source address suppression function.
Use the undo arp source-suppression enable command to disable the function.
By default, the ARP source address suppression function is disabled.
With the function enabled, whenever the number of packets with unresolvable destination IP addresses that a host sends to the device within five seconds exceeds the specified threshold, the device drops all subsequent packets with the same source IP address for the following five seconds. This helps protect the device against such attacks.
Related commands: display arp source-suppression.
Examples
# Enable the ARP source suppression function.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] arp source-suppression enable
1.3.2 arp source-suppression limit
Syntax
arp source-suppression limit limit-value
undo arp source-suppression limit
View
System view
Default Level
2: System level
Parameters
limit-value: Maximum number of packets with the same source IP address but unresolvable destination IP addresses that a port can receive in five seconds. It ranges from 2 to 1024.
Description
Use the arp source-suppression limit command to set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that a port can receive in five seconds.
Use the undo arp source-suppression limit command to restore the default value, which is 10.
With this feature configured, whenever the number of packets with unresolvable destination IP addresses from a host within five seconds exceeds the specified threshold, the device suppresses the sending host from triggering any ARP requests within the following five seconds.
Related commands: display arp source-suppression.
Examples
# Set the maximum number of packets with the same source address but unresolvable destination IP addresses that the device can receive in five seconds to 100.
<Sysname> system-view
[Sysname] arp source-suppression limit 100
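The following added model (not the switch's implementation) simulates the behaviour described for arp source-suppression enable and arp source-suppression limit: per source IP, packets whose destination cannot be resolved are counted over five seconds, and once the count exceeds limit-value every packet from that source is dropped for the next five seconds. The manual does not say how the five-second counting window is aligned; the model assumes it starts at the source's first unresolvable packet. The traffic trace is constructed.

```python
from collections import defaultdict

WINDOW = 5.0   # counting window and suppression period, in seconds (per the manual)


class ArpSourceSuppression:
    """Model of ARP source suppression. Assumption not stated in the manual:
    the counting window is fixed and starts at a source's first unresolvable
    packet. Added illustration, not the switch's code."""

    def __init__(self, limit=10):                 # 10 is the documented default
        if not 2 <= limit <= 1024:                # documented range of limit-value
            raise ValueError("limit-value must be in 2..1024")
        self.limit = limit
        self.window_start = {}                    # src ip -> start of counting window
        self.count = defaultdict(int)             # src ip -> unresolvable packets in window
        self.suppressed_until = {}                # src ip -> end of the drop period

    def packet(self, ts, src_ip, dst_resolvable):
        """Outcome for one packet: 'forwarded', 'arp-request' (destination not
        resolved, the device will try to resolve it) or 'dropped'."""
        until = self.suppressed_until.get(src_ip)
        if until is not None and ts < until:
            return "dropped"                      # source is being suppressed
        if dst_resolvable:
            return "forwarded"
        start = self.window_start.get(src_ip)
        if start is None or ts - start >= WINDOW:
            self.window_start[src_ip] = ts        # open a new counting window
            self.count[src_ip] = 0
        self.count[src_ip] += 1
        if self.count[src_ip] > self.limit:       # threshold exceeded
            self.suppressed_until[src_ip] = ts + WINDOW
            del self.window_start[src_ip]
            self.count[src_ip] = 0
            return "dropped"
        return "arp-request"


def run_trace(limit=10):
    """Constructed trace: host A sends 12 packets to unresolvable addresses
    within 1.1 s, host B sends one, then A sends a resolvable packet after the
    suppression period has ended. Returns (timestamp, source, outcome) tuples."""
    sup = ArpSourceSuppression(limit)
    events = [(i / 10, "10.1.1.20", False) for i in range(12)]   # A, t = 0.0 .. 1.1
    events.append((0.5, "10.1.1.30", False))                     # B, counted separately
    events.append((6.5, "10.1.1.20", True))                      # A, after 1.0 + 5.0 s
    events.sort()
    return [(ts, ip, sup.packet(ts, ip, ok)) for ts, ip, ok in events]


if __name__ == "__main__":
    for ts, ip, outcome in run_trace():
        print(f"t={ts:4.1f} {ip:10} {outcome}")
```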
1.3.3 display arp source-suppression
Syntax
display arp source-suppression
View
Any view
Default Level
2: System level
Parameters
None
Description
Use the display arp source-suppression command to display information about the current ARP source suppression configuration.
Examples
# Display information about the current ARP source suppression configuration.
<Sysname> display arp source-suppression
ARP source suppression is enabled
Current suppression limit: 10
Current cache length: 16
Table 1-5 Description on fields of display arp source-suppression
Field |
Description |
ARP source suppression is enabled |
The ARP source suppression function is enabled |
Current suppression limit |
Maximum number of packets with the same source IP address but unresolvable IP addresses that the device can receive in five seconds |
Current cache length |
Size of cache used to record source suppression information |
1.4 ARP Defense Against IP Packet Attack Configuration Commands
1.4.1 arp resolving-route enable
Syntax
arp resolving-route enable
undo arp resolving-route enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the arp resolving-route enable command to enable ARP defense against IP packet attacks.
Use the undo arp resolving-route enable command to disable the function.
By default, this function is enabled.
With this function enabled, when the switch receives an IP packet whose next-hop MAC address ARP cannot resolve, the hardware forwarding chip simply drops all packets to that destination for the next 25 seconds. This protects the device against IP packet attacks efficiently and reduces the CPU load.
Examples
# Enable ARP defense against IP packet attacks.
<Sysname> system-view
[Sysname] arp resolving-route enable
1.5 ARP Active Acknowledgement Configuration Commands
1.5.1 arp anti-attack active-ack enable
Syntax
arp anti-attack active-ack enable
undo arp anti-attack active-ack enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the arp anti-attack active-ack enable command to enable the ARP active acknowledgement function.
Use the undo arp anti-attack active-ack enable command to restore the default.
By default, the ARP active acknowledgement function is disabled.
Typically, this feature is configured on gateway devices to identify invalid ARP packets.
With this feature enabled, the gateway, upon receiving an ARP packet whose source MAC address differs from that in the corresponding ARP entry, checks whether the ARP entry has been updated within the last minute:
• If yes, the gateway ignores the ARP packet.
• If not, the gateway sends a unicast request to the source MAC address in the ARP entry. Then:
  • If a response is received within five seconds, the ARP packet is ignored.
  • If no response is received, the gateway sends a unicast request to the source MAC address in the ARP packet. Then:
    • If a response is received within five seconds, the gateway updates the ARP entry.
    • If not, the ARP entry is not updated.
Examples
# Enable the ARP active acknowledgement function.
<Sysname> system-view
[Sysname] arp anti-attack active-ack enable
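The decision procedure above, written out as an added model (not the switch's code): probe(ip, mac) stands in for the unicast ARP request and returns True if that MAC answered within five seconds. The manual only describes the conflicting-MAC case; the model assumes a packet that agrees with the existing entry, or for which no entry exists, is processed normally. The scenarios are constructed.

```python
from dataclasses import dataclass


@dataclass
class ArpEntry:
    ip: str
    mac: str
    updated_at: float       # time of the last update, in seconds


class ActiveAckGateway:
    """Model of the 'arp anti-attack active-ack' decision for an ARP packet
    whose sender MAC differs from the entry for the same IP."""
    RECENT = 60.0           # "updated within the last minute"

    def __init__(self, probe):
        self.probe = probe  # probe(ip, mac) -> True if mac answers a unicast request
        self.table = {}

    def receive(self, now, sender_ip, sender_mac):
        entry = self.table.get(sender_ip)
        if entry is None or entry.mac == sender_mac:
            # Assumption: no conflict, so the entry is created or refreshed normally.
            self.table[sender_ip] = ArpEntry(sender_ip, sender_mac, now)
            return "updated"
        if now - entry.updated_at < self.RECENT:
            return "ignored: entry updated within the last minute"
        if self.probe(sender_ip, entry.mac):          # unicast request to the entry's MAC
            return "ignored: MAC in the existing entry still answers"
        if self.probe(sender_ip, sender_mac):         # unicast request to the packet's MAC
            self.table[sender_ip] = ArpEntry(sender_ip, sender_mac, now)
            return "updated"
        return "not updated: neither MAC answered"


def run_scenarios():
    """Constructed scenarios. `alive` holds the (ip, mac) pairs that would
    answer a unicast request; it is changed between steps to model a host that
    is really replaced versus one whose address a second station merely claims."""
    alive = {("10.0.0.5", "000f-e200-0001")}
    gw = ActiveAckGateway(lambda ip, mac: (ip, mac) in alive)
    results = []
    results.append(gw.receive(0.0, "10.0.0.5", "000f-e200-0001"))    # entry learned
    results.append(gw.receive(30.0, "10.0.0.5", "0050-ba22-6fd7"))   # conflict, entry is fresh
    results.append(gw.receive(120.0, "10.0.0.5", "0050-ba22-6fd7"))  # old MAC still answers
    alive = {("10.0.0.5", "0050-ba22-6fd7")}                         # host really replaced
    results.append(gw.receive(200.0, "10.0.0.5", "0050-ba22-6fd7"))
    alive = set()                                                    # nobody answers
    results.append(gw.receive(300.0, "10.0.0.5", "000f-e200-0001"))
    return results, gw.table["10.0.0.5"].mac


if __name__ == "__main__":
    outcomes, final_mac = run_scenarios()
    print("\n".join(outcomes), "\nfinal entry MAC:", final_mac)
```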
1.6 ARP Packet Source MAC Address Consistency Check Configuration Commands
1.6.1 arp anti-attack valid-check enable
Syntax
arp anti-attack valid-check enable
undo arp anti-attack valid-check enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the arp anti-attack valid-check enable command to enable ARP packet source MAC address consistency check on the gateway. After you execute this command, the gateway device can filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message.
Use the undo arp anti-attack valid-check enable command to disable ARP packet source MAC address consistency check.
By default, ARP packet source MAC address consistency check is disabled.
Examples
# Enable ARP packet source MAC address consistency check.
<Sysname> system-view
[Sysname] arp anti-attack valid-check enable
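The consistency check that valid-check performs, as an added example (not the switch's code): parse an Ethernet II frame carrying ARP and compare the Ethernet source MAC with the sender hardware address inside the ARP message. build_arp_frame is a helper that sets the two addresses independently so a mismatching frame can be constructed; both sample frames are constructed.

```python
import struct

ETH = struct.Struct("!6s6sH")            # Ethernet II: dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # RFC 826 ARP, Ethernet/IPv4 (hlen 6, plen 4)
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    """'000f-e201-0000' (the H-H-H form used on the switch) -> 6 raw bytes."""
    return bytes.fromhex(mac.replace("-", ""))


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, op=1,
                    target_mac="0000-0000-0000", eth_dst=BROADCAST):
    """Constructed frame; eth_src and sender_mac are set separately on purpose."""
    return (ETH.pack(eth_dst, mac_bytes(eth_src), ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip)))


def parse_arp_frame(frame: bytes) -> dict:
    if len(frame) < ETH.size + ARP.size:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{etype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {"eth_src": mac_str(src), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": ".".join(map(str, spa)),
            "target_mac": mac_str(tha), "target_ip": ".".join(map(str, tpa))}


def source_mac_consistent(frame: bytes) -> bool:
    """The check itself: Ethernet source MAC must equal the ARP sender MAC."""
    p = parse_arp_frame(frame)
    return p["eth_src"] == p["sender_mac"]


def filter_frames(frames):
    """Split frames into (accepted, dropped) as the gateway would with the check on."""
    accepted, dropped = [], []
    for f in frames:
        (accepted if source_mac_consistent(f) else dropped).append(parse_arp_frame(f))
    return accepted, dropped


# Constructed sample traffic: a well-formed request, and a reply whose ARP
# sender MAC does not match the Ethernet source MAC it arrived with.
SAMPLE_FRAMES = [
    build_arp_frame("000f-e200-3500", "000f-e200-3500", "10.110.91.159", "10.110.91.193"),
    build_arp_frame("0050-ba22-6fd7", "000f-e201-0000", "10.110.91.1", "10.110.91.159",
                    op=2, target_mac="000f-e200-3500", eth_dst=mac_bytes("000f-e200-3500")),
]

if __name__ == "__main__":
    ok, bad = filter_frames(SAMPLE_FRAMES)
    print(f"accepted {len(ok)}, dropped {len(bad)}")
```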
Chapter 2 Proxy ARP Configuration Commands
2.1 Proxy ARP Configuration Commands
2.1.1 display local-proxy-arp
Syntax
display local-proxy-arp [ interface interface-type interface-number ]
View
Any view
Default Level
2: System level
Parameters
interface interface-type interface-number: Displays the local proxy ARP status of the specified interface.
Description
Use the display local-proxy-arp command to display the status of the local proxy ARP.
Related commands: local-proxy-arp enable.
Examples
# Display the status of the local proxy ARP on VLAN-interface 2.
<Sysname> display local-proxy-arp interface vlan-interface 2
Interface Vlan-interface2
Local Proxy ARP status: enabled
2.1.2 display proxy-arp
Syntax
display proxy-arp [ interface interface-type interface-number ]
View
Any view
Default Level
2: System level
Parameters
interface interface-type interface-number: Displays the proxy ARP status of the specified interface.
Description
Use the display proxy-arp command to display the proxy ARP status.
Related commands: proxy-arp enable.
Examples
# Display the proxy ARP status on VLAN-interface 22.
<Sysname> display proxy-arp interface Vlan-interface22
Interface Vlan-interface22
Proxy ARP status: enabled
2.1.3 local-proxy-arp enable
Syntax
local-proxy-arp enable
undo local-proxy-arp enable
View
VLAN interface view
Default Level
2: System level
Parameters
None
Description
Use the local-proxy-arp enable command to enable local proxy ARP.
Use the undo local-proxy-arp enable command to disable local proxy ARP.
By default, local proxy ARP is disabled.
Related commands: display local-proxy-arp.
Examples
# Enable local proxy ARP on VLAN-interface 2.
<Sysname> system-view
[Sysname] interface Vlan-interface 2
[Sysname-Vlan-interface2] local-proxy-arp enable
2.1.4 proxy-arp enable
Syntax
proxy-arp enable
undo proxy-arp enable
View
VLAN interface view
Default Level
2: System level
Parameters
None
Description
Use the proxy-arp enable command to enable proxy ARP.
Use the undo proxy-arp enable command to disable proxy ARP.
By default, proxy ARP is disabled.
With proxy ARP enabled, the device can implement Layer 3 communication between two hosts that have IP addresses in the same subnet but connect to different VLAN interfaces.
Related commands: display proxy-arp.
Examples
# Enable proxy ARP on VLAN-interface 2.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] proxy-arp enable