H3C S3600 Series Ethernet Switches Command Manual-Release 1702(V1.01)

23-ARP Command

Table of Contents

1 ARP Configuration Commands
  ARP Configuration Commands
    arp check enable
    arp send-gratuitous enable vrrp
    arp static
    arp timer aging
    display arp
    display arp |
    display arp count
    display arp timer aging
    gratuitous-arp period-resending enable
    gratuitous-arp-learning enable
    reset arp

2 ARP Attack Defense Configuration Commands
  ARP Attack Defense Configuration Commands
    arp anti-attack valid-check enable
    arp detection enable
    arp detection trust
    arp filter source
    arp filter binding
    arp max-learning-num
    arp protective-down recover enable
    arp protective-down recover interval
    arp rate-limit
    arp rate-limit enable
    arp restricted-forwarding enable
    display arp detection statistics interface
    ip source static import dot1x

3 Proxy ARP Configuration Commands
  Proxy ARP Configuration Commands
    arp proxy enable
    display arp proxy
    local-proxy-arp enable

4 Resilient ARP Configuration Commands
  Resilient ARP Configuration Commands
    display resilient-arp
    resilient-arp enable
    resilient-arp interface vlan-interface

5 MFF Configuration Commands
  MFF Configuration Commands
    arp mac-forced-forwarding
    arp mac-forced-forwarding network-port
    arp mac-forced-forwarding server
    arp mac-forced-forwarding user-port
    display arp mac-forced-forwarding interface
    display arp mac-forced-forwarding vlan

 


 

- Support for ARP attack defense is added. For specific commands, refer to ARP Attack Defense Configuration Commands.

- Support for local ARP proxy is added. For specific commands, refer to local-proxy-arp enable.

- Support for MAC-forced forwarding is added. For details, refer to MFF Configuration Commands.

 

ARP Configuration Commands

arp check enable

Syntax

arp check enable

undo arp check enable

View

System view

Parameters

None

Description

Use the arp check enable command to enable the ARP entry checking function on a switch.

Use the undo arp check enable command to disable the ARP entry checking function.

With the ARP entry checking function enabled, the switch does not learn any ARP entry with a multicast MAC address. Configuring such a static ARP entry is not allowed either; if you attempt it, the system displays an error message.

After the ARP entry checking function is disabled, the switch can learn the ARP entry with a multicast MAC address, and you can also configure such a static ARP entry on the switch.

By default, the ARP entry checking function is enabled.

Examples

# Disable the ARP entry checking function.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] undo arp check enable

arp send-gratuitous enable vrrp

Syntax

arp send-gratuitous enable vrrp

undo arp send-gratuitous enable vrrp

View

System view

Parameters

None

Description

Use the arp send-gratuitous enable vrrp command to enable the master switch of a VRRP backup group to send gratuitous ARP packets periodically. Upon receiving the gratuitous ARP packets, hosts on the network update their respective ARP tables. This can prevent other devices on the network from using the same IP address as the VRRP backup group.

Use the undo arp send-gratuitous enable vrrp command to disable this function.

By default, this function is enabled.

Examples

# Enable the master switch of the VRRP backup group to send gratuitous ARP packets periodically.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] arp send-gratuitous enable vrrp

arp static

Syntax

arp static ip-address mac-address [ vlan-id interface-type interface-number ]

arp static ip-address mac-address vlan-id (in Ethernet port view)

undo arp ip-address

View

System view, Ethernet port view

Parameters

ip-address: IP address contained in the ARP mapping entry to be created/removed.

mac-address: MAC address contained in the ARP mapping entry to be created, in the format of H-H-H.

vlan-id: ID of the VLAN to which the static ARP entry belongs, in the range of 1 to 4,094.

interface-type: Type of the port to which the static ARP entry belongs.

interface-number: Number of the port to which the static ARP entry belongs.

Description

Use the arp static command to create a static ARP entry.

Use the undo arp command to remove an ARP entry.

By default, the system ARP mapping table is empty and the address mapping entries are obtained by ARP dynamically.

Note that:

- Static ARP entries are valid as long as the Ethernet switch operates normally. However, some operations, such as removing a VLAN or removing a port from a VLAN, make the corresponding ARP entries invalid, and those entries are then removed automatically.

- For the arp static command, the value of the vlan-id argument must be the ID of an existing VLAN, and the port identified by the interface-type and interface-number arguments must belong to that VLAN.

- Currently, static ARP entries cannot be configured on the ports of an aggregation group.

Related commands: reset arp, display arp.

Examples

# Create a static ARP mapping entry, with the IP address of 202.38.10.2, the MAC address of 000f-e20f-0000. The ARP mapping entry belongs to Ethernet 1/0/1 which belongs to VLAN 1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] arp static 202.38.10.2 000f-e20f-0000 1 Ethernet 1/0/1

arp timer aging

Syntax

arp timer aging aging-time

undo arp timer aging

View

System view

Parameters

aging-time: Aging time (in minutes) of the dynamic ARP entries. This argument ranges from 1 to 1,440.

Description

Use the arp timer aging command to configure the aging time for dynamic ARP entries.

Use the undo arp timer aging command to restore the default.

By default, the aging time for dynamic ARP entries is 20 minutes.

Related commands: display arp timer aging.

Examples

# Configure the aging time to be 10 minutes for dynamic ARP entries.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] arp timer aging 10

display arp

Syntax

display arp [ dynamic | static | ip-address ]

View

Any view

Parameters

dynamic: Displays dynamic ARP entries.

static: Displays static ARP entries.

ip-address: IP address. ARP entries containing the IP address are to be displayed.

Description

Use the display arp command to display specific ARP entries.

If you execute this command with no keyword/argument specified, all the ARP entries are displayed.

Related commands: arp static, reset arp.

Examples

# Display all the ARP entries.

<Sysname> display arp

            Type: S-Static   D-Dynamic

IP Address       MAC Address     VLAN ID  Port Name / AL ID      Aging Type

10.2.72.162      000a-000a-0aaa  N/A      N/A                    N/A   S

192.168.0.77     0000-e8f5-6a4a  1        Ethernet1/0/2          13    D

192.168.0.2      000d-88f8-4e88  1        Ethernet1/0/2          14    D

192.168.0.200    0014-222c-9d6a  1        Ethernet1/0/2          14    D

192.168.0.45     000d-88f6-44c1  1        Ethernet1/0/2          15    D

192.168.0.110    0011-4301-991e  1        Ethernet1/0/2          15    D

192.168.0.32     0000-e8f5-73ee  1        Ethernet1/0/2          16    D

192.168.0.3      0014-222c-aa69  1        Ethernet1/0/2          16    D

192.168.0.17     000d-88f6-379c  1        Ethernet1/0/2          17    D

192.168.0.115    000d-88f7-9f7d  1        Ethernet1/0/2          18    D

192.168.0.43     000c-760a-172d  1        Ethernet1/0/2          18    D

192.168.0.33     000d-88f6-44ba  1        Ethernet1/0/2          20    D

192.168.0.35     000f-e20f-2181  1        Ethernet1/0/2          20    D

192.168.0.5      000f-3d80-2b38  1        Ethernet1/0/2          20    D

 

---   14 entries found   ---

Table 1-1 Description on the fields of the display arp command

Field                 Description

IP Address            IP address contained in an ARP entry

MAC Address           MAC address contained in an ARP entry

VLAN ID               ID of the VLAN which an ARP entry corresponds to

Port Name / AL ID     Port which an ARP entry corresponds to

Aging                 Aging time (in minutes) of an ARP entry. N/A is displayed for static ARP entries.

Type                  Type of an ARP entry: D for dynamic, and S for static.
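
The following is an added example, not part of the manual: a Python parser for the display arp output layout shown above, used to review a saved capture. It checks the parsed rows against the "entries found" footer, lists entries whose MAC address is multicast (the kind of entry arp check enable refuses to learn), and groups dynamic entries that share one MAC address. The sample capture and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# One data row of "display arp": IP, MAC (H-H-H), VLAN ID, port, aging, type.
ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+"
    r"(?P<vlan>\d+|N/A)\s+(?P<port>\S+)\s+"
    r"(?P<aging>\d+|N/A)\s+(?P<type>[SD])\s*$"
)
FOOTER = re.compile(r"---\s+(\d+)\s+entr(?:y|ies) found\s+---")

# Constructed sample in the manual's output layout (not real device output).
SAMPLE = """\
            Type: S-Static   D-Dynamic
IP Address       MAC Address     VLAN ID  Port Name / AL ID      Aging Type
10.2.72.162      000a-000a-0aaa  N/A      N/A                    N/A   S
192.168.0.77     0000-e8f5-6a4a  1        Ethernet1/0/2          13    D
192.168.0.1      0000-e8f5-6a4a  1        Ethernet1/0/2          14    D
192.168.0.9      0100-5e00-0009  1        Ethernet1/0/3          15    D

---   4 entries found   ---
"""


def parse_display_arp(text):
    """Return (rows, declared_count); declared_count is None without a footer."""
    rows, declared = [], None
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            rows.append(row.groupdict())
            continue
        footer = FOOTER.search(line)
        if footer:
            declared = int(footer.group(1))
    return rows, declared


def is_multicast(mac):
    """A MAC address is multicast when the low bit of its first octet is set."""
    return int(mac[:2], 16) & 1 == 1


def review(text):
    """Summarise one capture for a reviewer."""
    rows, declared = parse_display_arp(text)
    ips_by_mac = defaultdict(set)
    for r in rows:
        if r["type"] == "D":
            ips_by_mac[r["mac"].lower()].add(r["ip"])
    return {
        "parsed": len(rows),
        # True when the footer count and the parsed rows disagree
        "count_mismatch": declared is not None and declared != len(rows),
        "multicast": [r["ip"] for r in rows if is_multicast(r["mac"])],
        # one MAC answering for several IPs: expected for proxy ARP, otherwise worth a look
        "shared_mac": {m: sorted(i) for m, i in ips_by_mac.items() if len(i) > 1},
        "static": [r["ip"] for r in rows if r["type"] == "S"],
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(key, value)
```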

 

display arp |

Syntax

display arp [ dynamic | static] | { begin | exclude | include } regular-expression

View

Any view

Parameters

dynamic: Displays dynamic ARP entries.

static: Displays static ARP entries.

|: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Configuration File Management Command in this manual.

begin: Displays the first ARP entry containing the specified string and all subsequent ARP entries.

exclude: Displays the ARP entries that do not contain the specified string.

include: Displays the ARP entries containing the specified string.

regular-expression: A case-sensitive character string.

Description

Use the display arp | command to display the ARP entries that match the specified string, filtered in the specified way (begin, exclude, or include).

Related commands: arp static, reset arp.

Examples

# Display all the ARP entries that contain the string 77.

<Sysname> display arp | include 77

            Type: S-Static   D-Dynamic

IP Address       MAC Address     VLAN ID  Port Name / AL ID      Aging Type

192.168.0.77     0000-e8f5-6a4a  1        Ethernet1/0/2          12    D

 

---   1 entry found   ---

# Display all the ARP entries that do not contain the string 68.

<Sysname> display arp | exclude 68

            Type: S-Static   D-Dynamic

IP Address       MAC Address     VLAN ID  Port Name / AL ID      Aging Type

10.2.72.162      000a-000a-0aaa  N/A      N/A                    N/A   S

 

---   1 entry found   ---

Refer to Table 1-1 for the description on the above output information.

display arp count

Syntax

display arp count [ [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] | ip-address ]

View

Any view

Parameters

dynamic: Counts the dynamic ARP entries.

static: Counts the static ARP entries.

|: Uses a regular expression as the match criterion. For detailed information about regular expressions, refer to Configuration File Management Command in this manual.

begin: Displays the number of ARP entries counted from the first one containing the specified string.

exclude: Displays the number of ARP entries that do not contain the specified string.

include: Displays the number of ARP entries containing the specified string.

regular-expression: A case-sensitive character string.

ip-address: IP address. The ARP entries containing the IP address are to be displayed.

Description

Use the display arp count command to display the number of the specified ARP entries. If no parameter is specified, the total number of ARP entries is displayed.

Related commands: arp static, reset arp.

Examples

# Display the total number of ARP entries.

<Sysname> display arp count

 14 entries found

display arp timer aging

Syntax

display arp timer aging

View

Any view

Parameters

None

Description

Use the display arp timer aging command to display the setting of the ARP aging time.

Related commands: arp timer aging.

Examples

# Display the setting of the ARP aging time.

<Sysname> display arp timer aging

 Current ARP aging time is 20 minute(s)(default)

The displayed information shows that the ARP aging time is set to 20 minutes.

gratuitous-arp period-resending enable

Syntax

gratuitous-arp period-resending enable

undo gratuitous-arp period-resending enable

View

VLAN interface view

Parameters

None

Description

Use the gratuitous-arp period-resending enable command to enable the VLAN interface to send gratuitous ARP packets periodically.

Use the undo gratuitous-arp period-resending enable command to disable this function.

By default, this function is enabled, and gratuitous ARP packets are sent at an interval of 30 seconds.

After you enable a VLAN interface to send gratuitous ARP packets periodically, hosts on the network update the ARP entry corresponding to the VLAN interface’s IP address in time, which prevents the entry from being aged out. However, this function generates a large number of ARP packets on the network; you can disable the VLAN interface from sending gratuitous ARP packets if receiving hosts can update a dynamic ARP entry when half of the entry’s aging time expires.

Examples

# Disable VLAN-interface 1 on the switch from periodically sending gratuitous ARP packets.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Vlan-interface 1

[Sysname-Vlan-interface1] undo gratuitous-arp period-resending enable

gratuitous-arp-learning enable

Syntax

gratuitous-arp-learning enable

undo gratuitous-arp-learning enable

View

System view

Parameters

None

Description

Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function. Then, a switch receiving a gratuitous ARP packet can add the IP and MAC addresses carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the ARP packet in the cache.

Use the undo gratuitous-arp-learning enable command to disable the gratuitous ARP packet learning function.

By default, the gratuitous ARP packet learning function is enabled.

Examples

# Enable the gratuitous ARP packet learning function on a switch.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] gratuitous-arp-learning enable

reset arp

Syntax

reset arp [ dynamic | static | interface interface-type interface-number ]

View

User view

Parameters

dynamic: Clears dynamic ARP entries.

static: Clears static ARP entries.

interface interface-type interface-number: Clears ARP entries of the specified port.

Description

Use the reset arp command to clear specific ARP entries.

Related commands: arp static, display arp.

Examples

# Clear static ARP entries.

<Sysname> reset arp static

 


ARP Attack Defense Configuration Commands

arp anti-attack valid-check enable

Syntax

arp anti-attack valid-check enable

undo arp anti-attack valid-check enable

View

System view

Parameters

None

Description

Use the arp anti-attack valid-check enable command to enable ARP source MAC address consistency check.

Use the undo arp anti-attack valid-check enable command to disable this function.

By default, ARP source MAC address consistency check is disabled.

Examples

# Enable ARP source MAC address consistency check.

<Sysname> system-view

[Sysname] arp anti-attack valid-check enable

arp detection enable

Syntax

arp detection enable

undo arp detection enable

View

VLAN view

Parameters

None

Description

Use the arp detection enable command to enable the ARP attack detection function on all ports in the specified VLAN. When receiving an ARP packet from a port in this VLAN, the switch will check the source IP address, source MAC address, number of the receiving port, and the VLAN of the port. If the mapping of the source IP address and source MAC address is not included in the DHCP snooping entries or IP static binding entries, or the number of the receiving port and the VLAN of the port do not match the DHCP snooping entries or IP static binding entries, the ARP packet will be discarded.

Use the undo arp detection enable command to disable the ARP attack detection function on all ports in the specified VLAN.

By default, ARP attack detection is disabled on the switch.

Examples

# Enable ARP attack detection on all ports in VLAN 1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] vlan 1

[Sysname-vlan1] arp detection enable

arp detection trust

Syntax

arp detection trust

undo arp detection trust

View

Ethernet port view

Parameters

None

Description

Use the arp detection trust command to specify the current port as a trusted port, that is, ARP packets received on this port are regarded as legal ARP packets and will not be checked.

Use the undo arp detection trust command to specify the current port as an untrusted port in ARP detection.

By default, a port is an untrusted port in ARP detection.

Examples

# Specify Ethernet 1/0/11 as the trusted port in ARP detection.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/11

[Sysname-Ethernet1/0/11] arp detection trust
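
The following is an added example, not part of the manual and not the switch's implementation: a Python model of the decision described under arp detection enable and arp detection trust. It assumes a flat list of binding entries (standing in for DHCP snooping and IP static binding entries) and constructed packets; the class and function names are hypothetical, and the per-port counter mirrors the INVALID ARP PACKETS field of display arp detection statistics interface.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping or IP static binding entry."""
    ip: str
    mac: str
    port: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    in_port: str
    vlan: int


def norm_mac(mac):
    """Reduce H-H-H (or colon/dash) notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class ArpDetection:
    """Model of 'arp detection enable' (per VLAN) and 'arp detection trust' (per port)."""

    def __init__(self, bindings, detection_vlans, trusted_ports):
        self.bindings = list(bindings)
        self.detection_vlans = set(detection_vlans)
        self.trusted_ports = set(trusted_ports)
        self.invalid = {}  # port -> number of discarded packets

    def check(self, pkt):
        """Return (verdict, reason) for one received ARP packet."""
        if pkt.vlan not in self.detection_vlans:
            return ("forward", "detection disabled in VLAN")
        if pkt.in_port in self.trusted_ports:
            return ("forward", "trusted port, not checked")
        # Step 1: is the source IP/MAC mapping present in the binding entries?
        same_host = [b for b in self.bindings
                     if b.ip == pkt.sender_ip
                     and norm_mac(b.mac) == norm_mac(pkt.sender_mac)]
        if not same_host:
            return self._discard(pkt, "no binding for sender IP/MAC pair")
        # Step 2: do the receiving port and its VLAN match that entry?
        if not any(b.port == pkt.in_port and b.vlan == pkt.vlan for b in same_host):
            return self._discard(pkt, "port/VLAN does not match binding")
        return ("forward", "matches binding")

    def _discard(self, pkt, reason):
        self.invalid[pkt.in_port] = self.invalid.get(pkt.in_port, 0) + 1
        return ("discard", reason)


def demo():
    """Run constructed packets through the model; return verdicts and counters."""
    det = ArpDetection(
        bindings=[Binding("192.168.0.77", "0000-e8f5-6a4a", "Ethernet1/0/2", 1)],
        detection_vlans=[1],
        trusted_ports=["Ethernet1/0/11"],
    )
    packets = [
        # bound host on its own port
        ArpPacket("192.168.0.77", "00:00:e8:f5:6a:4a", "Ethernet1/0/2", 1),
        # sender IP is the gateway's, sender MAC is the host's: pair is not bound
        ArpPacket("192.168.0.1", "0000-e8f5-6a4a", "Ethernet1/0/2", 1),
        # bound IP/MAC pair received on a different port
        ArpPacket("192.168.0.77", "0000-e8f5-6a4a", "Ethernet1/0/3", 1),
        # gateway ARP received on the trusted uplink
        ArpPacket("192.168.0.1", "000d-88f8-528c", "Ethernet1/0/11", 1),
        # VLAN 2 has no 'arp detection enable'
        ArpPacket("10.0.0.9", "000f-e20f-0000", "Ethernet1/0/2", 2),
    ]
    return [det.check(p) for p in packets], det.invalid


if __name__ == "__main__":
    verdicts, counters = demo()
    for verdict in verdicts:
        print(verdict)
    print(counters)
```

The fourth packet shows why the uplink toward the gateway is normally the trusted port: the gateway has no DHCP snooping entry on the access switch, so without trust its ARP packets would fail the first check.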

arp filter source

Syntax

arp filter source ip-address

undo arp filter source

View

Ethernet port view

Parameters

ip-address: IP address of the gateway.

Description

Use the arp filter source command to configure ARP packet filtering based on the gateway’s IP address on the current port working as the downstream port connected to a host. After that, ARP packets from the host with the gateway’s IP address as the sender IP address are considered invalid and discarded.

Use the undo arp filter source command to remove the configuration.

By default, ARP packet filtering based on the gateway’s IP address is disabled.

Note that:

- This command should be configured on a port directly connected to hosts.

- If you execute this command repeatedly, the last configured command takes effect.

Examples

# Configure ARP packet filtering based on the gateway’s IP address 192.168.0.1/24 on Ethernet 1/0/1.

<Sysname> system-view

[Sysname] interface ethernet1/0/1

[Sysname-Ethernet1/0/1] arp filter source 192.168.0.1

arp filter binding

Syntax

arp filter binding ip-address mac-address

undo arp filter binding

View

Ethernet port view

Parameters

ip-address: IP address of the gateway.

mac-address: MAC address of the gateway.

Description

Use the arp filter binding command to configure ARP packet filtering based on the gateway’s IP and MAC addresses on the current port. After that, the port will discard ARP packets with the gateway’s IP address as the sender IP address but with the sender MAC address different from that of the gateway.

Use the undo arp filter binding command to remove the configuration.

By default, ARP packet filtering based on the gateway’s IP and MAC addresses is disabled.

Note that:

- This command should be configured on a cascaded port or upstream port of an access switch.

- If you execute this command repeatedly, the last configured command takes effect.

Examples

# Configure ARP packet filtering based on the gateway’s IP address 192.168.100.1/24 and MAC address 000d-88f8-528c on Ethernet 1/0/2.

<Sysname> system-view

[Sysname] interface ethernet1/0/2

[Sysname-Ethernet1/0/2] arp filter binding 192.168.100.1 000d-88f8-528c

arp max-learning-num

Syntax

arp max-learning-num number

undo arp max-learning-num

View

VLAN interface view

Parameters

number: Maximum number of dynamic ARP entries that can be learned by the interface. The effective range of an S3600-EI switch is 1 to 4,031. The effective range of an S3600-SI switch is 1 to 2,048.

Description

Use the arp max-learning-num command to configure the maximum number of dynamic ARP entries that can be learned by the current VLAN interface.

Use the undo arp max-learning-num command to remove the configuration.

By default, the maximum number of dynamic ARP entries that can be learned by a VLAN interface is 4,031 for an S3600-EI switch, and 2,048 for an S3600-SI switch.

If you execute this command repeatedly, the last configured command takes effect.

Examples

# Configure the maximum number of dynamic ARP entries that can be learned by VLAN-interface 40 as 500.

<Sysname> system-view

[Sysname] interface vlan-interface 40

[Sysname-Vlan-interface40] arp max-learning-num 500

arp protective-down recover enable

Syntax

arp protective-down recover enable

undo arp protective-down recover enable

View

System view

Parameters

None

Description

Use the arp protective-down recover enable command to enable the port state auto-recovery function on the switch.

Use the undo arp protective-down recover enable command to disable the port state auto-recovery function of a switch.

With this function enabled, the switch can automatically bring up a port that has been shut down due to an excessive ARP packet receiving rate after a specified period.

By default, the port state auto-recovery function is disabled.

Examples

# Enable the port state auto-recovery function of the switch.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] arp protective-down recover enable

arp protective-down recover interval

Syntax

arp protective-down recover interval interval

undo arp protective-down recover interval

View

System view

Parameters

interval: Recovery time (in seconds) of a port which is shut down due to an excessive ARP packet receiving rate. The effective range is 10 to 86,400.

Description

Use the arp protective-down recover interval command to specify a recovery interval. After the interval, a port that has been shut down due to an excessive ARP packet receiving rate will be brought up.

Use the undo arp protective-down recover interval command to restore the default.

By default, when the port state auto-recovery function is enabled, the recovery interval is 300 seconds.

Note that:

- You need to enable the port state auto-recovery feature before you can configure the auto-recovery interval.

- If you use the arp protective-down recover interval command to modify the recovery time when the current port has already been shut down due to an excessive ARP packet receiving rate, the previously configured interval applies to the first port state recovery. Starting from the next state recovery, the new recovery interval takes effect.

Examples

# Set the auto-recovery interval to 30 seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] arp protective-down recover enable

[Sysname] arp protective-down recover interval 30

arp rate-limit

Syntax

arp rate-limit rate

undo arp rate-limit

View

Ethernet port view

Parameters

rate: Maximum ARP packet receiving rate on the port, in the range of 10 to 1,024 pps.

Description

Use the arp rate-limit command to specify the maximum ARP packet receiving rate on the port. Packets exceeding the specified rate are discarded.

Use the undo arp rate-limit command to restore the default.

By default, after a port is enabled with the ARP packet rate limit function, the maximum ARP packet receiving rate on the port is 15 pps.

Note that:

You must enable the ARP packet rate limit function before you can specify the maximum ARP packet receiving rate on the port by using the arp rate-limit command.

Examples

# Set the maximum ARP packet receiving rate on Ethernet 1/0/11 to 100 pps.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface ethernet 1/0/11

[Sysname-Ethernet1/0/11] arp rate-limit enable

[Sysname-Ethernet1/0/11] arp rate-limit 100

arp rate-limit enable

Syntax

arp rate-limit enable

undo arp rate-limit enable

View

Ethernet port view

Parameters

None

Description

Use the arp rate-limit enable command to enable the ARP packet rate limit function on the port, that is, to limit the rate of ARP packets passing through the port. ARP packets exceeding the specified rate (15 pps by default) are discarded.

Use the undo arp rate-limit enable command to disable the ARP packet rate limit function on the port.

By default, the ARP packet rate limit function is disabled, that is, ARP packet rate is not limited on a port.

Examples

# Enable the ARP packet rate limit function on Ethernet 1/0/11.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/11

[Sysname-Ethernet1/0/11] arp rate-limit enable

arp restricted-forwarding enable

Syntax

arp restricted-forwarding enable

undo arp restricted-forwarding enable

View

VLAN view

Parameters

None

Description

Use the arp restricted-forwarding enable command to enable ARP restricted forwarding. With it enabled, legal ARP requests received from untrusted ports of the specified VLAN are forwarded through the configured trusted ports only. Legal ARP responses received from untrusted ports are forwarded according to the MAC addresses in the packets, or through trusted ports if the MAC address table contains no such destination MAC addresses.

Use the undo arp restricted-forwarding enable command to disable ARP restricted forwarding.

By default, ARP restricted forwarding is disabled.

Related commands: arp detection enable, arp detection trust

Examples

# Enable ARP restricted forwarding in VLAN 1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] vlan 1

[Sysname-vlan1] arp restricted-forwarding enable

display arp detection statistics interface

Syntax

display arp detection statistics interface interface-type interface-number

View

Any view

Parameters

interface-type interface-number: Type and number of a port.

Description

Use the display arp detection statistics interface command to display the ARP attack detection state, the ARP trusted port state, and the number of discarded invalid ARP packets (those that failed to pass ARP attack detection) on the specified port.

If ARP attack detection is disabled, the statistics of ARP trusted port state and discarded invalid ARP packets will not be displayed.

Examples

# Display ARP detection statistics on Ethernet 1/0/10.

<Sysname> display arp detection statistics interface ethernet1/0/10

 ARP DETECTION : ENABLE

 ARP PORT TRUST : DISABLE

 INVALID ARP PACKETS  : 31

Table 2-1 Description on the fields of the display arp detection statistics interface command

Field                   Description

ARP DETECTION           ARP attack detection state: enabled/disabled

ARP PORT TRUST          ARP trusted port state: enabled/disabled

INVALID ARP PACKETS     Number of discarded invalid ARP packets (those failed to pass ARP attack detection)

 

ip source static import dot1x

Syntax

ip source static import dot1x

undo ip source static import dot1x

View

System view

Parameters

None

Description

Use the ip source static import dot1x command to enable ARP attack detection based on IP-to-MAC mappings of authenticated 802.1x clients. With this function enabled, the switch records mappings between IP addresses (both static and dynamic IP addresses) and MAC addresses of authenticated 802.1x clients and uses the mappings for ARP attack detection after IP-to-MAC static bindings and DHCP snooping entries are checked.

Use the undo ip source static import dot1x command to disable the function.

By default, this function is disabled.

Note that this command should be used in cooperation with the arp detection enable command.

Examples

# Enable the switch to record IP-to-MAC bindings of authenticated 802.1x clients.

<Sysname> system-view

[Sysname] ip source static import dot1x
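
The following is an added example, not part of the manual: a Python check for a planned configuration snippet against the prerequisites and value ranges this chapter states for arp protective-down recover interval, arp rate-limit and ip source static import dot1x. The configuration layout (sections separated by `#`, section headers at column 0, commands indented) is an assumption about how the snippet is written; the sample text, rule names and function names are constructed for illustration.

```python
import re

RATE = re.compile(r"^arp rate-limit (\d+)$")
INTERVAL = re.compile(r"^arp protective-down recover interval (\d+)$")

# Constructed sample: a change request that breaks several stated prerequisites.
SAMPLE_CONFIG = """\
#
 arp protective-down recover interval 5
 ip source static import dot1x
#
vlan 1
 arp restricted-forwarding enable
#
interface Ethernet1/0/1
 arp rate-limit 2000
#
interface Ethernet1/0/11
 arp rate-limit enable
 arp rate-limit 100
 arp detection trust
#
"""


def parse_config(text):
    """Return {context: [commands]}; context is 'system', 'vlan 1', 'interface ...'."""
    sections = {"system": []}
    ctx = "system"
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.strip() == "#":          # separator: back to system view
            ctx = "system"
        elif not raw[0].isspace():      # column 0: a new view such as 'vlan 1'
            ctx = raw.strip()
            sections.setdefault(ctx, [])
        else:                           # indented: a command in the current view
            sections[ctx].append(raw.strip())
    return sections


def lint(sections):
    """Return a list of (context, rule) findings, in configuration order."""
    findings = []
    system = sections["system"]
    for cmd in system:
        m = INTERVAL.match(cmd)
        if m:
            # the auto-recovery function must be enabled before the interval is set
            if "arp protective-down recover enable" not in system:
                findings.append(("system", "interval-needs-recover-enable"))
            if not 10 <= int(m.group(1)) <= 86400:   # seconds
                findings.append(("system", "interval-out-of-range"))
    detection_on = any(ctx.startswith("vlan ") and "arp detection enable" in cmds
                       for ctx, cmds in sections.items())
    # the dot1x import is meant to be used together with arp detection enable
    if "ip source static import dot1x" in system and not detection_on:
        findings.append(("system", "dot1x-import-needs-arp-detection"))
    for ctx, cmds in sections.items():
        if not ctx.lower().startswith("interface ethernet"):
            continue
        for cmd in cmds:
            m = RATE.match(cmd)
            if m:
                # the rate limit function must be enabled before a rate is set
                if "arp rate-limit enable" not in cmds:
                    findings.append((ctx, "rate-needs-rate-limit-enable"))
                if not 10 <= int(m.group(1)) <= 1024:   # pps
                    findings.append((ctx, "rate-out-of-range"))
    return findings


if __name__ == "__main__":
    for context, rule in lint(parse_config(SAMPLE_CONFIG)):
        print(f"{context}: {rule}")
```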


Proxy ARP Configuration Commands

arp proxy enable

Syntax

arp proxy enable

undo arp proxy enable

View

VLAN interface view

Parameters

None

Description

Use the arp proxy enable command to enable common proxy ARP on the VLAN interface.

Use the undo arp proxy enable command to disable common proxy ARP on the VLAN interface.

By default, common proxy ARP is disabled on the VLAN interfaces of a switch.

Related commands: display arp proxy.

Examples

# Enable common proxy ARP on VLAN-interface 2.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Vlan-interface 2

[Sysname-Vlan-interface2] arp proxy enable

display arp proxy

Syntax

display arp proxy [ interface Vlan-interface vlan-id ]

View

Any view

Parameters

interface vlan-interface vlan-id: Displays the common and local proxy ARP state on a VLAN interface.

Description

Use the display arp proxy command to display common and local proxy ARP state: enabled/disabled.

If interface vlan-interface vlan-id is specified, common and local proxy ARP configuration of the specified VLAN interface is displayed; otherwise, common and local proxy ARP configuration of all the VLAN interfaces is displayed.

Related commands: arp proxy enable.

Examples

# Display the common and local proxy ARP status on all VLAN interfaces.

<Sysname> display arp proxy

Interface Vlan-interface1

 Proxy ARP status: disabled

 Local Proxy ARP status: disabled

 Local Proxy ARP StartIPAddr: 0.0.0.0

 Local Proxy ARP EndIPAddr: 0.0.0.0

 

Interface Vlan-interface2

 Proxy ARP status: enabled

 Local Proxy ARP status: disabled

 Local Proxy ARP StartIPAddr: 0.0.0.0

 Local Proxy ARP EndIPAddr: 0.0.0.0

# Display the common and local proxy ARP status on VLAN-interface 2.

<Sysname> display arp proxy interface Vlan-interface 2

Interface Vlan-interface2

 Proxy ARP status: enabled

 Local Proxy ARP status: disabled

 Local Proxy ARP StartIPAddr: 0.0.0.0

 Local Proxy ARP EndIPAddr: 0.0.0.0

Table 3-1 Description on the fields of the display arp proxy command

Field                           Description

Interface                       VLAN interface name

Proxy ARP status                Common proxy ARP status: enabled/disabled

Local proxy ARP status          Local proxy ARP status: enabled/disabled

Local Proxy ARP StartIPAddr     The start IP address of local proxy ARP

Local Proxy ARP EndIPAddr       The end IP address of local proxy ARP

 

local-proxy-arp enable

Syntax

local-proxy-arp enable [ ip-range startIP to endIP ]

undo local-proxy-arp enable

View

VLAN interface view

Parameters

ip-range startIP to endIP: Specifies the IP address range for which local proxy ARP is enabled. The start IP address must be lower than or equal to the end IP address.

Description

Use the local-proxy-arp enable command to enable local proxy ARP on the VLAN interface.

Use the undo local-proxy-arp enable command to disable local proxy ARP on the VLAN interface.

By default, local proxy ARP is disabled on the VLAN interfaces of a switch.

Examples

# Enable local proxy ARP on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] local-proxy-arp enable

# Enable local proxy ARP on VLAN-interface 2 for a specific IP address range.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] local-proxy-arp enable ip-range 1.1.1.1 to 1.1.1.20

 


 

The contents of this chapter are only applicable to the S3600-EI series among S3600 Series Ethernet Switches.

 

Resilient ARP Configuration Commands

display resilient-arp

Syntax

display resilient-arp [ unit unit-id ]

View

Any view

Parameters

unit unit-id: Unit ID ranging from 1 to 8. If a switch belongs to a fabric, resilient ARP information on specific devices in the fabric can be displayed. The unit-id argument specifies the number of a device about which the resilient ARP information is to be displayed.

Description

Use the display resilient-arp command to display the Resilient ARP state information of each unit and the VLAN interface that can transmit Resilient ARP packets.

If the unit-id argument is not specified, this command displays the Resilient ARP state information of all units. If the unit-id argument is specified, this command displays the Resilient ARP state information of the specified unit.

Examples

# Display the information about the Resilient ARP state of unit 1.

<Sysname> display resilient-arp unit 1

The state of unit 1 is: L3Master

The sending interface(s):

    Vlan-interface1

    Vlan-interface2

The above output information means that the current Resilient ARP state of unit 1 is L3Master, and VLAN interfaces through which the Resilient ARP packets are sent are VLAN-interface 1 and VLAN-interface 2.

resilient-arp enable

Syntax

resilient-arp enable

undo resilient-arp enable

View

System view

Parameters

None

Description

Use the resilient-arp enable command to enable the Resilient ARP function. The switch will adopt different methods based on the actual status. If the main link in the fabric breaks, the switch sends resilient ARP packets through the VLAN interface on the backup link to determine whether it should act as a Layer 3 or Layer 2 device.

Use the undo resilient-arp enable command to disable the Resilient ARP function.

By default, the Resilient ARP function is enabled.

Related commands: display resilient-arp.

Examples

# Enable the Resilient ARP function.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] resilient-arp enable

resilient-arp interface vlan-interface

Syntax

resilient-arp interface Vlan-interface vlan-id

undo resilient-arp interface Vlan-interface vlan-id

View

System view

Parameters

vlan-id: VLAN interface ID.

Description

Use the resilient-arp interface Vlan-interface command to enable the VLAN interface to send Resilient ARP packets.

Use the undo resilient-arp interface Vlan-interface command to disable the VLAN interface from sending Resilient ARP packets.

By default, Resilient ARP packets are sent through VLAN-interface 1.

Note that this command is used to enable a VLAN interface to send Resilient ARP packets, while all VLAN interfaces can receive Resilient ARP packets.

Related commands: display resilient-arp.

Examples

# Configure Resilient ARP packets to be sent through VLAN-interface 2.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] resilient-arp interface vlan-interface 2


MFF Configuration Commands


arp mac-forced-forwarding

Syntax

arp mac-forced-forwarding { auto | default-gateway gateway-ip }

undo arp mac-forced-forwarding { auto | default-gateway }

View

VLAN view

Parameter

auto: Specifies the automatic mode.

default-gateway gateway-ip: Specifies the IP address of the default gateway in the manual mode.

Description

Use the arp mac-forced-forwarding command to enable MFF and specify an MFF operating mode. To specify the manual mode, you need to specify a default gateway.

Use the undo arp mac-forced-forwarding command to disable MFF.

By default, MFF is disabled.

Note that:

•  If you execute this command repeatedly, the last configuration takes effect.

•  If the auto keyword is specified, make sure that DHCP snooping works normally.

Example

# Enable MFF in the automatic mode for VLAN 1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] vlan 1

[Sysname-vlan1] arp mac-forced-forwarding auto

arp mac-forced-forwarding network-port

Syntax

arp mac-forced-forwarding network-port

undo arp mac-forced-forwarding network-port

View

Ethernet port view

Parameter

None

Description

Use the arp mac-forced-forwarding network-port command to configure the current port as an MFF network port.

Use the undo arp mac-forced-forwarding network-port command to remove the current port as an MFF network port.

By default, no Ethernet port of the switch is configured as an MFF network port.

Note that, if the current Ethernet port is an MFF user port, you need to remove the user port configuration before you can configure the port as an MFF network port.

Example

# Configure Ethernet1/0/1 as an MFF network port.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] arp mac-forced-forwarding network-port

arp mac-forced-forwarding server

Syntax

arp mac-forced-forwarding server server-ip&<1-10>

undo arp mac-forced-forwarding server [ server-ip&<1-10> ]

View

VLAN view

Parameter

server-ip: IP address of a server. &<1-10> means you can specify up to ten server IP addresses in one command line.

Description

Use the arp mac-forced-forwarding server command to specify the IP addresses of servers.

Use the undo arp mac-forced-forwarding server command to remove the specified server IP addresses. If no parameter is specified, all the server IP addresses are removed.

By default, no server IP address is specified.

Note that:

•  For communication between hosts and a server, you need to use this command to specify the server’s IP address in either MFF manual or automatic mode.

•  If MFF automatic mode is enabled and the gateway and DHCP server do not run on the same device, you need to use this command to specify the IP address of the DHCP server.

•  If a VRRP group serves as an MFF gateway, you need to specify all the IP addresses of the switches in the VRRP group using this command.

•  MFF does not check whether the IP address of a server is on the same network segment as that of a gateway; instead, it verifies that the IP address of a server is not all-zero or all-one. An all-zero or all-one server IP address is invalid.

Example

# Specify the server at 192.168.1.100.

<Sysname> system-view

[Sysname] vlan 1

[Sysname-vlan1] arp mac-forced-forwarding server 192.168.1.100

arp mac-forced-forwarding user-port

Syntax

arp mac-forced-forwarding user-port

undo arp mac-forced-forwarding user-port

View

Ethernet port view

Parameter

None

Description

Use the arp mac-forced-forwarding user-port command to configure the current port as an MFF user port.

Use the undo arp mac-forced-forwarding user-port command to remove the current port as an MFF user port.

By default, no Ethernet port of the switch is configured as an MFF user port.

Note the following:

•  If the current Ethernet port is an MFF network port, you need to remove the network port configuration before you can configure it as an MFF user port.

•  IP filtering must be enabled on a port before the port can be configured as an MFF user port. IP filtering cannot be disabled on a port while it is configured as an MFF user port.

Example

# Configure Ethernet1/0/2 as an MFF user port.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/2

[Sysname-Ethernet1/0/2] arp mac-forced-forwarding user-port

display arp mac-forced-forwarding interface

Syntax

display arp mac-forced-forwarding interface

View

Any view

Parameter

None

Description

Use the display arp mac-forced-forwarding interface command to display the MFF port configuration information.

Related commands: arp mac-forced-forwarding network-port, arp mac-forced-forwarding user-port.

Example

# Display MFF port configuration information.

<Sysname> display arp mac-forced-forwarding interface

User Port:

-------------------------------------------------------------------------

Ethernet1/0/9

Network Port:

-------------------------------------------------------------------------

Ethernet1/0/2

Table 5-1 Description on the fields of the display arp mac-forced-forwarding interface command

Field           Description

User Port       List of ports configured as user ports

Network Port    List of ports configured as network ports

 

display arp mac-forced-forwarding vlan

Syntax

display arp mac-forced-forwarding vlan [ vlan-id ]

View

Any view

Parameter

vlan-id: VLAN ID.

Description

Use the display arp mac-forced-forwarding vlan command to display the MFF configuration information of a specified VLAN. If no VLAN is specified, the number of VLANs enabled with MFF is displayed.

Related command: arp mac-forced-forwarding

Example

# Display the number of VLANs enabled with MFF on the switch.

<Sysname> display arp mac-forced-forwarding vlan

Total Configuration Number: 4

Manual Mode Number: 3

-------------------------------------------------------------------------

VLAN 1 to 2, VLAN 5

Auto Mode Number: 1

-------------------------------------------------------------------------

VLAN 10

# Display the MFF configuration information of VLAN 1.

<Sysname> display arp mac-forced-forwarding vlan 1

VLAN 1

Mode   : Manual

Gateway:

-------------------------------------------------------------------------

10.10.10.1       (N/A)

Server :

-------------------------------------------------------------------------

10.10.0.1
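
The following added example (not part of the H3C manual) parses the two display outputs shown above and checks them against constraints this chapter states: a port cannot be both an MFF user port and a network port, manual mode needs a default gateway, and an all-zero or all-one server address is invalid. The function names and the expected_user_ports inventory are assumptions made for illustration.

```python
import re
from ipaddress import IPv4Address

# Sample output from this page's examples (blank lines dropped, rules shortened).
PORT_OUTPUT = """User Port:
----------
Ethernet1/0/9
Network Port:
----------
Ethernet1/0/2
"""
VLAN_OUTPUT = """VLAN 1
Mode   : Manual
Gateway:
----------
10.10.10.1       (N/A)
Server :
----------
10.10.0.1
"""

def parse_sections(text):
    """Group value lines under the 'Name:' header line that precedes them."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:
            continue  # skip blank lines and dashed rules
        m = re.match(r"([A-Za-z ]+?)\s*:\s*(.*)", line)
        if m:
            current = m.group(1)
            sections[current] = [m.group(2)] if m.group(2) else []
        elif current is not None:
            sections[current].append(line.split()[0])  # drop trailing "(N/A)"
    return sections

def audit(port_text, vlan_text, expected_user_ports):
    """Return findings; expected_user_ports is the operator's own inventory."""
    ports, vlan = parse_sections(port_text), parse_sections(vlan_text)
    users = set(ports.get("User Port", []))
    network = set(ports.get("Network Port", []))
    findings = [f"{p}: expected MFF user port is not configured as one"
                for p in sorted(set(expected_user_ports) - users)]
    findings += [f"{p}: listed as both user port and network port"
                 for p in sorted(users & network)]
    if vlan.get("Mode") == ["Manual"] and not vlan.get("Gateway"):
        findings.append("manual mode but no default gateway shown")
    for ip in vlan.get("Server", []):
        if int(IPv4Address(ip)) in (0, 0xFFFFFFFF):
            findings.append(f"{ip}: all-zero or all-one server address is invalid")
    return findings
```

Feed the functions the text captured from the switch CLI; an empty list means none of the checked constraints is violated.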

 
