04-Layer 3 Configuration Guide

01-ARP Configuration

Configuring ARP

This chapter describes how to configure the Address Resolution Protocol (ARP).

Overview

ARP resolves IP addresses into physical addresses such as MAC addresses. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet.

ARP message format

ARP uses two types of messages, ARP request and ARP reply. Figure 1 shows the format of the ARP request/reply. Numbers in the figure refer to field lengths.

Figure 1 ARP message format

 

·     Hardware type—Hardware address type. The value 1 represents Ethernet.

·     Protocol type—Type of the protocol address to be mapped. The hexadecimal value 0x0800 represents IP.

·     Hardware address length and protocol address length—Length, in bytes, of a hardware address and a protocol address. For an Ethernet address, the value of the hardware address length field is 6. For an IPv4 address, the value of the protocol address length field is 4.

·     OP—Operation code, which describes the type of the ARP message. Value 1 represents an ARP request, and value 2 represents an ARP reply.

·     Sender hardware address—Hardware address of the device sending the message.

·     Sender protocol address—Protocol address of the device sending the message.

·     Target hardware address—Hardware address of the device to which the message is being sent.

·     Target protocol address—Protocol address of the device to which the message is being sent.

ARP operation

As shown in Figure 2, Host A and Host B are on the same subnet. Host A sends a packet to Host B as follows:

1.     Host A looks through its ARP table for an ARP entry for Host B. If an entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.

2.     If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request comprises the following information:

¡     Sender IP address and sender MAC address—Host A's IP address and MAC address

¡     Target IP address—Host B's IP address

¡     Target MAC address—An all-zero MAC address

All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request.

3.     Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B:

a.     Adds the sender IP address and sender MAC address into its ARP table.

b.     Encapsulates its MAC address into an ARP reply.

c.     Unicasts the ARP reply to Host A.

4.     After receiving the ARP reply, Host A:

a.     Adds the MAC address of Host B into its ARP table.

b.     Encapsulates the MAC address into the packet and sends the packet to Host B.

Figure 2 ARP address resolution process

 

If Host A and Host B are on different subnets, Host A sends a packet to Host B, as follows:

1.     Host A sends an ARP request to the gateway. The target IP address in the ARP request is the IP address of the gateway.

2.     The gateway responds with its MAC address in an ARP reply to Host A.

3.     Host A uses the gateway MAC address to encapsulate the packet and sends the packet to the gateway.

4.     If the gateway has the ARP entry for Host B, it forwards the packet to Host B directly. If not, it broadcasts an ARP request, in which the target IP address is the IP address of Host B.

5.     After obtaining the MAC address of Host B, the gateway sends the packet to Host B.
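The message layout above and the four-step exchange of Figure 2, worked through as an added example that is not part of the H3C guide. The Python below packs and parses the 28-byte Ethernet/IPv4 ARP message with the field widths from Figure 1, then runs the resolution between three hosts on one simulated broadcast segment. The addresses, the Lan and Host classes and the demo() function are constructed for this illustration.

```python
import struct
from dataclasses import dataclass

# Ethernet/IPv4 ARP message, field widths as in Figure 1:
# hardware type 2, protocol type 2, hardware address length 1,
# protocol address length 1, OP 2, sender MAC 6, sender IP 4,
# target MAC 6, target IP 4  ->  28 bytes.
ARP_FMT = "!HHBBH6s4s6s4s"
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC, BROADCAST_MAC = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"

def mac_to_bytes(mac): return bytes.fromhex(mac.replace(":", "").replace("-", ""))
def bytes_to_mac(b): return ":".join(f"{x:02x}" for x in b)
def ip_to_bytes(ip): return bytes(int(o) for o in ip.split("."))
def bytes_to_ip(b): return ".".join(str(x) for x in b)

@dataclass
class ArpMessage:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def encode(self) -> bytes:
        return struct.pack(ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, self.op,
                           mac_to_bytes(self.sender_mac), ip_to_bytes(self.sender_ip),
                           mac_to_bytes(self.target_mac), ip_to_bytes(self.target_ip))

    @classmethod
    def decode(cls, data: bytes) -> "ArpMessage":
        if len(data) < struct.calcsize(ARP_FMT):
            raise ValueError("truncated ARP message")
        hw, proto, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, data[:28])
        if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP message")
        if op not in (OP_REQUEST, OP_REPLY):
            raise ValueError(f"unknown OP {op}")
        return cls(op, bytes_to_mac(smac), bytes_to_ip(sip), bytes_to_mac(tmac), bytes_to_ip(tip))

class Lan:
    """One broadcast domain (constructed): a frame reaches every other host, or only the addressed one."""
    def __init__(self): self.hosts = []
    def attach(self, host): host.link = self; self.hosts.append(host)
    def send(self, sender, dst_mac, frame):
        for h in self.hosts:
            if h is not sender and dst_mac in (BROADCAST_MAC, h.mac):
                h.receive(frame)

class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip, self.link = mac, ip, None
        self.arp_table = {}                        # ip -> mac

    def resolve(self, target_ip):
        if target_ip in self.arp_table:            # step 1: table hit
            return self.arp_table[target_ip]
        req = ArpMessage(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)   # step 2
        self.link.send(self, BROADCAST_MAC, req.encode())
        return self.arp_table.get(target_ip)       # filled in by receive() if a reply arrived

    def receive(self, frame):
        msg = ArpMessage.decode(frame)
        if msg.op == OP_REQUEST and msg.target_ip == self.ip:      # step 3: only the target answers
            self.arp_table[msg.sender_ip] = msg.sender_mac
            reply = ArpMessage(OP_REPLY, self.mac, self.ip, msg.sender_mac, msg.sender_ip)
            self.link.send(self, msg.sender_mac, reply.encode())   # unicast to the requester
        elif msg.op == OP_REPLY and msg.target_ip == self.ip:      # step 4: learn the responder
            self.arp_table[msg.sender_ip] = msg.sender_mac

def demo():
    lan = Lan()
    a = Host("00:e0:fc:00:00:0a", "192.168.1.10")   # constructed addresses
    b = Host("00:e0:fc:00:00:0b", "192.168.1.20")
    c = Host("00:e0:fc:00:00:0c", "192.168.1.30")
    for h in (a, b, c):
        lan.attach(h)
    resolved = a.resolve("192.168.1.20")
    return resolved, dict(a.arp_table), dict(b.arp_table), dict(c.arp_table)
```

Two details are worth checking in the result: the request leaves with an all-zero target MAC and a broadcast destination, and only the host whose IP matches the target IP (Host B) touches its table, while Host C sees the broadcast and learns nothing. The decoder refuses anything that is not Ethernet/IPv4 with OP 1 or 2, which is the minimum a packet filter or IDS parser should check before trusting the address fields.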

ARP table

An ARP table stores dynamic and static ARP entries.

Dynamic ARP entry

ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry.

Static ARP entry

A static ARP entry is manually configured and maintained. It does not age out, and cannot be overwritten by a dynamic ARP entry.

Static ARP entries protect communication with critical devices such as the gateway, because spoofed ARP packets cannot overwrite the IP-to-MAC mapping in a static ARP entry. The protection applies only on the device that holds the entry; the peer needs its own static entry or another defense.

Static ARP entries include long and short ARP entries.

·     To configure a long static ARP entry, specify the IP address, MAC address, VLAN, and output interface. A long static ARP entry is directly used for forwarding matching packets. To communicate with a host by using a fixed IP-to-MAC mapping through a specific interface in a specific VLAN, configure a long static ARP entry on the device.

·     To configure a short static ARP entry, you only need to specify the IP address and MAC address. If the output interface is a VLAN interface, the device first sends an ARP request whose target IP address is the IP address of the short entry. If the sender IP and MAC addresses in the received ARP reply match the IP and MAC addresses of the short static ARP entry, the device adds the interface receiving the ARP reply to the short static ARP entry, and then uses the resolved entry to forward the matching IP packets.

To communicate with a host by using a fixed IP-to-MAC mapping, configure a short static ARP entry on the device.

Configuring a static ARP entry

A static ARP entry takes effect as long as the device is operating normally. If a VLAN or VLAN interface is deleted, all long static ARP entries in the VLAN are deleted, and all resolved short static ARP entries in the VLAN become unresolved.

Follow these guidelines when you configure a long static ARP entry:

·     The vlan-id argument must be the ID of an existing VLAN where the ARP entry resides. The specified Ethernet interface must belong to that VLAN. The VLAN interface of the VLAN must be created.

·     The IP address of the VLAN interface of the VLAN specified by the vlan-id argument must belong to the same subnet as the IP address specified by the ip-address argument.

To configure a static ARP entry:

 

Step 1. Enter system view.
    Command: system-view

Step 2. Configure a static ARP entry (use either command).
    Long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number
    Short static ARP entry: arp static ip-address mac-address

Configuring the maximum number of dynamic ARP entries for an interface

An interface can dynamically learn ARP entries. To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn. When the maximum number is reached, the interface stops learning ARP entries.

A Layer 2 interface can learn an ARP entry only when both its maximum number and the VLAN interface's maximum number are not reached.

To set the maximum number of dynamic ARP entries that an interface can learn:

 

Step 1. Enter system view.
    Command: system-view

Step 2. Enter interface view.
    Command: interface interface-type interface-number

Step 3. Set the maximum number of dynamic ARP entries that the interface can learn.
    Command: arp max-learning-num number
    Remarks: Optional. By default, a Layer 2 interface does not limit the number of dynamic ARP entries. The maximum number of dynamic ARP entries that a Layer 3 interface can learn varies with devices. For more information, see About the H3C Access Controllers Command References. If the number argument is set to 0, the interface is disabled from learning dynamic ARP entries.

Setting the aging timer for dynamic ARP entries

Each dynamic ARP entry in the ARP table has a limited lifetime, called aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. Dynamic ARP entries that are not updated before their aging timers expire are deleted from the ARP table.

To set the aging timer for dynamic ARP entries:

 

Step 1. Enter system view.
    Command: system-view

Step 2. Set the aging timer for dynamic ARP entries.
    Command: arp timer aging aging-time
    Remarks: Optional. 20 minutes by default.

Enabling dynamic ARP entry check

The dynamic ARP entry check function controls whether the device supports dynamic ARP entries with multicast MAC addresses.

When dynamic ARP entry check is enabled, the device cannot learn dynamic ARP entries containing multicast MAC addresses.

When dynamic ARP entry check is disabled, the device can learn dynamic ARP entries containing multicast MAC addresses.

To enable dynamic ARP entry check:

 

Step 1. Enter system view.
    Command: system-view

Step 2. Enable dynamic ARP entry check.
    Command: arp check enable
    Remarks: Optional. Enabled by default.

Enabling natural mask support for ARP requests

This feature enables the device to learn the sender IP and MAC addresses in a received ARP request whose sender IP address is on the same classful network as, but a different subnet from, the IP address of the receiving interface. A classful network refers to a class A, B, or C network.

For example, VLAN-interface 10 with IP address 10.10.10.5/24 receives an ARP request from 10.11.11.1/8. ANDing 10.11.11.1 with the 24-bit mask of the receiving interface yields 10.11.11.0, which is not the interface's subnet 10.10.10.0/24, so VLAN-interface 10 does not process the ARP packet.

With this feature enabled, the device calculates the subnet address by using the default mask of the class A network where 10.10.10.5/24 resides (10.0.0.0/8). Because 10.10.10.5/24 is on the same class A network as 10.11.11.1/8, VLAN-interface 10 can learn the sender IP and MAC addresses in the request.
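The learning controls described in this chapter (dynamic versus static entries, the aging timer, arp max-learning-num, arp check and naturemask-arp) modelled as one decision function, as an added example that is not H3C code. The Interface and ArpLearner classes and the helpers is_multicast_mac, classful_network and sender_in_scope are constructed for this illustration; the interface address 10.10.10.5/24 and the sender 10.11.11.1 are the ones from the example above.

```python
import ipaddress

class ArpEntry:
    def __init__(self, mac, static, learned_at):
        self.mac, self.static, self.learned_at = mac, static, learned_at

class Interface:
    def __init__(self, name, address, max_learning_num=None):
        self.name = name
        self.addr = ipaddress.ip_interface(address)   # e.g. 10.10.10.5/24
        self.max_learning_num = max_learning_num      # None: no limit (Layer 2 default)
        self.table = {}                               # ip -> ArpEntry

def is_multicast_mac(mac):
    # I/G bit: least significant bit of the first octet is 1 for group addresses.
    return int(mac.replace("-", ":").split(":")[0], 16) & 0x01 == 1

def classful_network(ip):
    # Default masks by first octet: class A (<128) /8, class B (<192) /16, else class C /24.
    first = int(ip.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def sender_in_scope(iface, sender_ip, naturemask_arp):
    ip = ipaddress.ip_address(sender_ip)
    if ip in iface.addr.network:
        return True
    return naturemask_arp and ip in classful_network(str(iface.addr.ip))

class ArpLearner:
    def __init__(self, aging_minutes=20, arp_check=True, naturemask_arp=False):
        self.aging = aging_minutes * 60
        self.arp_check = arp_check
        self.naturemask_arp = naturemask_arp

    def learn(self, iface, sender_ip, sender_mac, now):
        e = iface.table.get(sender_ip)
        if e is not None and e.static:
            return "ignored: static entry"            # spoofed packets cannot replace it
        if self.arp_check and is_multicast_mac(sender_mac):
            return "rejected: multicast MAC"
        if not sender_in_scope(iface, sender_ip, self.naturemask_arp):
            return "rejected: sender not on interface subnet"
        if e is not None:
            e.mac, e.learned_at = sender_mac, now     # an update resets the aging timer
            return "updated"
        dynamic = sum(1 for x in iface.table.values() if not x.static)
        if iface.max_learning_num is not None and dynamic >= iface.max_learning_num:
            return "rejected: max-learning-num reached"   # 0 disables learning entirely
        iface.table[sender_ip] = ArpEntry(sender_mac, False, now)
        return "learned"

    def add_static(self, iface, ip, mac):
        iface.table[ip] = ArpEntry(mac, True, None)   # replaces a dynamic entry; never ages

    def age(self, iface, now):
        expired = [ip for ip, e in iface.table.items()
                   if not e.static and now - e.learned_at >= self.aging]
        for ip in expired:
            del iface.table[ip]
        return expired

def demo():
    vlan10 = Interface("Vlan-interface10", "10.10.10.5/24", max_learning_num=2)
    learner = ArpLearner(aging_minutes=10, arp_check=True, naturemask_arp=False)
    t0, out = 0, {}
    out["same_subnet"] = learner.learn(vlan10, "10.10.10.7", "00:e0:fc:00:00:07", t0)
    out["multicast"] = learner.learn(vlan10, "10.10.10.8", "01:00:5e:00:00:08", t0)
    out["classful_off"] = learner.learn(vlan10, "10.11.11.1", "00:e0:fc:00:00:11", t0)
    learner.naturemask_arp = True                     # naturemask-arp enable
    out["classful_on"] = learner.learn(vlan10, "10.11.11.1", "00:e0:fc:00:00:11", t0)
    out["limit"] = learner.learn(vlan10, "10.10.10.9", "00:e0:fc:00:00:09", t0)
    learner.add_static(vlan10, "10.10.10.1", "00:e0:fc:00:00:01")   # pin the gateway
    out["spoof_static"] = learner.learn(vlan10, "10.10.10.1", "de:ad:be:ef:00:01", t0)
    out["aged"] = learner.age(vlan10, t0 + 10 * 60)   # arp timer aging 10
    return out, vlan10
```

The order of the checks is the point: a static entry short-circuits everything, the multicast check and the subnet check happen before any table change, and the learning limit is applied only to new entries so that refreshes of existing hosts are never blocked. Enabling natural mask support widens what the interface will learn from to the whole classful network, so it belongs only on segments that are genuinely subnetted that way.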

To enable natural mask support for ARP requests:

 

Step 1. Enter system view.
    Command: system-view

Step 2. Enable natural mask support for ARP requests.
    Command: naturemask-arp enable
    Remarks: Disabled by default.

Displaying and maintaining ARP

CAUTION:

Clearing ARP entries might interrupt sessions that use those ARP entries.

 

Display ARP entries in the ARP table (available in any view):
    display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ count ] [ | { begin | exclude | include } regular-expression ]

Display the ARP entry for a specific IP address (available in any view):
    display arp ip-address [ | { begin | exclude | include } regular-expression ]

Display the aging timer of dynamic ARP entries (available in any view):
    display arp timer aging [ | { begin | exclude | include } regular-expression ]

Clear ARP entries from the ARP table (available in user view):
    reset arp { all | dynamic | static | interface interface-type interface-number }

ARP configuration example

ACs have either 10 GE or GE interfaces. Table 1 identifies the Ethernet interfaces (GigabitEthernet 1/0/1, in this example) on different types of ACs.

If the AC is an AC module installed on a switch, make sure the internal Ethernet interface that connects the switch to the AC module has correct settings, including in particular VLAN settings.

Table 1 AC Ethernet interfaces

AC modules (installed in a switch): LSQM1WCMD0, LSRM1WCM3A1, LSUM3WCMD0, LSUM1WCME0
    The internal Ethernet interface that connects the AC module to the switch.

Wireless switches: WX3024E, WX3010E
    The internal Ethernet interface that connects the AC engine to the switching engine.

ACs: WX6103
    The internal Ethernet interface that connects the main control board to the switching board.

ACs: WX5002V2, WX5004, WX3510E, WX3540E, WX5510E
    Any Ethernet interface on the AC.

ACs: WX2540E, WAC360, WAC361
    Any LAN or WAN interface on the AC.

ACs: WX5540E
    The internal Ethernet interface that connects the AC engine to the switching engine.

Configuration procedure

# Enable the ARP entry check.

<Sysname> system-view

[Sysname] arp check enable

# Set the age time to 10 minutes for dynamic ARP entries.

[Sysname] arp timer aging 10

# Enable Natural Mask support for ARP requests.

[Sysname] naturemask-arp enable

# Specify VLAN-interface 10 to learn a maximum of 1000 dynamic ARP entries.

[Sysname] vlan 10

[Sysname-vlan10] quit

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port access vlan 10

[Sysname-GigabitEthernet1/0/1] quit

[Sysname] interface vlan-interface 10

[Sysname-vlan-interface10] arp max-learning-num 1000

[Sysname-vlan-interface10] quit

# Add a long static ARP entry for IP address 192.168.1.1 with MAC address 00e0-fc01-0000, in VLAN 10, with outbound interface GigabitEthernet 1/0/1.

[Sysname] arp static 192.168.1.1 00e0-fc01-0000 10 gigabitethernet 1/0/1

 


Configuring gratuitous ARP

Overview

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device.

A device sends a gratuitous ARP packet for either of the following purposes:

·     Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.

·     Inform other devices of a change of its MAC address.

Enabling learning of gratuitous ARP packets

This feature enables a device to create or update ARP entries by using the sender IP and MAC addresses in received gratuitous ARP packets.

With this feature disabled, the device uses the received gratuitous ARP packets to update only existing ARP entries.

Configuring periodic sending of gratuitous ARP packets

Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their corresponding ARP entries or MAC entries in time. This feature can be used to prevent gateway spoofing, prevent ARP entries from aging out, and prevent the virtual IP address of a VRRP group from being used by a host.

·     Prevent gateway spoofing.

An attacker can use the gateway address to send gratuitous ARP packets to the hosts on a network so that the traffic destined for the gateway from the hosts is sent to the attacker instead. As a result, the hosts lose access to the external network, or their traffic is intercepted and relayed by the attacker.

To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP packets containing its primary IP address and manually configured secondary IP addresses at a specific interval, so hosts can learn correct gateway address information.

·     Prevent ARP entries from aging out.

If network traffic is heavy or if a host's CPU usage is high, received ARP packets might be discarded or might not be processed in time. Eventually, the dynamic ARP entries on the receiving host age out, and the traffic between the host and the corresponding devices is interrupted until the host re-creates the ARP entries.

To prevent this problem, you can enable the gateway to send gratuitous ARP packets periodically. The gratuitous ARP packets contain the gateway's primary IP address or one of its manually configured secondary IP addresses, so the receiving hosts can update ARP entries in time.

·     Prevent the virtual IP address of a VRRP group from being used by a host.

The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the local network, so that the hosts can update local ARP entries and avoid using the virtual IP address of the VRRP group.

If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. If the virtual IP address of the VRRP group is associated with the real MAC address of an interface, the sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the master router in the VRRP group.

For more information about VRRP, see High Availability Configuration Guide.
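The three uses of gratuitous ARP above (duplicate-address detection, entry learning with gratuitous-arp-learning on or off, and periodic announcement against gateway spoofing), as an added example that is not drawn from the H3C guide. The Arp tuple, HostArpTable, probe_conflict and poisoned_seconds are constructed for this illustration, as are the addresses; the timeline counts whole seconds rather than the millisecond interval the arp send-gratuitous-arp command takes.

```python
from collections import namedtuple

# Minimal ARP view for this example: a gratuitous packet carries the sender's own IP
# as the target IP. The target MAC is omitted because nothing below depends on it.
Arp = namedtuple("Arp", "op sender_mac sender_ip target_ip")

def is_gratuitous(pkt):
    return pkt.sender_ip == pkt.target_ip

class HostArpTable:
    """ARP table of a host, with the gratuitous-arp-learning switch modelled."""
    def __init__(self, gratuitous_learning=True):
        self.entries = {}                       # ip -> mac
        self.gratuitous_learning = gratuitous_learning

    def on_gratuitous(self, pkt):
        assert is_gratuitous(pkt)
        if pkt.sender_ip in self.entries:
            self.entries[pkt.sender_ip] = pkt.sender_mac   # existing entries are always refreshed
            return "updated"
        if self.gratuitous_learning:
            self.entries[pkt.sender_ip] = pkt.sender_mac   # new entries only when learning is enabled
            return "created"
        return "ignored"

def probe_conflict(my_ip, my_mac, neighbours):
    """Duplicate-address check: send a gratuitous request for my own IP. Any other
    device that owns that IP answers with an ARP reply, which signals the conflict.
    neighbours is a constructed {ip: mac} view of the segment."""
    req = Arp("request", my_mac, my_ip, my_ip)
    return [Arp("reply", mac, ip, req.sender_ip)
            for ip, mac in neighbours.items() if ip == req.target_ip and mac != my_mac]

GW_IP, GW_MAC = "192.168.1.1", "00:e0:fc:00:00:01"     # constructed gateway
ATTACKER_MAC = "de:ad:be:ef:00:01"                      # constructed attacker

def poisoned_seconds(interval_s, attack_at_s, horizon_s):
    """Gateway-spoofing timeline. The gateway announces itself at t=0 and then every
    interval_s seconds (None: no periodic sending); the attacker sends one gratuitous
    ARP for the gateway IP at attack_at_s. Returns the number of seconds during which
    the host's entry for the gateway points at the attacker."""
    host = HostArpTable(gratuitous_learning=True)
    bad = 0
    for t in range(horizon_s):
        if t == 0 or (interval_s and t % interval_s == 0):
            host.on_gratuitous(Arp("request", GW_MAC, GW_IP, GW_IP))
        if t == attack_at_s:
            host.on_gratuitous(Arp("request", ATTACKER_MAC, GW_IP, GW_IP))
        if host.entries[GW_IP] == ATTACKER_MAC:
            bad += 1
    return bad
```

poisoned_seconds(None, 3, 30) is 27 with no periodic sending, 7 with a 10-second interval and 2 with a 5-second interval. That is the whole effect of the feature: it shortens the window in which a host's gateway entry points at the attacker, because the host still accepts the attacker's gratuitous ARP as an update. Hosts whose gateway mapping must not move at all need a static ARP entry for the gateway in addition.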

Configuration guidelines

When you configure gratuitous ARP, follow these guidelines:

·     You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.

·     Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface.

·     If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval.

·     The frequency of sending gratuitous ARP packets might be much lower than the sending interval set by the user if this function is enabled on multiple interfaces, if each interface is configured with multiple secondary IP addresses, or if a small sending interval is configured when the previous two conditions exist.

Configuration procedure

To configure gratuitous ARP:

 

Step 1. Enter system view.
    Command: system-view

Step 2. Enable learning of gratuitous ARP packets.
    Command: gratuitous-arp-learning enable
    Remarks: Optional. Enabled by default.

Step 3. Enable the device to send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.
    Command: gratuitous-arp-sending enable
    Remarks: Optional. By default, a device does not send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.

Step 4. Enter interface view.
    Command: interface interface-type interface-number

Step 5. Enable periodic sending of gratuitous ARP packets and set the sending interval.
    Command: arp send-gratuitous-arp [ interval milliseconds ]
    Remarks: Optional. Disabled by default. Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.


Configuring ARP snooping

Overview

ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. The ARP snooping entries can be used by ARP fast-reply.

If ARP snooping is enabled, all ARP packets received by the interfaces are redirected to the CPU. The CPU uses the sender IP and MAC addresses of the ARP packets, and receiving VLAN and port to create ARP snooping entries.

The aging time and valid period of an ARP snooping entry are 25 minutes and 15 minutes, respectively. If an ARP snooping entry is not updated within 15 minutes, it becomes invalid and cannot be used. After that, if an ARP packet matching the entry is received, the entry becomes valid again, and its aging timer restarts. If the aging timer of an ARP snooping entry expires, the entry is removed.

If the ARP snooping device receives an ARP packet that has the same sender IP address as, but a different sender MAC address from, a valid ARP snooping entry, it treats the packet as an attack. The ARP snooping entry becomes invalid and is removed after 25 minutes.

Configuration procedure

To enable ARP snooping:

 

Step 1. Enter system view.
    Command: system-view

Step 2. Enable ARP snooping.
    Command: arp-snooping enable
    Remarks: Optional. Disabled by default.

Displaying and maintaining ARP snooping

Display ARP snooping entries (available in any view):
    display arp-snooping [ ip ip-address | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]

Remove ARP snooping entries (available in user view):
    reset arp-snooping [ ip ip-address | vlan vlan-id ]


Configuring ARP fast-reply

Overview

In a wireless network, APs are connected to an AC through tunnels, so that clients can communicate with the AC through APs and can further access the gateway through the AC. If a client broadcasts an ARP request through the associated AP, the AC needs to send the ARP request to all the other APs, wasting tunnel resources and affecting forwarding performance. The ARP fast-reply mechanism can solve this problem.

With ARP fast reply enabled for a VLAN, the AC can directly answer ARP requests according to the user information in the DHCP snooping entries and ARP snooping entries. For more information about DHCP snooping, see "Configuring DHCP snooping."

Operation

If the device receives an ARP request with the target IP address being the IP address of the VLAN interface, it processes the packet as a normal ARP packet. If not, it searches the DHCP snooping table for a match:

1.     If a match is found and the interface of the entry is the Ethernet interface that received the ARP request, no reply is returned. Otherwise, a reply is returned.

2.     If no match is found and ARP snooping is enabled, the device searches the ARP snooping table. If a match is found and the interface of the matching entry is the Ethernet interface that received the ARP request, no reply is returned. Otherwise, a reply is returned.

3.     If no match is found in both the DHCP snooping and ARP snooping tables, the ARP request is forwarded to other interfaces except the receiving interface in the VLAN or delivered to other modules.
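The ARP snooping entry lifecycle from "Configuring ARP snooping" (15-minute valid period, 25-minute aging time, attack detection on a MAC change) together with the fast-reply decision order above, as one added example that is not H3C code. ArpSnooping, fast_reply and the constructed DHCP snooping dictionary stand in for the device tables; the AP port names, client addresses and the VLAN-interface address are made up for the illustration. Where the guide does not say whether an entry invalidated by an attack can be revived by a later packet, the code assumes it cannot and marks that assumption in a comment.

```python
VALID_PERIOD = 15 * 60   # seconds an entry stays usable without being refreshed
AGING_TIME = 25 * 60     # seconds after which an entry is removed

class SnoopEntry:
    def __init__(self, mac, port, now):
        self.mac, self.port = mac, port
        self.updated_at = now        # last matching ARP packet; starts the aging timer
        self.attacked_at = None      # set when a conflicting MAC was seen for a valid entry

class ArpSnooping:
    def __init__(self):
        self.entries = {}   # (vlan, ip) -> SnoopEntry
        self.alerts = []    # (time, vlan, ip, old_mac, new_mac)

    def is_valid(self, e, now):
        return e.attacked_at is None and now - e.updated_at < VALID_PERIOD

    def on_arp(self, vlan, port, sender_ip, sender_mac, now):
        key = (vlan, sender_ip)
        e = self.entries.get(key)
        if e is None:
            self.entries[key] = SnoopEntry(sender_mac, port, now)
            return "created"
        if e.attacked_at is not None:
            # Assumption for this example: an entry invalidated by an attack is not
            # revived; it is left for age() to remove 25 minutes later.
            return "ignored"
        if self.is_valid(e, now) and e.mac != sender_mac:
            e.attacked_at = now                       # same IP, different MAC, valid entry
            self.alerts.append((now, vlan, sender_ip, e.mac, sender_mac))
            return "attack"
        # A valid entry is refreshed, or an entry that timed out becomes valid again.
        e.mac, e.port, e.updated_at = sender_mac, port, now
        return "updated"

    def age(self, now):
        for key, e in list(self.entries.items()):
            start = e.attacked_at if e.attacked_at is not None else e.updated_at
            if now - start >= AGING_TIME:
                del self.entries[key]

    def lookup(self, vlan, ip, now):
        e = self.entries.get((vlan, ip))
        return e if e is not None and self.is_valid(e, now) else None

def fast_reply(vlan_ip, dhcp_snooping, arp_snooping, vlan, in_port, target_ip, now):
    """Decision for an ARP request received in a VLAN with ARP fast-reply enabled.
    dhcp_snooping is a constructed {(vlan, ip): (mac, port)} stand-in for the DHCP snooping table."""
    if target_ip == vlan_ip:
        return ("normal", None)                        # request for the VLAN interface itself
    hit = dhcp_snooping.get((vlan, target_ip))
    if hit is not None:
        mac, port = hit
        return ("no-reply", None) if port == in_port else ("reply", mac)
    e = arp_snooping.lookup(vlan, target_ip, now) if arp_snooping is not None else None
    if e is not None:
        return ("no-reply", None) if e.port == in_port else ("reply", e.mac)
    return ("forward", None)                           # flood to the other ports in the VLAN

def demo():
    snoop = ArpSnooping()
    dhcp = {(1, "192.168.1.200"): ("00:e0:fc:00:02:00", "ap3")}   # Client 200's lease came via AP 3
    vlan1_ip = "192.168.1.254"                                   # constructed VLAN-interface 1 address
    out = {}
    out["learn"] = snoop.on_arp(1, "ap2", "192.168.1.100", "00:e0:fc:00:01:00", 0)
    out["dhcp_hit"] = fast_reply(vlan1_ip, dhcp, snoop, 1, "ap1", "192.168.1.200", 10)
    out["snoop_hit"] = fast_reply(vlan1_ip, dhcp, snoop, 1, "ap1", "192.168.1.100", 10)
    out["same_port"] = fast_reply(vlan1_ip, dhcp, snoop, 1, "ap2", "192.168.1.100", 10)
    out["gateway"] = fast_reply(vlan1_ip, dhcp, snoop, 1, "ap1", vlan1_ip, 10)
    out["unknown"] = fast_reply(vlan1_ip, dhcp, snoop, 1, "ap1", "192.168.1.77", 10)
    out["stale"] = snoop.lookup(1, "192.168.1.100", 16 * 60) is None          # invalid after 15 min
    out["revived"] = snoop.on_arp(1, "ap2", "192.168.1.100", "00:e0:fc:00:01:00", 16 * 60)
    out["spoof"] = snoop.on_arp(1, "ap1", "192.168.1.100", "de:ad:be:ef:01:00", 17 * 60)
    out["after_spoof"] = fast_reply(vlan1_ip, dhcp, snoop, 1, "ap1", "192.168.1.100", 17 * 60 + 1)
    snoop.age(17 * 60 + AGING_TIME)
    out["removed"] = (1, "192.168.1.100") not in snoop.entries
    return out, snoop.alerts
```

The "same_port" case is the one that matters for correctness: a request for a client that sits behind the receiving port gets no reply, so the AC never answers on behalf of a host that is reachable directly. The "after_spoof" case shows the conservative failure mode: once an entry has been invalidated by a conflicting MAC, fast-reply stops answering for that IP and falls back to flooding rather than replying with either MAC, and the alert tuple gives a detection pipeline the old and new MAC to act on.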

Configuration procedure

Enabling the ARP fast-reply mechanism also enables DHCP snooping for the VLAN.

To improve the availability of ARP fast-reply, enable ARP snooping at the same time.

To configure ARP fast-reply for a VLAN:

 

Step 1. Enter system view.
    Command: system-view

Step 2. Enter VLAN view.
    Command: vlan vlan-id

Step 3. Enable the ARP fast-reply mechanism.
    Command: arp fast-reply enable
    Remarks: Disabled by default.

ARP fast-reply configuration example

Network requirements

As shown in Figure 3, Client 1, Client 2 through Client 100, and Client 101 through Client 200 access the network through AP 1, AP 2, and AP 3, respectively. AP 1, AP 2, and AP 3 are connected to AC through the switch. APs are connected to VLAN 1.

If Client 1 wants to access Client 200, it broadcasts an ARP request and the AC sends it to AP 2 and AP 3. Because ARP broadcasts occupy tunnel resources excessively (especially when many APs exist on the network), you can enable the ARP fast-reply mechanism on AC to reduce the number of ARP broadcasts. In the following example, Client 200 has obtained an IP address through DHCP. With ARP fast-reply enabled, the AC, upon receiving an ARP request from Client 1, directly returns an ARP reply without sending the ARP request to other APs.

Figure 3 Network diagram

 

Configuration procedure

1.     Configure basic functions on the AC (for more information, see WLAN Configuration Guide):

# Enable WLAN, which is enabled by default.

<AC> system-view

[AC] wlan enable

# Create a WLAN-ESS interface.

[AC] interface wlan-ess 1

[AC-WLAN-ESS1] quit

# Define a WLAN service template and bind the WLAN-ESS interface to this service template.

[AC] wlan service-template 1 clear

[AC-wlan-st-1] ssid abc

[AC-wlan-st-1] bind wlan-ess 1

[AC-wlan-st-1] authentication-method open-system

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Configure AP 1 on AC.

[AC] wlan ap ap1 model WA2100

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

# Configure the radio of AP 1.

[AC-wlan-ap-ap1] radio 1 type dot11g

[AC-wlan-ap-ap1-radio-1] service-template 1

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

# Configure AP 2 and AP 3 in the same way AP 1 is configured. (Details not shown.)

# Enable all radios.

[AC] wlan radio enable all

2.     Enable ARP snooping on the AC.

[AC] arp-snooping enable

3.     Enable ARP fast-reply for VLAN 1 on the AC.

[AC] vlan 1

[AC-vlan1] arp fast-reply enable

[AC-vlan1] quit

 
