03-Layer 3 Configuration Guide

01-ARP Configuration

ARP configuration

This chapter includes these sections:

·          ARP overview

·          Configuring ARP

·          Displaying and maintaining ARP

·          ARP configuration example

 

 

NOTE:

·      The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch.

·      The WX3000E series comprises WX3024E and WX3010E wireless switches.

·      The port numbers in this chapter are for illustration only.

ARP overview

ARP function

The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet MAC address, for example).

In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding MAC address.

ARP message format

ARP messages are classified into ARP requests and ARP replies. Figure 1 shows the format of the ARP request/reply. Numbers in the figure refer to field lengths.

Figure 1 ARP message format

 

ARP message fields:

·          Hardware type: The hardware address type. The value 1 represents Ethernet.

·          Protocol type: The type of the protocol address to be mapped. The hexadecimal value 0x0800 represents IP.

·          Hardware address length and protocol address length: Length, in bytes, of a hardware address and a protocol address. For an Ethernet address, the value of the hardware address length field is 6. For an IP(v4) address, the value of the protocol address length field is 4.

·          OP: Operation code. The type of the ARP message. The value 1 represents an ARP request and 2 represents an ARP reply.

·          Sender hardware address: Hardware address of the device sending the message.

·          Sender protocol address: Protocol address of the device sending the message.

·          Target hardware address: Hardware address of the device the message is being sent to.

·          Target protocol address: Protocol address of the device the message is being sent to.

Operation of ARP

If Host A and Host B are on the same subnet and Host A sends a packet to Host B, as shown in Figure 2, the resolution process is:

1.        Host A looks in its ARP table to see whether there is an ARP entry for Host B. If yes, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.

2.        If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request using the following information:

¡  Source IP address and source MAC address: Host A's own IP address and MAC address

¡  Target IP address: Host B’s IP address

¡  Target MAC address: An all-zero MAC address

Because the ARP request is a broadcast, all hosts on this subnet can receive the request, but only the requested host (Host B) will process the request.

3.        Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B:

¡  Adds the sender IP address and sender MAC address to its ARP table.

¡  Encapsulates its MAC address into an ARP reply.

¡  Unicasts the ARP reply to Host A.

4.        After receiving the ARP reply, Host A:

¡  Adds the MAC address of Host B to its ARP table.

¡  Encapsulates the MAC address into the packet and sends it to Host B.

Figure 2 ARP address resolution process

 

If Host A and Host B are not on the same subnet:

1.        Host A sends an ARP request to the gateway. The target IP address in the ARP request is the IP address of the gateway.

2.        After obtaining the MAC address of the gateway from an ARP reply, Host A sends the packet to the gateway.

3.        If the gateway maintains the ARP entry of Host B, it forwards the packet to Host B directly; if not, it broadcasts an ARP request, in which the target IP address is the IP address of Host B.

4.        After obtaining the MAC address of Host B, the gateway sends the packet to Host B.

ARP table

After obtaining a host’s MAC address, the device adds the IP-to-MAC mapping into its own ARP table. This mapping is used for forwarding packets with the same destination in future.

An ARP table contains dynamic and static ARP entries.

Dynamic ARP entry

A dynamic entry is automatically created and maintained by ARP. It can age out, be updated by a new ARP packet, or be overwritten by a static ARP entry. A dynamic ARP entry is removed when its age timer expires or the interface goes down.

Static ARP entry

A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry.

Static ARP entries protect communication between devices, because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.

Static ARP entries can be classified into long and short ARP entries.

·          A long static ARP entry can be used to forward packets directly, because it includes not only the IP address and MAC address, but also a configured VLAN and outbound interface.

·          A short static ARP entry includes only a configured IP address and MAC address. Because the outbound interface is a Layer 2 Ethernet interface, the entry cannot be used directly for forwarding data. If a short static ARP entry matches an IP packet to be forwarded, the device first sends an ARP request. If the sender IP and MAC addresses in the received ARP reply are the same as those in the short static ARP entry, the device adds the interface that received the ARP reply to the entry. The entry can then be used for forwarding IP packets.

 

 

NOTE:

·      Usually ARP dynamically generates ARP entries without manual intervention.

·      To allow communication with a host by using a fixed IP-to-MAC mapping, configure a short static ARP entry for it. To allow communication with a host through a specific interface in a specific VLAN by using a fixed IP-to-MAC mapping, configure a long static ARP entry for it.

 

Configuring ARP

Configuring a static ARP entry

A static ARP entry remains effective as long as the device it corresponds to works normally. However, when a VLAN or VLAN interface is deleted, any static ARP entry corresponding to it is also deleted (if it is a long static ARP entry) or becomes unresolved (if it is a short, resolved static ARP entry).

Follow these steps to configure a static ARP entry:

1.        Enter system view: system-view

2.        Configure a static ARP entry (required; use either command; not configured by default):

¡  Long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number

¡  Short static ARP entry: arp static ip-address mac-address

 

CAUTION:

·      The vlan-id argument must be the ID of an existing VLAN where the ARP entry resides. The specified Ethernet interface must belong to that VLAN. The VLAN interface of the VLAN must be created.

·      The IP address of the VLAN interface of the VLAN specified by the vlan-id argument must belong to the same subnet as the IP address specified by the ip-address argument.

 

Configuring the maximum number of dynamic ARP entries for an interface

Follow these steps to set the maximum number of dynamic ARP entries that an interface can learn:

1.        Enter system view: system-view

2.        Enter Ethernet interface view: interface interface-type interface-number

3.        Set the maximum number of dynamic ARP entries that the interface can learn: arp max-learning-num number

Optional. By default, an Ethernet interface can learn up to 128 ARP entries dynamically. If the number argument is set to 0, the interface is disabled from learning dynamic ARP entries.

 

Setting the age timer for dynamic ARP entries

Each dynamic ARP entry in the ARP table has a limited lifetime, called the age timer. The age timer of a dynamic ARP entry is reset each time the entry is used. Dynamic ARP entries that are not used before their age timers expire are deleted from the ARP table. You can adjust the age timer for dynamic ARP entries according to the actual network conditions.

Follow these steps to set the age timer for dynamic ARP entries:

1.        Enter system view: system-view

2.        Set the age timer for dynamic ARP entries: arp timer aging aging-time

Optional. 20 minutes by default.
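The entry rules described in the ARP table section, the per-interface learning limit, and the age timer above can be exercised together in one model. This is an added example written for this page, not H3C code: it assumes a simplified table keyed by IP address, long static entries only, and an injectable clock so aging can be tested without waiting 20 minutes.

```python
import time
from dataclasses import dataclass

DEFAULT_AGING_MIN = 20    # arp timer aging: 20 minutes by default
DEFAULT_MAX_LEARN = 128   # arp max-learning-num: 128 dynamic entries per interface by default

@dataclass
class Entry:
    mac: str
    iface: str
    static: bool
    last_used: float

class ArpTable:
    """Assumed simplified model of the entry rules in this guide; not H3C code."""
    def __init__(self, aging_min: int = DEFAULT_AGING_MIN, clock=time.monotonic):
        self.aging = aging_min * 60        # seconds
        self.clock = clock                 # injectable for testing
        self.entries: dict[str, Entry] = {}
        self.max_learn: dict[str, int] = {}  # per-interface arp max-learning-num; 0 disables learning

    def add_static(self, ip: str, mac: str, iface: str) -> None:
        # A static entry overwrites any dynamic entry for the same IP and never ages out.
        self.entries[ip] = Entry(mac, iface, True, self.clock())

    def learn(self, ip: str, mac: str, iface: str) -> bool:
        """Dynamic learning from a received ARP packet; False means the packet was ignored."""
        cur = self.entries.get(ip)
        if cur and cur.static:
            return False                   # ARP packets cannot modify a static mapping
        if cur is None:
            learned = sum(1 for e in self.entries.values() if not e.static and e.iface == iface)
            if learned >= self.max_learn.get(iface, DEFAULT_MAX_LEARN):
                return False               # interface has reached its learning limit
        self.entries[ip] = Entry(mac, iface, False, self.clock())
        return True

    def lookup(self, ip: str):
        """Forwarding lookup; a used dynamic entry has its age timer reset."""
        e = self.entries.get(ip)
        if e and not e.static:
            if self.clock() - e.last_used > self.aging:
                del self.entries[ip]       # age timer expired: entry removed
                return None
            e.last_used = self.clock()
        return e.mac if e else None

    def interface_down(self, iface: str) -> None:
        """Dynamic entries on an interface that goes down are removed; static ones stay."""
        for ip in [k for k, e in self.entries.items() if e.iface == iface and not e.static]:
            del self.entries[ip]
```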

 

Enabling ARP entry check

The dynamic ARP entry check function controls whether the device supports static ARP entries with multicast MAC addresses.

When ARP entry check is enabled, you cannot configure a static ARP entry with a multicast MAC address on the device; if you try, the system displays an error message.

When ARP entry check is disabled, you can configure a static ARP entry with a multicast MAC address on the device.

Follow these steps to enable dynamic ARP entry check:

1.        Enter system view: system-view

2.        Enable dynamic ARP entry check: arp check enable

Optional. Enabled by default.

 

Displaying and maintaining ARP

·          Display ARP entries in the ARP table (available in any view):

display arp [ [ all | dynamic | static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ] [ | { begin | exclude | include } regular-expression ]

·          Display the ARP entry for a specified IP address (available in any view):

display arp ip-address [ slot slot-number ] [ verbose ] [ | { begin | exclude | include } regular-expression ]

·          Display the age timer for dynamic ARP entries (available in any view):

display arp timer aging [ | { begin | exclude | include } regular-expression ]

·          Clear ARP entries from the ARP table (available in user view):

reset arp { all | dynamic | static | slot slot-number | interface interface-type interface-number }

 

 

NOTE:

Clearing ARP entries from the ARP table may cause communication failures.

 

ARP configuration example

Static ARP entry configuration example

Network requirements

As shown in Figure 3, hosts are connected to the switch, which is connected to the router through interface Ethernet 1/1 in VLAN 10. The IP and MAC addresses of the router are 192.168.1.1/24 and 00e0-fc01-0000 respectively.

To prevent malicious users from attacking the switch and enhance security for communications between the router and switch, configure a static ARP entry for the router on the switch.

Figure 3 Network diagram for configuring static ARP entries

 

Configuration procedure

Configure the switch

# Create VLAN 10.

<Switch> system-view

[Switch] vlan 10

[Switch-vlan10] quit

# Add interface GigabitEthernet 1/0/1 to VLAN 10.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 10

[Switch-GigabitEthernet1/0/1] quit

# Create interface VLAN-interface 10 and configure its IP address.

[Switch] interface vlan-interface 10

[Switch-vlan-interface10] ip address 192.168.1.2 24

[Switch-vlan-interface10] quit

# Configure a static ARP entry that has IP address 192.168.1.1, MAC address 00e0-fc01-0000, and output interface GigabitEthernet 1/0/1 in VLAN 10.

[Switch] arp static 192.168.1.1 00e0-fc01-0000 10 gigabitethernet 1/0/1

# View information about static ARP entries.

[Switch] display arp static

                Type: S-Static    D-Dynamic    A-Authorized

IP Address       MAC Address     VLAN ID  Interface              Aging Type

192.168.1.1      00e0-fc01-0000  10       GE1/0/1                N/A   S 

 


Gratuitous ARP configuration

This chapter includes these sections:

·          Introduction to gratuitous ARP

·          Configuring gratuitous ARP

 

 

NOTE:

The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch.

Introduction to gratuitous ARP

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device, the sender MAC address is the MAC address of the sending device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.

A device sends a gratuitous ARP packet for either of the following purposes:

·          Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.

·          Inform other devices of the change of its MAC address.
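The ARP message layout from the ARP message format section (field order, lengths, OP codes), the request Host A broadcasts in step 2 of the resolution process, the sender IP/MAC check a device performs on a reply before completing a short static entry, and the gratuitous ARP shape described just above can all be worked through in one packet encoder/decoder. This is an added example, not code from the guide or from H3C; `Arp`, `host_a_request` and `reply_matches_static` are names chosen here, and the gratuitous test follows this guide's definition (sender IP equals target IP, target MAC is broadcast).

```python
import struct
from dataclasses import dataclass
ARP_FMT = "!HHBBH6s4s6s4s"   # field order/lengths from the message format above: 28 bytes
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = bytes.fromhex("ffffffffffff")
ZERO_MAC = bytes(6)

def mac(s: str) -> bytes:
    """Accepts 'aa:bb:cc:dd:ee:ff' or H3C-style 'aabb-ccdd-eeff'."""
    return bytes.fromhex(s.replace(":", "").replace("-", ""))

def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

@dataclass
class Arp:
    op: int
    sha: bytes   # sender hardware address
    spa: bytes   # sender protocol address
    tha: bytes   # target hardware address
    tpa: bytes   # target protocol address

    def pack(self) -> bytes:
        return struct.pack(ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, self.op,
                           self.sha, self.spa, self.tha, self.tpa)

    @classmethod
    def unpack(cls, data: bytes) -> "Arp":
        if len(data) < 28:
            raise ValueError("truncated ARP message")
        htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
        if (htype, ptype, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP message")
        if op not in (OP_REQUEST, OP_REPLY):
            raise ValueError(f"unknown OP code {op}")
        return cls(op, sha, spa, tha, tpa)

    def is_gratuitous(self) -> bool:
        # Per this guide: sender IP == target IP (the sender's own address), target MAC broadcast.
        return self.spa == self.tpa and self.tha == BROADCAST_MAC

def host_a_request(a_ip: str, a_mac: str, b_ip: str) -> bytes:
    """Step 2 of the resolution process: a request with an all-zero target MAC."""
    return Arp(OP_REQUEST, mac(a_mac), ip(a_ip), ZERO_MAC, ip(b_ip)).pack()

def reply_matches_static(reply: bytes, static_ip: str, static_mac: str) -> bool:
    """Compare a received reply's sender IP/MAC with a short static entry before binding it."""
    p = Arp.unpack(reply)
    return p.op == OP_REPLY and p.spa == ip(static_ip) and p.sha == mac(static_mac)
```

The MAC 0000-5e00-5301 used in the checks below is a constructed documentation-range address, not one from the guide.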

Enabling learning of gratuitous ARP packets

With this feature enabled, a device, upon receiving a gratuitous ARP packet, adds an ARP entry that contains the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry exists, the device updates the ARP entry.

With this feature disabled, the device uses the received gratuitous ARP packets to update existing ARP entries, but not to create new ARP entries.

Configuring periodic sending of gratuitous ARP packets

Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their corresponding ARP entries or MAC entries in time. This feature can be used to prevent gateway spoofing, prevent ARP entries from aging out, and prevent the virtual IP address of a VRRP group from being used by a host.

·          Prevent gateway spoofing

When an attacker sends forged gratuitous ARP packets to the hosts on a network, the traffic destined for the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the external network.

To prevent such gateway spoofing attacks, enable the gateway to send gratuitous ARP packets containing its primary IP address and manually configured secondary IP addresses at a specific interval. In this way, each host can learn correct gateway address information.

·          Prevent ARP entries from aging out

If network traffic is heavy or a host's CPU usage is high, received ARP packets may be discarded or not processed in time. Eventually, the dynamic ARP entries on the receiving host age out, and traffic between the host and the corresponding devices is interrupted until the host re-creates the ARP entries.

To prevent this problem, enable the gateway to send gratuitous ARP packets periodically. The gratuitous ARP packets contain the gateway's primary IP address or one of its manually configured secondary IP addresses. In this way, the receiving host can update ARP entries in time and thus ensure traffic continuity.

Configuring gratuitous ARP

Follow these steps to configure gratuitous ARP:

1.        Enter system view: system-view

2.        Enable learning of gratuitous ARP packets: gratuitous-arp-learning enable

Optional. Enabled by default.

3.        Enable the device to send gratuitous ARP packets upon receiving ARP requests from another subnet: gratuitous-arp-sending enable

Required. By default, a device does not send gratuitous ARP packets upon receiving ARP requests from another subnet.

4.        Enter interface view: interface interface-type interface-number

5.        Enable periodic sending of gratuitous ARP packets and set the sending interval: arp send-gratuitous-arp [ interval milliseconds ]

Required. Disabled by default.

 

 

NOTE:

·      You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.

·      Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface.

·      If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval.

·      Gratuitous ARP packets may be sent much less frequently than configured if this function is enabled on many interfaces, if each interface has multiple secondary IP addresses, or if a small sending interval is configured in such cases.

 

 
