H3C WA Series Access Points Configuration Guides (R1507P09-6W101)
04-Layer 3 Configuration Guide
11-ARP Configuration

Configuring ARP

This chapter describes how to configure the Address Resolution Protocol (ARP).

Overview

ARP resolves IP addresses into physical addresses such as MAC addresses. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet.

ARP message format

ARP uses two types of messages, ARP request and ARP reply. Figure 1 shows the format of the ARP request/reply. Numbers in the figure refer to field lengths.

Figure 1 ARP message format

 

·          Hardware type—Hardware address type. The value 1 represents Ethernet.

·          Protocol type—Type of the protocol address to be mapped. The hexadecimal value 0x0800 represents IP.

·          Hardware address length and protocol address length—Length, in bytes, of a hardware address and a protocol address. For an Ethernet address, the value of the hardware address length field is 6. For an IPv4 address, the value of the protocol address length field is 4.

·          OP—Operation code, which describes the type of the ARP message. Value 1 represents an ARP request, and value 2 represents an ARP reply.

·          Sender hardware address—Hardware address of the device sending the message.

·          Sender protocol address—Protocol address of the device sending the message.

·          Target hardware address—Hardware address of the device to which the message is being sent. In an ARP request this address is not yet known and the field is carried as all zeros.

·          Target protocol address—Protocol address of the device to which the message is being sent.

ARP operation

As shown in Figure 2, Host A and Host B are on the same subnet. Host A sends a packet to Host B as follows:

1.        Host A looks through its ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.

2.        If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request comprises the following information:

¡  Sender IP address and sender MAC address—Host A's IP address and MAC address

¡  Target IP address—Host B's IP address

¡  Target MAC address—An all-zero MAC address

All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request.

3.        Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B:

a.    Adds the sender IP address and sender MAC address into its ARP table.

b.    Encapsulates its MAC address into an ARP reply.

c.     Unicasts the ARP reply to Host A.

4.        After receiving the ARP reply, Host A:

a.    Adds the MAC address of Host B into its ARP table.

b.    Encapsulates the MAC address into the packet and sends the packet to Host B.

Figure 2 ARP address resolution process

 

If Host A and Host B are on different subnets, Host A sends a packet to Host B, as follows:

1.        Host A sends an ARP request to the gateway. The target IP address in the ARP request is the IP address of the gateway.

2.        The gateway responds with its MAC address in an ARP reply to Host A.

3.        Host A uses the gateway MAC address to encapsulate the packet and sends the packet to the gateway.

4.        If the gateway has the ARP entry for Host B, it forwards the packet to Host B directly. If not, it broadcasts an ARP request, in which the target IP address is the IP address of Host B.

5.        After obtaining the MAC address of Host B, the gateway sends the packet to Host B.
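The message layout in Figure 1 and the same-subnet exchange above, as an added Python example that is not part of the H3C guide: it packs and parses the 28-byte Ethernet/IPv4 ARP message with `struct`, then replays steps 1 to 4 between Host A, Host B and a bystander Host C on a simulated broadcast domain. The `Host` and `Lan` classes, the `resolve_demo()` topology and its addresses are constructed for the example. The different-subnet case only changes the target IP of Host A's first request to the gateway's address, so it is not simulated separately.

```python
import socket
import struct
from dataclasses import dataclass

# 28-byte ARP message for Ethernet/IPv4, field order and sizes as in Figure 1:
# hardware type(2) protocol type(2) hw addr len(1) proto addr len(1) op(2)
# sender MAC(6) sender IP(4) target MAC(6) target IP(4); network byte order.
ARP_FMT = "!HHBBH6s4s6s4s"
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "0000-0000-0000"   # target MAC carried in a request (not known yet)

def mac_to_bytes(mac):        # accepts "00e0-fc01-0000" or "00:e0:fc:01:00:00"
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))

def mac_to_str(b):
    h = b.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"

@dataclass
class ArpMessage:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def pack(self) -> bytes:
        return struct.pack(ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, self.op,
                           mac_to_bytes(self.sender_mac), socket.inet_aton(self.sender_ip),
                           mac_to_bytes(self.target_mac), socket.inet_aton(self.target_ip))

    @classmethod
    def unpack(cls, data: bytes) -> "ArpMessage":
        htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, data[:28])
        # Reject anything that is not Ethernet/IPv4 ARP with the lengths those types imply.
        if (htype, ptype, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP message")
        if op not in (OP_REQUEST, OP_REPLY):
            raise ValueError(f"unsupported ARP opcode {op}")
        return cls(op, mac_to_str(smac), socket.inet_ntoa(sip), mac_to_str(tmac), socket.inet_ntoa(tip))

class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.arp_table = {}      # ip -> mac
        self.pending = []        # (dst_ip, payload) buffered while resolution is outstanding
        self.sent_frames = []    # (dst_mac, payload) handed to the data link layer

    def send_ip_packet(self, dst_ip, payload, lan):
        """Steps 1-2: use a cached entry, else buffer the packet and broadcast a request."""
        mac = self.arp_table.get(dst_ip)
        if mac is not None:
            self.sent_frames.append((mac, payload))
            return
        self.pending.append((dst_ip, payload))
        lan.broadcast(self, ArpMessage(OP_REQUEST, self.mac, self.ip, ZERO_MAC, dst_ip).pack())

    def receive_arp(self, data, lan):
        msg = ArpMessage.unpack(data)
        if msg.op == OP_REQUEST:
            # Step 3: only the owner of the target IP learns the sender and replies by unicast.
            if msg.target_ip != self.ip:
                return
            self.arp_table[msg.sender_ip] = msg.sender_mac
            reply = ArpMessage(OP_REPLY, self.mac, self.ip, msg.sender_mac, msg.sender_ip)
            lan.unicast(msg.sender_mac, reply.pack())
        else:
            # Step 4: learn the reply, then send the packets that were waiting for it.
            self.arp_table[msg.sender_ip] = msg.sender_mac
            ready = [p for p in self.pending if p[0] == msg.sender_ip]
            self.pending = [p for p in self.pending if p[0] != msg.sender_ip]
            self.sent_frames.extend((msg.sender_mac, payload) for _, payload in ready)

class Lan:
    """One broadcast domain: a broadcast reaches every other host, a unicast reaches one."""
    def __init__(self, hosts):
        self.by_mac = {h.mac: h for h in hosts}

    def broadcast(self, src, data):
        for h in self.by_mac.values():
            if h is not src:
                h.receive_arp(data, self)

    def unicast(self, dst_mac, data):
        self.by_mac[dst_mac].receive_arp(data, self)

def resolve_demo():
    """Constructed topology: A resolves B while C only overhears the broadcast."""
    a = Host("192.168.1.10", "0000-5e00-5301")
    b = Host("192.168.1.20", "0000-5e00-5302")
    c = Host("192.168.1.30", "0000-5e00-5303")
    lan = Lan([a, b, c])
    a.send_ip_packet("192.168.1.20", b"first", lan)    # triggers the request/reply exchange
    a.send_ip_packet("192.168.1.20", b"second", lan)   # served from A's ARP table
    return a, b, c
```

Note that the reply branch of `receive_arp` accepts any ARP reply without checking that a request for that IP is outstanding. That is how a plain ARP implementation behaves, and it is the reason the static ARP entry and ARP snooping features later in this chapter exist: nothing in the protocol itself authenticates the sender fields.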

ARP table

An ARP table stores dynamic and static ARP entries.

Dynamic ARP entry

ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry.

Static ARP entry

A static ARP entry is manually configured and maintained. It does not age out, and cannot be overwritten by a dynamic ARP entry.

Static ARP entries protect communication between devices, because forged ARP packets cannot modify the IP-to-MAC mapping in a static ARP entry. The protection applies only on the device where the entry is configured; the mapping held by the peer device must be protected separately.

Static ARP entries can be classified into long and short ARP entries.

·          To configure a long static ARP entry, specify the IP address, MAC address, VLAN, and output interface. A long static ARP entry is directly used for forwarding matching packets. To communicate with a host by using a fixed IP-to-MAC mapping through a specific interface in a specific VLAN, configure a long static ARP entry on the device.

·          To configure a short static ARP entry, you only need to specify the IP address and MAC address.

¡  If the output interface is a Layer 3 Ethernet interface, the short ARP entry can be directly used to forward matching packets.

¡  If the output interface is a VLAN interface, the device first sends an ARP request whose target IP address is the IP address of the short entry. If the sender IP and MAC addresses in the received ARP reply match the IP and MAC addresses of the short static ARP entry, the device adds the interface receiving the ARP reply to the short static ARP entry, and then uses the resolved entry to forward the matching IP packets.

To communicate with a host by using a fixed IP-to-MAC mapping, configure a short static ARP entry on the device.

Configuring a static ARP entry

A static ARP entry is effective as long as the device works normally. If a VLAN or VLAN interface is deleted, all long static ARP entries in the VLAN are deleted, and all resolved short static ARP entries in the VLAN become unresolved.

Follow these guidelines when you configure a long static ARP entry:

·          The vlan-id argument must be the ID of an existing VLAN where the ARP entry resides. The specified Ethernet interface must belong to that VLAN. The VLAN interface of the VLAN must be created.

·          The IP address of the VLAN interface of the VLAN specified by the vlan-id argument must belong to the same subnet as the IP address specified by the ip-address argument.

To configure a static ARP entry:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Configure a static ARP entry (use either command).
    Long static ARP entry:
        arp static ip-address mac-address vlan-id interface-type interface-number
    Short static ARP entry:
        arp static ip-address mac-address

 

Configuring the maximum number of dynamic ARP entries for an interface

An interface learns dynamic ARP entries from the ARP packets it receives, so a burst of ARP traffic, whether legitimate or forged, can fill its ARP table. To bound this, set the maximum number of dynamic ARP entries that an interface can learn. When the maximum number is reached, the interface stops learning ARP entries until existing entries age out.

A Layer 2 interface can learn an ARP entry only when both its maximum number and the VLAN interface's maximum number are not reached.

To set the maximum number of dynamic ARP entries that an interface can learn:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 3. Set the maximum number of dynamic ARP entries that the interface can learn.
    Command: arp max-learning-num number
    Remarks: Optional. By default, an interface can learn a maximum of 256 dynamic ARP entries. Setting number to 0 disables dynamic ARP learning on the interface.

 

Setting the aging timer for dynamic ARP entries

Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. Dynamic ARP entries that are not updated before their aging timers expire are deleted from the ARP table.

To set the aging timer for dynamic ARP entries:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Set the aging timer for dynamic ARP entries.
    Command: arp timer aging aging-time
    Remarks: Optional. 20 minutes by default.

 

Enabling dynamic ARP entry check

The dynamic ARP entry check function controls whether the device supports dynamic ARP entries with multicast MAC addresses.

When dynamic ARP entry check is enabled, the device cannot learn dynamic ARP entries containing multicast MAC addresses.

When dynamic ARP entry check is disabled, the device can learn dynamic ARP entries containing multicast MAC addresses.
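The entry rules from the ARP table section (a static entry overrides a dynamic one and never ages out, a dynamic entry cannot overwrite a static one), the per-interface learning limit, the aging timer and the multicast MAC check above, combined in one added Python model. This is not code from the H3C guide: the `ArpTable` class, its defaults (20 minutes, 256 entries, check enabled) and the addresses in `demo()` are constructed for the example, and time is passed in as `now` so that aging can be exercised without waiting.

```python
from dataclasses import dataclass

@dataclass
class ArpEntry:
    mac: str
    iface: str
    static: bool
    learned_at: float   # seconds on the caller's clock; ignored for static entries

def is_multicast_mac(mac: str) -> bool:
    # The I/G bit (least significant bit of the first octet) marks a multicast MAC.
    first_octet = int(mac.replace("-", "").replace(":", "")[:2], 16)
    return bool(first_octet & 0x01)

class ArpTable:
    def __init__(self, aging_seconds=20 * 60, max_learning=256, check_enable=True):
        self.aging = aging_seconds          # 'arp timer aging' (20 minutes by default)
        self.max_learning = max_learning    # 'arp max-learning-num' (256 by default), per interface
        self.check_enable = check_enable    # 'arp check enable' (enabled by default)
        self.entries = {}                   # ip -> ArpEntry

    def _dynamic_count(self, iface):
        return sum(1 for e in self.entries.values() if not e.static and e.iface == iface)

    def learn(self, ip, mac, iface, now) -> bool:
        """Dynamic learning from a received ARP packet. Returns True if the table changed."""
        if self.check_enable and is_multicast_mac(mac):
            return False                    # a multicast MAC is never a valid unicast next hop
        cur = self.entries.get(ip)
        if cur is not None and cur.static:
            return False                    # static entries cannot be overwritten dynamically
        if cur is None and self._dynamic_count(iface) >= self.max_learning:
            return False                    # interface has reached its learning limit
        self.entries[ip] = ArpEntry(mac, iface, False, now)   # new entry, or refresh (timer reset)
        return True

    def add_static(self, ip, mac, iface):
        # A static entry replaces any dynamic entry for the same IP and does not age.
        self.entries[ip] = ArpEntry(mac, iface, True, 0.0)

    def age(self, now, down_ifaces=()):
        """Remove dynamic entries whose timer expired or whose output interface went down."""
        expired = [ip for ip, e in self.entries.items()
                   if not e.static and (now - e.learned_at >= self.aging or e.iface in down_ifaces)]
        for ip in expired:
            del self.entries[ip]
        return expired

    def lookup(self, ip):
        e = self.entries.get(ip)
        return e.mac if e else None

def demo():
    """Constructed scenario on one interface with a learning limit of 2."""
    t = ArpTable(aging_seconds=1200, max_learning=2)
    t.add_static("192.168.1.1", "00e0-fc01-0000", "GE1/0/1")        # the router, pinned
    r = {}
    # A spoofed reply claiming the router's IP is ignored because the entry is static.
    r["spoof_blocked"] = not t.learn("192.168.1.1", "0000-5e00-5399", "GE1/0/1", now=0)
    r["mcast_blocked"] = not t.learn("192.168.1.50", "0100-5e00-0001", "GE1/0/1", now=0)
    t.learn("192.168.1.10", "0000-5e00-5301", "GE1/0/1", now=0)
    t.learn("192.168.1.20", "0000-5e00-5302", "GE1/0/1", now=100)
    r["quota_blocked"] = not t.learn("192.168.1.30", "0000-5e00-5303", "GE1/0/1", now=100)
    t.learn("192.168.1.10", "0000-5e00-5301", "GE1/0/1", now=600)   # refresh resets its timer
    r["aged_out"] = t.age(now=1300)      # .20 expired (1200 s since 100); .10 was refreshed
    r["table"] = {ip: e.mac for ip, e in t.entries.items()}
    return r
```

The static entry for the router is the same protection the configuration example later in this chapter sets up: the spoofed reply for 192.168.1.1 is rejected even though dynamic learning is otherwise open.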

To enable dynamic ARP entry check:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable dynamic ARP entry check.
    Command: arp check enable
    Remarks: Optional. Enabled by default.

 

Enabling natural mask support for ARP requests

This feature enables the device to learn the sender IP and MAC addresses in a received ARP request whose sender IP address is on the same classful network as but a different subnet from the IP address of the receiving interface. A classful network refers to a class A, B, or C network.

For example, VLAN-interface 10 with IP address 10.10.10.5/24 receives an ARP request from 10.11.11.1/8. ANDing 10.11.11.1 with the interface's 24-bit mask gives 10.11.11.0, which is not the interface's subnet 10.10.10.0/24, so VLAN-interface 10 does not learn the sender from this ARP request.

With this feature enabled, the device instead applies the natural mask of the class A network that 10.10.10.5 belongs to (255.0.0.0). Because 10.10.10.5 and 10.11.11.1 are both on the class A network 10.0.0.0/8, VLAN-interface 10 learns the sender IP and MAC addresses from the request.
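The acceptance test described above, as an added Python example that is not part of the H3C guide. `accepts_arp_sender()` applies the default rule (sender inside the interface's configured subnet) and, when `naturemask_arp` is true, falls back to the classful network of the interface address; the function names and the `/26` case in the usage are this example's own, and the classful boundaries are the standard class A/B/C first-octet ranges.

```python
import ipaddress

def classful_prefix(ip: str) -> int:
    """Natural (default) mask length of the class A/B/C network an IPv4 address belongs to."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8      # class A: 0.0.0.0 - 127.255.255.255
    if first < 192:
        return 16     # class B: 128.0.0.0 - 191.255.255.255
    if first < 224:
        return 24     # class C: 192.0.0.0 - 223.255.255.255
    raise ValueError(f"{ip} is not in a class A, B or C network")

def accepts_arp_sender(iface_ip_cidr: str, sender_ip: str, naturemask_arp: bool) -> bool:
    """Does the interface learn the sender of a received ARP request?

    Default rule: the sender IP must fall inside the interface's configured subnet.
    With 'naturemask-arp enable': the classful network of the interface address is used
    instead, so senders on other subnets of the same class A/B/C network are accepted too."""
    iface = ipaddress.ip_interface(iface_ip_cidr)
    sender = ipaddress.ip_address(sender_ip)
    if sender in iface.network:
        return True
    if not naturemask_arp:
        return False
    natural = ipaddress.ip_network(f"{iface.ip}/{classful_prefix(str(iface.ip))}", strict=False)
    return sender in natural

def worked_example():
    """The guide's case: VLAN-interface 10 at 10.10.10.5/24, request from 10.11.11.1."""
    return (accepts_arp_sender("10.10.10.5/24", "10.11.11.1", naturemask_arp=False),
            accepts_arp_sender("10.10.10.5/24", "10.11.11.1", naturemask_arp=True))
```

Enabling the feature widens the set of ARP senders whose IP-to-MAC mappings the interface will accept from one /24 to the whole class A network in this example, so it also widens the range of addresses a spoofed ARP request can claim. Enable it only on interfaces that genuinely need to resolve hosts on other subnets of the same classful network.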

To enable natural mask support for ARP requests:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable natural mask support for ARP requests.
    Command: naturemask-arp enable
    Remarks: Disabled by default.

 

Displaying and maintaining ARP

 

CAUTION:
Clearing ARP entries from the ARP table might cause communication failures.

Task: Display ARP entries in the ARP table.
    Command: display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ count ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Display the ARP entry for a specified IP address.
    Command: display arp ip-address [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Display the aging timer of dynamic ARP entries.
    Command: display arp timer aging [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Clear ARP entries from the ARP table.
    Command: reset arp { all | dynamic | static | interface interface-type interface-number }
    Remarks: Available in user view.

 

Static ARP entry configuration example

Network requirements

As shown in Figure 3, hosts are connected to the AP, which is connected to the router through interface GigabitEthernet 1/0/1 in VLAN 10. The IP and MAC addresses of the router are 192.168.1.1/24 and 00e0-fc01-0000 respectively.

To prevent a malicious user from altering the AP's ARP entry for the router with forged ARP packets (ARP spoofing), and so enhance security for communications between the router and the AP, configure a static ARP entry for the router on the AP.

Figure 3 Network diagram

 

Configuration procedure

# Create VLAN 10.

<AP> system-view

[AP] vlan 10

[AP-vlan10] quit

# Add interface GigabitEthernet 1/0/1 to VLAN 10.

[AP] interface gigabitethernet 1/0/1

[AP-GigabitEthernet1/0/1] port link-type trunk

[AP-GigabitEthernet1/0/1] port trunk permit vlan 10

[AP-GigabitEthernet1/0/1] quit

# Create interface VLAN-interface 10, and assign an IP address to the VLAN interface.

[AP] interface vlan-interface 10

[AP-vlan-interface10] ip address 192.168.1.2 24

[AP-vlan-interface10] quit

# Configure a static ARP entry that has IP address 192.168.1.1, MAC address 00e0-fc01-0000, and output interface GigabitEthernet 1/0/1 in VLAN 10.

[AP] arp static 192.168.1.1 00e0-fc01-0000 10 gigabitethernet 1/0/1

# Display information about static ARP entries.

[AP] display arp static

                Type: S-Static    D-Dynamic    A-Authorized

IP Address       MAC Address     VLAN ID  Interface              Aging Type

192.168.1.1      00e0-fc01-0000  10       GE1/0/1                N/A   S 


Configuring gratuitous ARP

Overview

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device.

A device sends a gratuitous ARP packet for either of the following purposes:

·          Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.

·          Inform other devices of a change of its MAC address.

Enabling learning of gratuitous ARP packets

This feature enables a device to create or update ARP entries by using the sender IP and MAC addresses in received gratuitous ARP packets.

With this feature disabled, the device uses the received gratuitous ARP packets to update only existing ARP entries.
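The two uses of gratuitous ARP from the overview (address conflict detection and announcing a MAC change) and the learning policy described just above, as an added Python example that is not part of the H3C guide. Messages are modelled as a small dataclass rather than raw bytes; `answer_if_owner()`, `apply_gratuitous()` and the scenario in `demo()` are constructed for the example, and the table holds dynamic entries only (a static entry, per the ARP table section, would not be overwritten).

```python
from dataclasses import dataclass

OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "0000-0000-0000"

@dataclass(frozen=True)
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def is_gratuitous(msg: Arp) -> bool:
    # Gratuitous ARP: sender IP and target IP are both the sending device's own address.
    return msg.sender_ip == msg.target_ip

def gratuitous_request(ip: str, mac: str) -> Arp:
    return Arp(OP_REQUEST, mac, ip, ZERO_MAC, ip)

def answer_if_owner(msg: Arp, my_ip: str, my_mac: str):
    """A device that already uses the announced IP replies; that reply is how the
    sender learns of the conflict. Every other device stays silent."""
    if (msg.op == OP_REQUEST and is_gratuitous(msg)
            and msg.target_ip == my_ip and msg.sender_mac != my_mac):
        return Arp(OP_REPLY, my_mac, my_ip, msg.sender_mac, msg.sender_ip)
    return None

def conflict_detected(reply, my_ip: str, my_mac: str) -> bool:
    """The probing device sees a reply for its own IP from a different MAC."""
    return reply is not None and reply.sender_ip == my_ip and reply.sender_mac != my_mac

def apply_gratuitous(table: dict, msg: Arp, learning_enable: bool) -> str:
    """Update an IP->MAC table of dynamic entries from a received gratuitous ARP packet.
    learning_enable mirrors 'gratuitous-arp-learning enable' (enabled by default).
    Returns 'ignored', 'updated' or 'created'."""
    if not is_gratuitous(msg):
        return "ignored"
    if msg.sender_ip in table:
        table[msg.sender_ip] = msg.sender_mac     # existing entries are updated either way
        return "updated"
    if not learning_enable:
        return "ignored"                          # new entries only while learning is enabled
    table[msg.sender_ip] = msg.sender_mac
    return "created"

def demo():
    """Constructed scenario: 192.168.1.10 is already used by ...5301; a newcomer with
    ...5399 probes for it and is told about the conflict. A third device then applies
    the learning policy to gratuitous ARP from the gateway IP and from an unknown host."""
    owner_ip, owner_mac, newcomer_mac = "192.168.1.10", "0000-5e00-5301", "0000-5e00-5399"
    probe = gratuitous_request(owner_ip, newcomer_mac)
    reply = answer_if_owner(probe, owner_ip, owner_mac)
    conflict = conflict_detected(reply, owner_ip, newcomer_mac)

    table = {"192.168.1.1": "00e0-fc01-0000"}     # dynamic entry for the gateway
    moved = apply_gratuitous(table, gratuitous_request("192.168.1.1", "00e0-fc01-0001"), False)
    unknown_off = apply_gratuitous(table, gratuitous_request("192.168.1.77", "0000-5e00-5377"), False)
    unknown_on = apply_gratuitous(table, gratuitous_request("192.168.1.77", "0000-5e00-5377"), True)
    return conflict, moved, unknown_off, unknown_on, dict(table)
```

The `"updated"` outcome is worth dwelling on: a single gratuitous ARP claiming the gateway IP moved the gateway's entry to a new MAC even with learning disabled, because disabling learning only stops new entries from being created. This is the classic ARP cache poisoning vector; the static ARP entry from the earlier configuration example is what blocks it for the addresses that matter.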

Configuration guidelines

Follow these guidelines when you configure gratuitous ARP:

·          You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.

·          Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface.

·          If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval.

·          The actual interval between gratuitous ARP packets may be much longer than the configured sending interval if the function is enabled on many interfaces, if interfaces are configured with multiple secondary IP addresses, or if a short interval is configured while either of those conditions holds.

Configuration procedure

To configure gratuitous ARP:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable learning of gratuitous ARP packets.
    Command: gratuitous-arp-learning enable
    Remarks: Optional. Enabled by default.

Step 3. Enable the device to send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.
    Command: gratuitous-arp-sending enable
    Remarks: Disabled by default.

 

 


Configuring ARP snooping

Overview

ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets.

If ARP snooping is enabled on a device, ARP packets received by all interfaces are redirected to the CPU. The CPU uses the sender IP and MAC addresses of the ARP packets, and receiving VLAN and port to create ARP snooping entries.

An ARP snooping entry has an aging time of 25 minutes and a valid period of 15 minutes. If the entry is not updated within 15 minutes, it becomes invalid and cannot be used. If an ARP packet matching the entry is received after that, the entry becomes valid again and its aging timer restarts. If the aging timer of an ARP snooping entry expires, the entry is removed.

If the ARP snooping device receives an ARP packet that has the same sender IP address as, but a different sender MAC address from, a valid ARP snooping entry, it considers that an attack has occurred. The ARP snooping entry becomes invalid and is removed after 25 minutes.
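The entry lifecycle described above (15-minute valid period, 25-minute aging time, revival by a matching packet, and the conflict rule), as an added Python model that is not part of the H3C guide. The `ArpSnooping` class and the timeline in `demo()` are constructed for the example. Two points the guide leaves open are handled as labelled assumptions: a packet with a different MAC against an entry that is already stale simply refreshes it, and an entry flagged as attacked stays invalid until it is removed.

```python
from dataclasses import dataclass

VALID_PERIOD = 15 * 60   # seconds: an entry not refreshed within this time becomes invalid
AGING_TIME = 25 * 60     # seconds: an entry not refreshed within this time is removed

@dataclass
class SnoopEntry:
    mac: str
    vlan: int
    port: str
    updated_at: float
    attacked: bool = False   # set when a conflicting sender MAC was seen against a valid entry

class ArpSnooping:
    """ARP snooping entries keyed by sender IP, driven by a caller-supplied clock (seconds)."""
    def __init__(self):
        self.entries = {}

    def is_valid(self, ip, now) -> bool:
        e = self.entries.get(ip)
        return e is not None and not e.attacked and now - e.updated_at < VALID_PERIOD

    def on_arp(self, sender_ip, sender_mac, vlan, port, now) -> str:
        """Process the sender fields of an ARP packet redirected to the CPU."""
        e = self.entries.get(sender_ip)
        if e is None:
            self.entries[sender_ip] = SnoopEntry(sender_mac, vlan, port, now)
            return "created"
        if e.attacked:
            return "ignored"    # assumption: an attacked entry stays invalid until it ages out
        if e.mac != sender_mac and self.is_valid(sender_ip, now):
            # Same IP, different MAC, against a valid entry: treat as an attack. The entry
            # becomes invalid now and is removed AGING_TIME seconds later.
            e.attacked, e.updated_at = True, now
            return "attack"
        # Matching packet (or, as an assumption, any packet against a stale entry): refresh.
        # This also makes a stale entry valid again and restarts its aging timer.
        e.mac, e.vlan, e.port, e.updated_at = sender_mac, vlan, port, now
        return "refreshed"

    def age(self, now):
        expired = [ip for ip, e in self.entries.items() if now - e.updated_at >= AGING_TIME]
        for ip in expired:
            del self.entries[ip]
        return expired

def demo():
    """Constructed timeline: .10 is spoofed 60 s after being learned; .20 goes stale after
    15 min and is revived by a matching packet; the attacked entry is removed 25 min after
    the conflict was seen while the revived one survives."""
    s = ArpSnooping()
    events = [
        s.on_arp("192.168.1.10", "0000-5e00-5301", 10, "GE1/0/1", now=0),
        s.on_arp("192.168.1.10", "0000-5e00-5399", 10, "GE1/0/2", now=60),
        s.on_arp("192.168.1.20", "0000-5e00-5302", 10, "GE1/0/1", now=0),
    ]
    stale = not s.is_valid("192.168.1.20", now=16 * 60)
    events.append(s.on_arp("192.168.1.20", "0000-5e00-5302", 10, "GE1/0/1", now=16 * 60))
    revived = s.is_valid("192.168.1.20", now=16 * 60 + 1)
    removed = s.age(now=60 + AGING_TIME)
    return events, stale, revived, removed, sorted(s.entries)
```

The `"attack"` outcome is the detection value of ARP snooping: the device notices that 192.168.1.10 is suddenly claimed from a different MAC and port, which is what a spoofing host looks like on the wire. In this model the conflicting packet is recorded but not acted on; what a deployment does with that signal (alerting, consulting `display arp-snooping`, or other features built on the snooping table) is outside this chapter.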

Configuration procedure

To enable ARP snooping:

 

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable ARP snooping.
    Command: arp-snooping enable
    Remarks: Optional. Disabled by default.

 

Displaying and maintaining ARP snooping

 

Task: Display ARP snooping entries.
    Command: display arp-snooping [ ip ip-address | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Remove ARP snooping entries.
    Command: reset arp-snooping [ ip ip-address | vlan vlan-id ]
    Remarks: Available in user view.


 
