H3C SecPath M9000 Comware 7 Web configuration guide (R9153P38 R9724P38 R9001P38 E9153P38)-6W401: 06-Network, 10-ARP

ARP

 

This help contains the following topics:

•     Introduction

      ◦     ARP

      ◦     IP-MAC binding entries

Introduction

ARP

ARP resolves IP addresses into MAC addresses on Ethernet networks.

An ARP table stores dynamic ARP entries and static ARP entries.

Dynamic ARP entries

ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down. In addition, a dynamic ARP entry can be overwritten by a static ARP entry.

Dynamic ARP entries can be converted into static ARP entries. After conversion, the static ARP entries cannot be converted back into dynamic ARP entries.

To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn.

Static ARP entries

A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry.

Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.

To communicate with a host by using a fixed IP-to-MAC mapping, configure a short static ARP entry on the device. To communicate with a host by using a fixed IP-to-MAC mapping through an interface in a VLAN, configure a long static ARP entry on the device.

IP-MAC binding entries

The device prevents user spoofing attacks by using an IP-MAC binding table to filter out illegitimate packets with forged source IP addresses or MAC addresses.

IP-MAC binding entries can be created manually or generated in bulk.

•     Manual creation: You can manually create IP-MAC binding entries one by one. This method is applicable only to networks that do not contain many hosts.

•     Bulk generation: You can configure the device to generate IPv4-MAC binding entries in bulk based on ARP entries on an interface. This method is applicable only to networks that contain many hosts.

Configure IP-MAC binding entries on the device to improve communication security. Upon receiving a packet, the device compares the source IP address and source MAC address in the packet with the IP-MAC binding entries.

•     If the source IP address and source MAC address match the same entry, the device determines that the packet is from a legal user and permits the packet to pass through.

•     In the following situations, the device determines that the packet is a forged packet and drops the packet:

      ◦     Only the source IP address or source MAC address matches a binding entry.

      ◦     The source IP address and source MAC address match two different binding entries.

•     If the source IP address and the source MAC address match no binding entry, the device processes the packet based on the default action.
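The matching rules above, together with bulk generation from ARP entries, can be modeled as follows. This is an added example, not H3C code: the `BindingTable` class, its method names, the "permit"/"drop" values for the default action, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def norm_mac(mac):
    """Reduce aa:bb:.., aa-bb-.. or aabb-ccdd-eeff notation to 12 hex digits."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class BindingTable:
    """Hypothetical model of an IP-MAC binding table (not the device's code)."""
    def __init__(self, default_action="permit"):
        self.default_action = default_action  # assumed values: "permit" / "drop"
        self.pairs, self.ips, self.macs = set(), set(), set()

    def add(self, ip, mac):
        """Manual creation: add one binding entry."""
        ip, mac = ipaddress.ip_address(ip), norm_mac(mac)
        self.pairs.add((ip, mac))
        self.ips.add(ip)
        self.macs.add(mac)

    def add_from_arp(self, arp_entries):
        """Bulk generation: one binding per (ip, mac) ARP entry of an interface."""
        for ip, mac in arp_entries:
            self.add(ip, mac)

    def check(self, src_ip, src_mac):
        """Return (action, reason) for a packet's source IP and source MAC."""
        ip, mac = ipaddress.ip_address(src_ip), norm_mac(src_mac)
        if (ip, mac) in self.pairs:
            return "permit", "IP and MAC match the same entry"
        if ip in self.ips and mac in self.macs:
            return "drop", "IP and MAC match two different entries"
        if ip in self.ips or mac in self.macs:
            return "drop", "only the IP or only the MAC matches an entry"
        return self.default_action, "no entry matches; default action"

# Constructed sample data (documentation addresses, not from the page).
ARP_ENTRIES = [("192.0.2.10", "00:11:22:33:44:55"),
               ("192.0.2.20", "0011-2233-4466")]

def demo():
    table = BindingTable(default_action="permit")
    table.add_from_arp(ARP_ENTRIES)
    packets = [("192.0.2.10", "00-11-22-33-44-55"),   # bound pair
               ("192.0.2.10", "00:11:22:33:44:66"),   # IP and MAC from different entries
               ("192.0.2.10", "de:ad:be:ef:00:01"),   # bound IP, unbound MAC
               ("192.0.2.99", "de:ad:be:ef:00:02")]   # neither address is bound
    return [table.check(ip, mac) for ip, mac in packets]

if __name__ == "__main__":
    for action, reason in demo():
        print(f"{action:6} {reason}")
```

With a default action of "permit", hosts that have no binding entry at all still pass, so only the addresses that appear in the table are protected against spoofing.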
