| To do... | Use the command... | Remarks |
|---|---|---|
| Enable ARP automatic scanning | arp scan [ start-ip-address to end-ip-address ] | Required |
| Return to system view | quit | — |
| Enable fixed ARP | arp fixup | Required |

NOTE:

IP addresses already existing in ARP entries are not scanned.

ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries.

Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static ARP entries.

The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the switch supports. As a result, the switch may fail to change all dynamic ARP entries into static ARP entries.

To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address command. To delete all such static ARP entries, use the reset arp all or reset arp static command.

Configuring ARP gateway protection

Introduction

The ARP gateway protection feature, if configured on ports not connected with the gateway, can block gateway spoofing attacks.

When such a port receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet normally.

Configuration procedure

Follow these steps to configure ARP gateway protection:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Layer 2 Ethernet port view/Layer 2 aggregate interface view | interface interface-type interface-number | — |
| Enable ARP gateway protection for a specified gateway | arp filter source ip-address | Required. Disabled by default. |
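
The check described in the introduction can be modelled in a few lines. The following Python sketch is an added example, not code from this guide or from the switch software: it parses the sender IP address field of an ARP payload and applies the per-port decision. The port names, IP addresses and MAC addresses are constructed sample values, and the PROTECTED table stands in for the addresses configured with arp filter source.

```python
import socket
import struct

# ARP payload for Ethernet/IPv4 (RFC 826): htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP = 28 bytes.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)

def make_sample(oper, sender_mac, sender_ip_addr, target_mac, target_ip_addr):
    """Build a constructed ARP payload in memory (oper 1 = request, 2 = reply)."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       to_mac(sender_mac), socket.inet_aton(sender_ip_addr),
                       to_mac(target_mac), socket.inet_aton(target_ip_addr))

def sender_ip(arp_payload):
    """Return the sender IP address carried inside the ARP payload."""
    if len(arp_payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    fields = struct.unpack(ARP_FMT, arp_payload[:ARP_LEN])
    return socket.inet_ntoa(fields[6])

def port_accepts(port, arp_payload, protected):
    """Discard (False) if the sender IP matches a gateway protected on this port;
    otherwise the packet is handled normally (True)."""
    return sender_ip(arp_payload) not in protected.get(port, set())

# Assumed topology: the real gateway 10.1.1.1 is reached through GE1/0/24,
# hosts attach to GE1/0/1. Protection is configured only on the host port.
PROTECTED = {"GE1/0/1": {"10.1.1.1"}}

# Constructed samples: a reply claiming the gateway IP, the gateway's own
# reply, and an ordinary host request for the gateway's MAC address.
SPOOFED = make_sample(2, "00:11:22:33:44:55", "10.1.1.1",
                      "00:aa:bb:cc:dd:ee", "10.1.1.20")
GENUINE = make_sample(2, "00:0f:e2:00:00:01", "10.1.1.1",
                      "00:aa:bb:cc:dd:ee", "10.1.1.20")
HOST_REQ = make_sample(1, "00:11:22:33:44:55", "10.1.1.10",
                       "00:00:00:00:00:00", "10.1.1.1")

if __name__ == "__main__":
    for name, port, pkt in [("spoofed reply on host port", "GE1/0/1", SPOOFED),
                            ("gateway reply on uplink", "GE1/0/24", GENUINE),
                            ("host request on host port", "GE1/0/1", HOST_REQ)]:
        verdict = "forward" if port_accepts(port, pkt, PROTECTED) else "discard"
        print(f"{name}: sender {sender_ip(pkt)} -> {verdict}")
```

The model also shows why the feature belongs only on ports not connected with the gateway: if 10.1.1.1 were protected on GE1/0/24 as well, the gateway's own ARP packets would match the filter and be discarded.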