Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security
6.3.2 Enabling Strict ARP Learning
Strict ARP learning prevents attackers from sending packets with the bogus gateway address to
attack the AR1200-S.
Procedure
• Configuring strict ARP learning globally
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     arp learning strict
     Strict ARP learning is enabled.
     By default, strict ARP learning is disabled on the AR1200-S.
• Configuring strict ARP learning on an interface
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
     On the AR1200-S, strict ARP learning can be enabled on Layer 3 Ethernet interfaces
     and their sub-interfaces, Layer 3 GE interfaces and their sub-interfaces, Layer 3
     Eth-Trunk interfaces and their sub-interfaces, and VLANIF interfaces.
  3. Run:
     arp learning strict { force-enable | force-disable | trust }
     The strict ARP entry learning function is enabled on the interface.
     – force-enable: enables strict ARP entry learning on an interface.
     – force-disable: disables strict ARP entry learning on an interface.
     – trust: indicates that the configuration of strict ARP entry learning on an interface
       is the same as that configured globally.
     By default, the configuration of strict ARP entry learning on an interface is the same
     as that configured globally.
----End
6.3.3 Configuring Interface-based ARP Entry Limiting
If attackers occupy a large number of ARP entries, the AR1200-S cannot learn ARP entries of
authorized users. To prevent such attacks, set the maximum number of ARP entries that can be
dynamically learned by an interface.
Issue 02 (2012-03-30)
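How the global and per-interface strict ARP learning settings from section 6.3.2 combine, modeled in Python as an added example (not Huawei code and not part of the original guide). The rule that strict mode learns only from replies to the device's own ARP requests is an assumption about the mechanism that this page does not spell out; the interface name and addresses are constructed sample values.

```python
MODES = ("force-enable", "force-disable", "trust")


def effective_strict(global_strict, interface_mode="trust"):
    """Resolve the per-interface setting against the global one (section 6.3.2)."""
    if interface_mode not in MODES:
        raise ValueError(f"unknown mode: {interface_mode}")
    if interface_mode == "trust":          # default: follow the global setting
        return global_strict
    return interface_mode == "force-enable"


class Interface:
    def __init__(self, name, global_strict=False, mode="trust"):
        self.name = name
        self.strict = effective_strict(global_strict, mode)
        self.pending = set()   # IPs this device has sent ARP requests for
        self.arp_table = {}    # ip -> mac, dynamically learned entries

    def send_request(self, target_ip):
        self.pending.add(target_ip)

    def receive(self, op, sender_ip, sender_mac):
        """Return True if the packet creates or updates an ARP entry."""
        solicited = op == "reply" and sender_ip in self.pending
        if self.strict and not solicited:
            return False       # ASSUMPTION: strict mode ignores unsolicited ARP
        self.pending.discard(sender_ip)
        self.arp_table[sender_ip] = sender_mac
        return True


def demo():
    # Constructed traffic using documentation-range IP and MAC addresses.
    gw_ip, gw_mac, bogus_mac = "192.0.2.1", "00:00:5e:00:53:01", "00:00:5e:00:53:ff"
    cases = [("default", False, "trust"), ("global", True, "trust"),
             ("override-off", True, "force-disable"), ("override-on", False, "force-enable")]
    results = {}
    for label, global_strict, mode in cases:
        intf = Interface("GE0/0/1", global_strict, mode)
        intf.send_request(gw_ip)
        intf.receive("reply", gw_ip, gw_mac)      # answer to the device's own request
        intf.receive("reply", gw_ip, bogus_mac)   # unsolicited, claims the gateway IP
        results[label] = intf.arp_table[gw_ip]
    return results


if __name__ == "__main__":
    print(demo())
```

In the model, the gateway entry keeps the genuine MAC only where the effective setting is strict; `force-disable` on an interface leaves it exposed even when strict learning is enabled globally.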
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
6 ARP Security Configuration