Fixed ARP converts existing dynamic ARP entries (including those generated through ARP scanning)
to static ARP entries. Because static entries are not updated by received ARP packets, this prevents
attackers from overwriting them with spoofed ARP replies. Static ARP entries can also be configured
manually with the arp static command.
Configuration restrictions and guidelines
When you configure ARP scanning and fixed ARP, follow these restrictions and guidelines:
• IP addresses in existing ARP entries are not scanned.
• ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP
entries are created based on ARP replies received before the scan is terminated.
• The arp fixup command is a one-time operation. You can use this command again to convert
the dynamic ARP entries learned later to static.
• Due to the limit on the total number of static ARP entries, some dynamic ARP entries might fail
the conversion. Entries that fail the conversion remain dynamic and can still be overwritten by
ARP replies.
• The undo arp fixup command converts existing static ARP entries to dynamic ARP entries.
• To delete a static ARP entry converted from dynamic or a dynamic ARP entry converted from
static, use the undo arp ip-address [ vpn-instance-name ] command. You can also use the
reset arp all command to delete all ARP entries including the converted entries.
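The behaviour described in the guidelines above, as an added example that is not part of the configuration guide or the switch software: a small model of an ARP table in which scanning skips addresses already present, arp fixup converts dynamic entries to static until a cap is reached, and a static entry ignores later ARP replies while an entry that failed conversion is still overwritten. The entry layout, the cap of two static entries and the host addresses are constructed for illustration.

```python
# Added example, not from the configuration guide: a small model of the ARP
# table behaviour the guide describes. Entry layout, static-entry cap and
# host addresses are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class ArpEntry:
    ip: str
    mac: str
    static: bool = False


class ArpTable:
    def __init__(self, max_static: int):
        self.max_static = max_static          # assumed platform cap on static entries
        self.entries: Dict[str, ArpEntry] = {}

    def static_count(self) -> int:
        return sum(e.static for e in self.entries.values())

    def learn(self, ip: str, mac: str) -> bool:
        """Apply a received ARP reply. A static entry is never overwritten,
        which is the point of fixed ARP; a dynamic entry is replaced."""
        cur = self.entries.get(ip)
        if cur is not None and cur.static:
            return False                      # reply ignored, spoofed or not
        self.entries[ip] = ArpEntry(ip, mac)
        return True

    def scan(self, responders: Dict[str, str], start: str, end: str) -> int:
        """Model 'arp scan start to end': probe every address in the range except
        those already in the table, and learn one dynamic entry per reply.
        'responders' stands in for the hosts that answer on the segment."""
        learned = 0
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        for n in range(lo, hi + 1):
            ip = str(ipaddress.IPv4Address(n))
            if ip in self.entries:            # existing entries are not scanned
                continue
            mac = responders.get(ip)
            if mac is not None and self.learn(ip, mac):
                learned += 1
        return learned

    def fixup(self) -> Tuple[int, int]:
        """Model 'arp fixup': convert dynamic entries to static until the cap is hit.
        Returns (converted, failed); failed entries stay dynamic and poisonable."""
        converted = failed = 0
        for e in self.entries.values():
            if e.static:
                continue
            if self.static_count() < self.max_static:
                e.static = True
                converted += 1
            else:
                failed += 1
        return converted, failed

    def undo_fixup(self) -> None:
        """Model 'undo arp fixup': every static entry becomes dynamic again."""
        for e in self.entries.values():
            e.static = False


def demo() -> dict:
    # Constructed segment: three hosts answer; the table holds only two static entries.
    responders = {
        "192.168.1.1": "00:11:22:33:44:01",   # gateway
        "192.168.1.10": "00:11:22:33:44:0a",
        "192.168.1.20": "00:11:22:33:44:14",
    }
    table = ArpTable(max_static=2)
    learned = table.scan(responders, "192.168.1.1", "192.168.1.30")
    converted, failed = table.fixup()
    attacker = "de:ad:be:ef:00:01"
    # A spoofed reply for the gateway bounces off its static entry...
    gateway_poisoned = table.learn("192.168.1.1", attacker)
    # ...but the entry that did not fit under the cap is still overwritten.
    leftover_poisoned = table.learn("192.168.1.20", attacker)
    return {
        "learned": learned,
        "converted": converted,
        "failed": failed,
        "gateway_mac": table.entries["192.168.1.1"].mac,
        "gateway_poisoned": gateway_poisoned,
        "leftover_poisoned": leftover_poisoned,
    }
```

The third host is the one that fails conversion under the cap, and it is the one an attacker can still poison; on a real switch that is the entry to look for after arp fixup, because nothing in the command's success tells you which entries were left dynamic.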
Configuration procedure
To configure ARP scanning and fixed ARP:

Step                                                    Command
1. Enter system view.                                   system-view
2. Enter Layer 3 Ethernet interface, VLAN interface,    interface interface-type interface-number
   or Layer 3 aggregate interface view.
3. Trigger an ARP scan.                                 arp scan [ start-ip-address to end-ip-address ]
4. Exit to system view.                                 quit
5. Enable fixed ARP.                                    arp fixup

Configuring ARP gateway protection
IMPORTANT:
This feature is available in Release 2137 and later versions.
Configure this feature on interfaces that are not connected to a gateway (the ports facing hosts)
to prevent gateway spoofing attacks.
When such an interface receives an ARP packet, it checks whether the sender IP address in the
packet matches the IP address of any protected gateway. If it matches, the interface discards the
packet. If not, the interface processes the packet normally.
Configuration guidelines
When you configure ARP gateway protection, follow these guidelines:
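The gateway protection check described above, as an added example that is not part of the configuration guide or the switch software: a parser for Ethernet/ARP frames and the decision the feature makes on each one, dropping any ARP packet whose sender IP address matches a protected gateway and forwarding everything else. The frame builder, the sample addresses and the protected-gateway list are constructed for illustration. The check covers ARP requests as well as replies, since a gratuitous request carrying the gateway's IP as sender is the usual spoofing vector.

```python
# Added example, not from the configuration guide: an Ethernet/ARP frame parser
# plus the ARP gateway protection decision. Frame builder, addresses and the
# protected-gateway list are constructed for illustration.
import struct
import ipaddress

ETHERTYPE_ARP = 0x0806
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
BROADCAST = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed Ethernet II + ARP frame (oper 1 = request, 2 = reply)."""
    dst = BROADCAST if oper == 1 else mac_bytes(tha)
    eth = dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, oper,
                   mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                   mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + ARP.size:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sender_mac": mac_str(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac_str(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def gateway_protect(frame: bytes, protected_gateways) -> str:
    """Decision for one frame on an interface with ARP gateway protection enabled:
    'drop' when the sender IP claims a protected gateway, 'forward' otherwise.
    Requests and replies are both checked; only the sender IP field matters."""
    arp = parse_arp(frame)
    if arp is None:
        return "forward"             # not ARP; the feature does not touch it
    if arp["sender_ip"] in set(protected_gateways):
        return "drop"
    return "forward"


def demo() -> dict:
    protected = ["10.0.0.1"]
    attacker = "de:ad:be:ef:00:01"
    frames = {
        # a host asking for the gateway: sender IP is the host's own, so it passes
        "host_request": build_arp(1, "00:11:22:33:44:50", "10.0.0.50",
                                  "00:00:00:00:00:00", "10.0.0.1"),
        # attacker on this port announcing itself as the gateway (gratuitous request)
        "spoof_gratuitous": build_arp(1, attacker, "10.0.0.1",
                                      "00:00:00:00:00:00", "10.0.0.1"),
        # attacker answering a host's query with the gateway's IP as sender
        "spoof_reply": build_arp(2, attacker, "10.0.0.1",
                                 "00:11:22:33:44:50", "10.0.0.50"),
        # non-ARP frame (IPv4 ethertype) is left alone
        "ipv4": b"\x00" * 12 + b"\x08\x00" + b"\x00" * 40,
    }
    return {name: gateway_protect(f, protected) for name, f in frames.items()}
```

The decision is deliberately made on the sender IP alone, not on the sender MAC: the feature does not know the gateway's real MAC, it only knows that no host behind this interface is the gateway, so any claim to that address is illegitimate by construction.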