How to configure ARP entry restriction on S and E series switches

For S and E series switches (except S1700 switches):
To prevent a host connected to an interface from exhausting the device's ARP entries through an ARP attack, set the maximum number of ARP entries that the interface can dynamically learn. Once the number of ARP entries learned by the interface reaches this maximum, the interface cannot learn any more dynamic ARP entries.

# Configure VLANIF 10 to dynamically learn a maximum of 20 ARP entries.
[HUAWEI] vlan batch 10
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-limit maximum 20

# Configure Layer 2 interface GE0/0/1 to dynamically learn a maximum of 20 ARP entries from VLAN 10.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20

# Configure Layer 3 interface GE0/0/1 to dynamically learn a maximum of 20 ARP entries.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-limit maximum 20

The interfaces on some switch models cannot switch between Layer 2 and Layer 3 modes through the undo portswitch command.
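
The following is an added example, not part of the original page or Huawei's own tooling: a Python check that reads a saved configuration and reports which interfaces carry the arp-limit commands shown above and which have none. The sample configuration is constructed, and its layout (interface blocks with space-indented commands, separated by # lines) is an assumption about how the configuration is displayed.

```python
import re

# Constructed sample. Assumed layout: "interface <name>" opens a block,
# its commands are indented by a space, and "#" closes the block.
SAMPLE_CONFIG = """\
#
vlan batch 10
#
interface Vlanif10
 arp-limit maximum 20
#
interface GigabitEthernet0/0/1
 arp-limit vlan 10 maximum 20
#
interface GigabitEthernet0/0/2
 undo portswitch
#
interface GigabitEthernet0/0/3
 undo portswitch
 arp-limit maximum 20
#
"""

# Matches both forms on this page: with and without "vlan <id>".
ARP_LIMIT = re.compile(r"^arp-limit(?: vlan (\d+))? maximum (\d+)$")


def parse_arp_limits(config_text):
    """Return {interface: [(vlan or None, maximum), ...]} for every interface block."""
    limits, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            limits[current] = []
        elif line == "#" or not raw.startswith(" "):
            current = None  # block ended, or this is a global command
        elif current is not None:
            m = ARP_LIMIT.match(line)
            if m:
                vlan = int(m.group(1)) if m.group(1) else None
                limits[current].append((vlan, int(m.group(2))))
    return limits


def interfaces_without_limit(config_text):
    """List interfaces that have no arp-limit command at all."""
    return [name for name, found in parse_arp_limits(config_text).items() if not found]
```

Run against a real configuration export, interfaces_without_limit() gives the list of interfaces that can still learn dynamic ARP entries without a per-interface cap.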
