Method used to configure the authorized ARP on USG firewalls


When authorized Address Resolution Protocol (authorized ARP) is enabled, the DHCP server automatically adds an ARP entry containing the client's MAC address and IP address to the ARP mapping table each time it successfully allocates an IP address to a client. This prevents attacks that forge the IP addresses or MAC addresses of legitimate DHCP clients and improves network security.
Authorized ARP takes effect only on devices that have the DHCP server function enabled. It applies only to networks where the DHCP server and the DHCP clients are on the same network segment, not to DHCP relay networking.
To enable authorized ARP, run the dhcp arpbind enable command in the system view. By default, authorized ARP is not enabled on the device.

Other related questions:
Method used to configure the gratuitous ARP on USG firewalls
A gratuitous ARP packet is a special ARP packet. Both the sender IP address and the destination IP address carried in the packet are the local IP address. The sender MAC address is the local MAC address, and the destination MAC address is the broadcast address. Gratuitous ARP has the following functions:
1. It is used to check for duplicate IP addresses. In normal situations, no ARP response is received. If an ARP response is received, a duplicate IP address exists on the network.
2. It is used to advertise a new MAC address. If the NIC of the sender is changed, the MAC address changes accordingly. To advertise the new MAC address to all hosts before the ARP entry ages out, the sender can send a gratuitous ARP packet.
By configuring gratuitous ARP, you allow devices to actively learn and send gratuitous ARP packets.
To configure gratuitous ARP packet learning, run the gratuitous-arp learn enable command in the interface view. By default, gratuitous ARP packet learning is enabled on the interface.
To configure gratuitous ARP packet sending, run the gratuitous-arp send enable [ interval interval ] command in the interface view. By default, gratuitous ARP packet sending is disabled on the interface.

Method used to configure the proxy ARP on USG firewalls
Proxy ARP is also known as routed proxy ARP. When no default gateway address is configured on a host (that is, the host does not know the route to the intermediate system of the local network), the host can still send an ARP request for the MAC address of the destination host. Upon receiving this request, a device with proxy ARP enabled responds to the ARP request using its own MAC address. In this way, internal hosts that are on different physical networks but have the same network number can communicate with each other normally.
To configure proxy ARP from the command line, run the arp-proxy enable command in the interface view. By default, proxy ARP is not enabled on the interface.

Method used to configure static ARP binding on USG firewalls
The command used to configure static ARP binding on the USG2000, USG5000, and USG6000 is as follows. In the static ARP entry, the IP address is 10.10.10.1/24, and the corresponding MAC address is 0025-1185-8C21.
    system-view
    [USG] arp static 10.10.10.1 0025-1185-8C21

Method used to delete the static ARP configuration on USG firewalls
The command used to delete the static ARP configuration on the USG2000, USG5000, and USG6000 is as follows. For example, to delete the static binding with IP address 10.10.10.1 and MAC address 0025-1185-8C21, run the following command:
    [USG] undo arp static 10.10.10.1 0025-1185-8C21

Method used to check the total number of ARP entries on USG firewalls
On the USG2000, USG5000, and USG6000, there is no dedicated command for viewing ARP entry statistics. Run the display arp command and read the total number of ARP entries from the last line. For example:
    display arp
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
    ------------------------------------------------------------------------------
    2.2.2.3         00e0-fcd6-6f66            I    GE0/0/0
    ------------------------------------------------------------------------------
    Total:1         Dynamic:0       Static:0    Interface:1
When a large number of ARP entries exist on the firewall, run the following command to view only the totals:
    display arp | in Total
    Total:1         Dynamic:0       Static:0    Interface:1
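The following Python parser for saved display arp output is an added example, not code from the original page or from Huawei. It checks the Total line against the rows it parsed and lists MAC addresses that appear for more than one IP address. Assumptions: the D and S type codes and every sample row except 2.2.2.3 are constructed, since the page shows only the I type.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the display arp layout shown on this page.
# Only the 2.2.2.3 row comes from the page; the other rows are made up.
SAMPLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
------------------------------------------------------------------------------
2.2.2.3         00e0-fcd6-6f66            I    GE0/0/0
10.10.10.1      0025-1185-8c21            S    GE0/0/1
10.10.10.7      0025-1185-8c21  18        D    GE0/0/1
10.10.10.9      00e0-fc12-3456  20        D    GE0/0/1
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:1    Interface:1
"""

# IP, MAC, optional EXPIRE(M) (empty for entries that do not age), TYPE, INTERFACE.
ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})\s+"
    r"(?:(\d+)\s+)?([A-Z])\S*\s+(\S+)"
)
# Assumption: D and S mark dynamic and static entries; the page shows only I.
KIND = {"D": "Dynamic", "S": "Static", "I": "Interface"}

def audit_arp(text):
    """Return (entries, count mismatches, MACs seen with more than one IP)."""
    entries, reported = [], {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, mac, expire, code, ifname = m.groups()
            entries.append({"ip": ip, "mac": mac.lower(), "expire": expire,
                            "type": KIND.get(code, code), "interface": ifname})
        elif line.lstrip().startswith("Total:"):
            reported = {k: int(v) for k, v in re.findall(r"(\w+):(\d+)", line)}
    counted = Counter(e["type"] for e in entries)
    counted["Total"] = len(entries)
    # A mismatch means rows were truncated or the parser missed a row format.
    mismatches = {k: (v, counted.get(k, 0))
                  for k, v in reported.items() if counted.get(k, 0) != v}
    by_mac = defaultdict(set)
    for e in entries:
        by_mac[e["mac"]].add(e["ip"])
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return entries, mismatches, shared

if __name__ == "__main__":
    _, mismatches, shared = audit_arp(SAMPLE)
    print("count mismatches:", mismatches)
    print("MACs with several IPs:", shared)
```

A MAC address listed for several IP addresses is expected where a proxy ARP device answers with its own MAC address; elsewhere, compare it with the DHCP leases and static bindings.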
