Whether proxy ARP on interfaces of S series switches takes effect on gratuitous ARP packets


On S series switches (except S1700 switches), proxy ARP on interfaces does not take effect on gratuitous ARP packets.

Other related questions:
Can proxy ARP take effect for gratuitous ARP packets after proxy ARP is enabled on an interface
Proxy ARP does not take effect for gratuitous ARP packets.

Gratuitous ARP on S series switches
An S series switch (except the S1700 switch) sends an ARP Request packet with the destination address being its own IP address. This operation is called gratuitous ARP. Gratuitous ARP provides the following functions:
1. Checks for duplicate IP addresses. Normally, the device should not receive an ARP Reply after it sends an ARP Request with the destination address being its own IP address. If the device receives a reply, another device on the network is configured with the same IP address.
2. Declares a new MAC address. If the device has replaced its NIC and the MAC address changes, the device sends a gratuitous ARP packet to declare the change to all hosts before the ARP entries age out.

Why proxy ARP does not take effect after the arp-proxy enable command is used on an interface
Proxy ARP is classified into routed proxy ARP, intra-VLAN proxy ARP, and inter-VLAN proxy ARP, which are configured by arp-proxy enable, arp-proxy inner-sub-vlan-proxy enable, and arp-proxy inter-sub-vlan-proxy enable. Each proxy function takes effect in corresponding scenarios.
- Routed proxy ARP: Routed proxy ARP takes effect when the destination IP address in the received ARP request packet and the IP address of the inbound interface are in different network segments, but there is a route to the destination IP address and the outbound and inbound interfaces of the route are different. A device uses its MAC address as the source MAC address to return ARP response packets.
- Intra-VLAN proxy ARP: Intra-VLAN proxy ARP takes effect when the destination IP address of the received ARP request packet and the IP address of the inbound interface are in the same network segment.
- Inter-VLAN proxy ARP: Inter-VLAN proxy ARP is similar to intra-VLAN proxy ARP. Inter-VLAN proxy ARP takes effect when being applied to the super VLAN. If the destination IP address of the received ARP request packet and the IP address of the inbound interface are in the same network segment, inter-VLAN proxy ARP takes effect. If the source and destination are in the same VLAN, inter-VLAN proxy ARP is not required.
Regardless of whether proxy ARP is used, the source IP address of the received ARP request packet and the IP address of the inbound interface must be in the same network segment. Intra-VLAN proxy is often used; therefore, the arp-proxy inner-sub-vlan-proxy enable command is used more often than the arp-proxy enable command.

Proxy ARP configuration on S series switch
An S series switch, except S1700, supports the following proxy ARP: routed proxy ARP, intra-VLAN proxy ARP, and inter-VLAN proxy ARP, which are configured using the arp-proxy enable, arp-proxy inner-sub-vlan-proxy enable, and arp-proxy inter-sub-vlan-proxy enable commands respectively.
- Routed proxy ARP (available on all models in V2R5 and later versions, but unavailable on S275x and S5700LI in the versions earlier than V2R5): The destination IP address in the received ARP request packet and the IP address of the inbound interface are in different subnets, but there is a route to the destination IP address and the outbound/inbound interfaces of the route are different. Routed proxy ARP takes effect in this situation. The switch uses its MAC address as the source MAC address to return ARP reply packets.
- Intra-VLAN proxy ARP (available on all models in V2R5 and later versions, but unavailable on S275x and S5700LI in the versions earlier than V2R5): If the destination IP address of the received ARP request packet and the IP address of the inbound interface are in the same subnet, intra-VLAN proxy ARP takes effect.
- Inter-VLAN proxy ARP (unavailable on S1720, S2720, S275x, S5700LI and E series switches): It is similar to intra-VLAN proxy ARP. Inter-VLAN proxy ARP takes effect only on super VLAN. If the destination IP address of the received ARP request packet and the IP address of the inbound interface are in the same subnet, inter-VLAN proxy ARP takes effect. If the source and destination are in the same VLAN, inter-VLAN proxy ARP is not required.
Regardless of which type of proxy ARP is used, the destination IP address of the received ARP request packet and the IP address of the inbound interface must be in the same subnet.

ARP anti-spoofing configuration on S series switch
The S series switch, except S1700, provides various methods to prevent ARP spoofing attacks.
- Dynamic ARP inspection (DAI). This function applies to the network where DHCP snooping is configured. It is recommended to configure DAI on the access switches. DAI can prevent man-in-the-middle attacks.
  # Enable DAI on GE 1/0/1.
  [HUAWEI] interface gigabitethernet 1/0/1
  [HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
  # Enable DAI in VLAN 100.
  [HUAWEI] vlan 100
  [HUAWEI-vlan100] arp anti-attack check user-bind enable
- Configure fixed ARP. To prevent ARP spoofing attacks, configure fixed ARP on the gateway.
  # Enable fixed ARP in fixed MAC mode.
  [HUAWEI] arp anti-attack entry-check fixed-mac enable
- Configure ARP gateway anti-collision (available on only S5720SI/S5720S-SI, S5720EI, S5720HI, S6720EI, and modular switches). When user hosts are directly connected to the gateway, configure this function on the gateway.
  # Enable ARP gateway anti-collision.
  [HUAWEI] arp anti-attack gateway-duplicate enable
- Configure the switch to actively discard gratuitous ARP packets (only available on modular switches). If you confirm that the gratuitous ARP packets are from attackers, enable the gateway to actively discard gratuitous ARP packets.
  # Enable the switch to actively discard gratuitous ARP packets globally.
  [HUAWEI] arp anti-attack gratuitous-arp drop
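
The gratuitous ARP definition above (a request whose target IP is the sender's own IP) and the idea of checking ARP packets against binding entries, sketched as an added Python example. It is not Huawei code: the binding table, addresses, and function names are constructed for illustration, and the check is simplified to IP-to-MAC only.

```python
import ipaddress
import struct

# Constructed IP -> MAC bindings, standing in for a DHCP snooping binding table.
BINDINGS = {
    "192.0.2.10": "00:11:22:33:44:55",  # user host
    "192.0.2.1": "00:aa:bb:cc:dd:01",   # gateway
}

def build_arp(op, sha, spa, tpa, tha="00:00:00:00:00:00"):
    """Build a constructed 28-byte Ethernet/IPv4 ARP payload for the samples."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

def parse_arp(payload):
    """Parse an Ethernet/IPv4 ARP payload into (op, sender MAC, sender IP, target IP)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    sender_mac = ":".join(f"{b:02x}" for b in sha)
    return op, sender_mac, str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))

def classify(payload, bindings=BINDINGS):
    """Return (is_gratuitous, verdict) for one ARP payload."""
    _op, sha, spa, tpa = parse_arp(payload)
    # Gratuitous ARP: the packet asks about the sender's own IP address.
    gratuitous = spa == tpa
    bound_mac = bindings.get(spa)
    if bound_mac is None:
        verdict = "no-binding"
    elif bound_mac != sha:
        verdict = "mismatch"   # sender claims an IP that is bound to another MAC
    else:
        verdict = "ok"
    return gratuitous, verdict

# Constructed samples: normal request, valid gratuitous ARP, conflicting gratuitous ARP.
NORMAL = build_arp(1, "00:11:22:33:44:55", "192.0.2.10", "192.0.2.1")
GARP_OK = build_arp(1, "00:11:22:33:44:55", "192.0.2.10", "192.0.2.10")
GARP_BAD = build_arp(1, "00:de:ad:be:ef:00", "192.0.2.1", "192.0.2.1")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("garp_ok", GARP_OK), ("garp_bad", GARP_BAD)):
        print(name, classify(pkt))
```

A "mismatch" verdict on a gratuitous packet for the gateway address is the case the anti-collision and gratuitous-ARP drop functions above are meant to handle.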
