Configure multi-interface ARP on S series switches

32

After multi-interface ARP is enabled on an S series switch (except the S1700 switch�?, the switch can send packets to the IP address of a network load balancing (NLB) cluster through all outbound interfaces connected to the NLB servers. By default, no MAC address entry is configured for multiple outbound interfaces.
1. You can configure multi-interface ARP for the first time in the system view. After creating an MAC address entry that corresponds to multiple outbound interfaces, you can add or delete specific interfaces in corresponding interface views.
- In the system view, run the mac-address multiport mac-address interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-10> vlan vlan-id command to configure a MAC address entry that corresponds to multiple outbound interfaces.
The specified interfaces must be on the same card. The value of interface-number2 must be greater than the value of interface-number1. interface-number1 and interface-number2 specify a range of interfaces.
- In an interface view, run the mac-address multiport mac-address vlan vlan-id command to configure the MAC address of the interface as the multi-interface MAC address.
2. Run the arp static ip-address mac-address command to configure a short static ARP entry. The value of mac-address must be the same as the multi-interface MAC address configured in step 1.
For example, configure a MAC address entry that corresponds to multiple outbound interfaces on Switch:
[Switch] mac-address multiport 03bf-0a80-f6fc interface gigabitethernet 1/0/1 to gigabitethernet 1/0/3 vlan 10
Configure a static ARP entry on Switch.
[Switch] arp static 10.128.246.252 03bf-0a80-f6fc
Note: Multi-interface ARP is supported in V200R003 and later versions, and is not supported by S1720, S2720, S275x, S5700LI/S5700SI/S5700EI, or S5720SI.

Other related questions:
Static ARP configuration on S series switch
On an S series switch, except S1700, run the arp static command in the system view to configure a static ARP entry. When the outbound interface is an Ethernet interface, run the arp static ip-address mac-address interface interface-type interface-number command to configure a static ARP entry. When a VPN instance needs to be specified for the ARP entry, run the arp static ip-address mac-address vpn-instance vpn-instance-name command. To configure a short ARP entry (only contains IP address and MAC address mapping, without VLAN or outbound interface), run the arp static ip-address mac-address command. To configure a static ARP entry in which the IP address is 10.1.1.1, MAC address is 0efc-0505-86e3, VLAN ID is 10, and outbound interface is GE1/0/1, run: [HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vid 10 interface gigabitethernet 1/0/1 - To configure a static ARP entry in which the IP address is 10.1.1.1, MAC address is 0efc-0505-86e3, and VPN instance is vpn1, run: [HUAWEI] ip vpn-instance vpn1 [HUAWEI-vpn-instance-vpn1] ipv4-family [HUAWEI-vpn-instance-vpn1-af-ipv4] quit [HUAWEI-vpn-instance-vpn1] quit [HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vpn-instance vpn1

Proxy ARP configuration on S series switch
An S series switch, except S1700, supports the following proxy ARP: routed proxy ARP, intra-VLAN proxy ARP, and inter-VLAN proxy ARP, which are configured using the arp-proxy enable, arp-proxy inner-sub-vlan-proxy enable, and arp-proxy inter-sub-vlan-proxy enable commands respectively. Routed proxy ARP (available on all models in V2R5 and later versions, but unavailable on S275x and S5700LI in the versions earlier than V2R5) The destination IP address in the received ARP request packet and the IP address of the inbound interface are in different subnets, but there is a route to the destination IP address and the outbound/inbound interfaces of the route are different. Routed proxy ARP takes effect in this situation. The switch uses its MAC address as the source MAC address to return ARP reply packets. Intra-VLAN proxy ARP (available on all models in V2R5 and later versions, but unavailable on S275x and S5700LI in the versions earlier than V2R5) If the destination IP address of the received ARP request packet and the IP address of the inbound interface are in the same subnet, intra-VLAN proxy ARP takes effect. Inter-VLAN proxy ARP (unavailable on S1720, S2720, S275x, S5700LI and E series switches) It is similar to intra-VLAN proxy ARP. Inter-VLAN proxy ARP takes effect only on super VLAN. If the destination IP address of the received ARP request packet and the IP address of the inbound interface are in the same subnet, inter-VLAN proxy ARP takes effect. If the source and destination are in the same VLAN, inter-VLAN proxy ARP is not required. Regardless of which type of proxy ARP is used, the destination IP address of the received ARP request packet and the IP address of the inbound interface must be in the same subnet.

Configure basic ARP functions on S series switches
On S series switches (except S1700 switches), you can run the display arp all command to display ARP entries.

ARP rate limiting on S series switch
An S series switch, except S1700, can limit the rate of ARP packets and ARP Miss messages. When the switch receives many ARP packets, configure ARP packet rate limiting to prevent CPU overloading. When the switch receives many IP packets of which the destination IP addresses cannot be resolved, the switch generates a large number of ARP Miss messages, delivers temporary ARP entries and sends may ARP request packets to the destination network. This increases CPU load and consumes bandwidth. To avoid IP packet attacks, configure ARP Miss rate limiting on the switch.

ARP anti-spoofing configuration on S series switch
The S series switch, except S1700, provides various methods to prevent ARP spoofing attacks. Dynamic ARP inspection (DAI) This function applies to the network where DHCP snooping is configured. It is recommended to configure DAI on the access switches.DAI can prevent man-in-the-middle attacks. # Enable DAI on GE 1/0/1. [HUAWEI] interface gigabitethernet 1/0/1 [HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable # Enable DAI in VLAN 100. [HUAWEI] vlan 100 [HUAWEI-vlan100] arp anti-attack check user-bind enable - Configure fixed ARP. To prevent ARP spoofing attacks, configure fixed ARP on the gateway. # Enable fixed ARP in fixed MAC mode. [HUAWEI] arp anti-attack entry-check fixed-mac enable - Configure ARP gateway anti-collision (available on only S5720SI/S5720S-SI, S5720EI, S5720HI, S6720EI, and modular switches). When user hosts are directly connected to the gateway, configure this function on the gateway. # Enable ARP gateway anti-collision. [HUAWEI] arp anti-attack gateway-duplicate enable - Configure the switch to actively discard gratuitous ARP packets (only available on modular switches). If you confirm that the gratuitous ARP packets are from attackers, enable the gateway to actively discard gratuitous ARP packets. # Enable the switch to actively discard gratuitous ARP packets globally. [HUAWEI] arp anti-attack gratuitous-arp drop

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top