Configure egress ARP inspection (EAI) on S series switches


After EAI is enabled on an S series switch (except the S1700 switch), the switch restricts the scope of ARP packet forwarding. This function prevents broadcast of ARP packets in a VLAN and reduces the traffic volume in the VLAN.
1. In the VLAN view, run the dhcp snooping arp security enable command to enable EAI.
By default, EAI is disabled.
2. (Optional) Run the dhcp snooping arp security isolate-forwarding-trust command to forward ARP packets to trusted interfaces when port isolation is enabled on both inbound and outbound interfaces. If port isolation is enabled on the interface connected to the user side, perform this configuration on the switch enabled with EAI and configure intra-VLAN proxy ARP on the uplink devices.
By default, the function of forwarding ARP packets to trusted interfaces when port isolation is enabled on both inbound and outbound interfaces is disabled.

Other related questions:
ARP anti-spoofing configuration on S series switch
The S series switch, except S1700, provides various methods to prevent ARP spoofing attacks.
- Dynamic ARP inspection (DAI). This function applies to the network where DHCP snooping is configured. It is recommended to configure DAI on the access switches. DAI can prevent man-in-the-middle attacks.
  # Enable DAI on GE 1/0/1.
  [HUAWEI] interface gigabitethernet 1/0/1
  [HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
  # Enable DAI in VLAN 100.
  [HUAWEI] vlan 100
  [HUAWEI-vlan100] arp anti-attack check user-bind enable
- Configure fixed ARP. To prevent ARP spoofing attacks, configure fixed ARP on the gateway.
  # Enable fixed ARP in fixed MAC mode.
  [HUAWEI] arp anti-attack entry-check fixed-mac enable
- Configure ARP gateway anti-collision (available only on S5720SI/S5720S-SI, S5720EI, S5720HI, S6720EI, and modular switches). When user hosts are directly connected to the gateway, configure this function on the gateway.
  # Enable ARP gateway anti-collision.
  [HUAWEI] arp anti-attack gateway-duplicate enable
- Configure the switch to actively discard gratuitous ARP packets (available only on modular switches). If you confirm that the gratuitous ARP packets are from attackers, enable the gateway to actively discard gratuitous ARP packets.
  # Enable the switch to actively discard gratuitous ARP packets globally.
  [HUAWEI] arp anti-attack gratuitous-arp drop

How to configure dynamic ARP inspection (DAI) on S series switches
For S series switches (except S1700 switches): DAI prevents Man in The Middle (MITM) attacks on authorized user information. When a device receives an ARP packet, it compares the source IP address, source MAC address, port number, and VLAN ID of the ARP packet with those in a binding table. If the ARP packet matches a binding entry, the device considers that the ARP packet is sent by an authorized user and allows the packet to pass through. If the ARP packet does not match any binding entry, the device considers the ARP packet as an attack packet and discards it.

You can enable DAI in the interface view or the VLAN view. When DAI is enabled in the interface view, the device checks all ARP packets received on the interface against the binding entries. When DAI is enabled in the VLAN view, the device checks ARP packets received on interfaces that belong to the VLAN against the binding entries. This function is available only for DHCP snooping scenarios.

# Configure DHCP snooping on the device and enable DAI on a user-side interface.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable //Enable DHCP snooping on the user-side interface.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted //Configure the network-side interface connected to the DHCP server as a trusted interface. If DHCP snooping is configured on a DHCP relay device, configuring a trusted interface is optional.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure a static binding entry for a user with a static IP address.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable //Enable DAI on the user-side interface.
[HUAWEI-GigabitEthernet1/0/1] quit

# Configure DHCP snooping on the device and enable DAI in the VLAN to which users belong.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable //Enable DHCP snooping in the VLAN to which users belong.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] dhcp snooping enable
[HUAWEI-vlan200] dhcp snooping trusted interface gigabitethernet 1/0/2 //Configure the network-side interface connected to the DHCP server as a trusted interface. If DHCP snooping is configured on a DHCP relay device, configuring a trusted interface is optional.
[HUAWEI-vlan200] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure a static binding entry for a user with a static IP address.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable //Enable DAI in the VLAN to which users belong.
[HUAWEI-vlan100] quit
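The following is an added example, not part of the original answer or of any Huawei software: a small Python model of the DAI decision described above, which checks the source IP, source MAC, inbound interface and VLAN of an ARP packet against a binding table and applies the check only where DAI is enabled in the interface view or the VLAN view. The binding table, interface names and packets are constructed samples; the static entry mirrors the user-bind static ip-address 10.10.10.1 vlan 100 command on the page, and a field left unspecified in an entry is treated as matching anything.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One binding-table entry. None means the field was not specified
    (e.g. a static entry binding only IP and VLAN) and matches anything."""
    ip: str
    vlan: int
    mac: Optional[str] = None        # Huawei CLI MAC format xxxx-xxxx-xxxx
    interface: Optional[str] = None

@dataclass(frozen=True)
class ArpPacket:
    src_ip: str
    src_mac: str
    interface: str                   # interface the ARP packet arrived on
    vlan: int

# Constructed binding table: one entry learned by DHCP snooping and the
# static entry from the page (user-bind static ip-address 10.10.10.1 vlan 100).
BINDINGS = [
    Binding("192.168.1.10", 100, "00e0-fc12-3456", "GE1/0/1"),
    Binding("10.10.10.1", 100),
]
# Where "arp anti-attack check user-bind enable" was run (constructed).
DAI_INTERFACES = {"GE1/0/1"}       # interface view
DAI_VLANS = {100}                  # VLAN view

def matches(b: Binding, p: ArpPacket) -> bool:
    """All four fields must agree; unspecified binding fields are wildcards."""
    return (b.ip == p.src_ip and b.vlan == p.vlan
            and b.mac in (None, p.src_mac)
            and b.interface in (None, p.interface))

def dai_verdict(p: ArpPacket, bindings=BINDINGS,
                dai_ifs=DAI_INTERFACES, dai_vlans=DAI_VLANS) -> str:
    """Return 'forward' or 'discard' for one ARP packet."""
    if p.interface not in dai_ifs and p.vlan not in dai_vlans:
        return "forward"             # DAI not in effect on this path
    if any(matches(b, p) for b in bindings):
        return "forward"             # authorized user
    return "discard"                 # no binding: treated as an attack packet

if __name__ == "__main__":
    for pkt in (ArpPacket("192.168.1.10", "00e0-fc12-3456", "GE1/0/1", 100),
                ArpPacket("192.168.1.1", "00e0-fc12-3456", "GE1/0/1", 100),
                ArpPacket("10.10.10.1", "00e0-fc99-9999", "GE1/0/5", 100),
                ArpPacket("172.16.0.9", "00e0-fc00-0001", "GE1/0/7", 200)):
        print(pkt.src_ip, pkt.interface, "->", dai_verdict(pkt))
```

The second packet keeps a legitimate MAC but claims an address that is not bound to it, so it is discarded; the last packet passes only because neither its interface nor its VLAN has DAI enabled, which is why the page recommends enabling DAI on the access switches where users connect.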

Static ARP configuration on S series switch
On an S series switch, except S1700, run the arp static command in the system view to configure a static ARP entry.
- When the outbound interface is an Ethernet interface, run the arp static ip-address mac-address interface interface-type interface-number command to configure a static ARP entry.
- When a VPN instance needs to be specified for the ARP entry, run the arp static ip-address mac-address vpn-instance vpn-instance-name command.
- To configure a short ARP entry (containing only the IP address and MAC address mapping, without a VLAN or outbound interface), run the arp static ip-address mac-address command.

- To configure a static ARP entry in which the IP address is 10.1.1.1, MAC address is 0efc-0505-86e3, VLAN ID is 10, and outbound interface is GE1/0/1, run:
  [HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vid 10 interface gigabitethernet 1/0/1
- To configure a static ARP entry in which the IP address is 10.1.1.1, MAC address is 0efc-0505-86e3, and VPN instance is vpn1, run:
  [HUAWEI] ip vpn-instance vpn1
  [HUAWEI-vpn-instance-vpn1] ipv4-family
  [HUAWEI-vpn-instance-vpn1-af-ipv4] quit
  [HUAWEI-vpn-instance-vpn1] quit
  [HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vpn-instance vpn1

Proxy ARP configuration on S series switch
An S series switch, except S1700, supports the following types of proxy ARP: routed proxy ARP, intra-VLAN proxy ARP, and inter-VLAN proxy ARP, which are configured using the arp-proxy enable, arp-proxy inner-sub-vlan-proxy enable, and arp-proxy inter-sub-vlan-proxy enable commands respectively.
- Routed proxy ARP (available on all models in V2R5 and later versions, but unavailable on S275x and S5700LI in versions earlier than V2R5): The destination IP address in the received ARP request packet and the IP address of the inbound interface are in different subnets, but there is a route to the destination IP address and the outbound/inbound interfaces of the route are different. Routed proxy ARP takes effect in this situation. The switch uses its own MAC address as the source MAC address to return ARP reply packets.
- Intra-VLAN proxy ARP (available on all models in V2R5 and later versions, but unavailable on S275x and S5700LI in versions earlier than V2R5): If the destination IP address of the received ARP request packet and the IP address of the inbound interface are in the same subnet, intra-VLAN proxy ARP takes effect.
- Inter-VLAN proxy ARP (unavailable on S1720, S2720, S275x, S5700LI and E series switches): It is similar to intra-VLAN proxy ARP, but takes effect only on a super VLAN. If the destination IP address of the received ARP request packet and the IP address of the inbound interface are in the same subnet, inter-VLAN proxy ARP takes effect. If the source and destination are in the same VLAN, inter-VLAN proxy ARP is not required.
Regardless of which type of proxy ARP is used, the destination IP address of the received ARP request packet and the IP address of the inbound interface must be in the same subnet.

Configure basic ARP functions on S series switches
On S series switches (except S1700 switches), you can run the display arp all command to display ARP entries.
