How to configure ARP entry restriction on S and E series switches


For S and E series switches (except S1700 switches):
To prevent the ARP table from being exhausted by ARP attacks launched from a host connected to an interface on the device, set the maximum number of ARP entries that the interface can learn dynamically. Once the number of ARP entries learned on that interface reaches the configured maximum, no further dynamic ARP entry can be added on it, so one flooding host cannot consume the ARP resources that other interfaces depend on.

# Configure that VLANIF 10 can dynamically learn a maximum of 20 ARP entries.
[HUAWEI] vlan batch 10
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-limit maximum 20

# Configure that Layer 2 interface GE0/0/1 can dynamically learn a maximum of 20 ARP entries from VLAN 10.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20

# Configure that Layer 3 interface GE0/0/1 can dynamically learn a maximum of 20 ARP entries.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-limit maximum 20

The interfaces on some switch models cannot switch between Layer 2 and Layer 3 modes through the undo portswitch command.

Other related questions:
How to configure strict ARP entry learning on S series switches
For S series switches (except S1700 switches), enabling strict ARP entry learning makes the switch learn only the ARP entries carried in ARP Reply packets that answer ARP Request packets the switch itself sent. Enabling strict ARP entry learning affects only ARP entry learning on the switch, not on the hosts.

# Enable strict ARP entry learning on VLANIF 100.
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp learning strict force-enable

# Enable strict ARP entry learning globally on the switch and disable it on Layer 3 interface GE0/0/1 (force-disable overrides the global setting on that interface).
[HUAWEI] arp learning strict
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp learning strict force-disable

The physical interfaces on some switch models cannot switch between Layer 2 and Layer 3 modes through the undo portswitch command.

View ARP entries on S series switches
If an S series switch (except the S1700 switch) works at Layer 2, you can view only the MAC addresses of the devices connected to an interface, not their IP addresses. Run the display mac-address command. The command output is as follows:

MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN  CEVLAN  Port            Type      LSP/LSR-ID
               VSI/SI                                                MAC-Tunnel
-------------------------------------------------------------------------------
5489-980d-4ef6 1           -       -       GE0/0/1         dynamic   0/-
5489-98c2-19e3 20          -       -       GE0/0/2         dynamic   0/-
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 2

If an S series switch (except the S1700 switch) works at Layer 3, run the display arp [ all ] command to view the ARP entries, which map IP addresses to MAC addresses; from these mappings you can also find the outbound interface toward each device. The command output is as follows:

IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.137.217.202  00e0-0987-7890            I -         Eth0/0/0
10.137.216.1    0000-5e00-0149  20        D-0         Eth0/0/0
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0     Interface:1

Given a known MAC address or IP address, you can therefore obtain the outbound interface and the IP-to-MAC mapping of a specific device from the MAC table or the ARP table on the switch.

If the MAC ADDRESS field in this output is Incomplete, the ARP entry is a temporary entry. When an IP packet triggers an ARP Miss message, the switch creates a temporary ARP entry and sends ARP Request packets to the destination network segment. Before the temporary entry ages out, one of the following happens:
Until an ARP Reply packet is received, the switch discards IP packets that match the temporary entry, and no further ARP Miss message is triggered for that address.
When the ARP Reply packet is received, the switch replaces the temporary entry with a correct ARP entry.
When the temporary entry expires without a reply, the switch deletes it.
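The two tables above can be read mechanically, which is useful when you are hunting an ARP-flooding host or checking whether an arp-limit is about to bite. The following Python script is an added example and is not code from this page or from Huawei: it parses display mac-address and display arp output of the shape shown above, joins the two by MAC address to give each host's IP, MAC and physical outbound port, compares per-interface dynamic ARP counts against arp-limit values you supply, and flags temporary (Incomplete) entries. The sample outputs embedded in it are constructed (the page's rows plus extra rows to exercise those cases), and the interface names and limit values are assumptions.

```python
"""Audit VRP `display arp` / `display mac-address` text against arp-limit values.

Added example, not code from the Huawei page. Both sample outputs below are
constructed: they follow the column layout shown on the page, with extra rows
added to exercise the per-interface limit check and the Incomplete entry case.
Interface names and limit values are assumptions for illustration only.
"""
import re
from collections import Counter

MAC_TABLE = """\
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN  CEVLAN  Port            Type      LSP/LSR-ID
               VSI/SI                                                MAC-Tunnel
-------------------------------------------------------------------------------
5489-980d-4ef6 1           -       -       GE0/0/1         dynamic   0/-
5489-98c2-19e3 20          -       -       GE0/0/2         dynamic   0/-
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 2
"""

ARP_TABLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.137.217.202  00e0-0987-7890            I -         Eth0/0/0
10.137.216.1    0000-5e00-0149  20        D-0         Eth0/0/0
10.137.216.7    Incomplete                D-0         Eth0/0/0
10.1.1.5        5489-980d-4ef6  20        D-0         Vlanif1
10.1.1.9        5489-9812-aaaa  18        D-0         Vlanif1
10.1.20.6       5489-98c2-19e3  20        D-0         Vlanif20
------------------------------------------------------------------------------
Total:6         Dynamic:5       Static:0     Interface:1
"""

# One data row of display mac-address: MAC, VLAN/VSI/SI, PEVLAN, CEVLAN, Port, Type.
MAC_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)",
    re.M,
)
# One data row of display arp: IP, MAC or "Incomplete", optional EXPIRE(M),
# TYPE ("I -" interface, "D-0" dynamic, "S--" static), INTERFACE.
ARP_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(Incomplete|[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
    r"\s+(?:(\d+)\s+)?([IDS]\S*(?: -)?)\s+(\S+)",
    re.M,
)


def parse_mac_table(text):
    """Return {mac: (vlan, port, type)} from display mac-address output."""
    return {m.group(1): (m.group(2), m.group(5), m.group(6))
            for m in MAC_RE.finditer(text)}


def parse_arp_table(text):
    """Return one dict per ARP entry from display arp [ all ] output."""
    entries = []
    for m in ARP_RE.finditer(text):
        ip, mac, expire, typ, iface = m.groups()
        entries.append({
            "ip": ip,
            "mac": None if mac == "Incomplete" else mac,  # None = temporary entry
            "expire_min": int(expire) if expire else None,
            "dynamic": typ.startswith("D"),
            "interface": iface,
        })
    return entries


def dynamic_count_per_interface(entries):
    """Dynamic entries per interface. Temporary entries are counted too
    (assumption: they occupy a slot until replaced or expired)."""
    return Counter(e["interface"] for e in entries if e["dynamic"])


def audit(arp_text, mac_text, limits, warn_ratio=0.8):
    """Compare dynamic ARP counts with arp-limit values and flag temporary entries.

    limits: {interface: configured arp-limit maximum} (assumed values).
    Returns (findings, mappings) where mappings = {ip: (mac, physical port, vlan)}.
    """
    entries = parse_arp_table(arp_text)
    macs = parse_mac_table(mac_text)
    counts = dynamic_count_per_interface(entries)
    findings = []
    for iface, limit in sorted(limits.items()):
        n = counts.get(iface, 0)
        if n >= limit:
            # At the maximum: no further dynamic ARP entry can be learned here.
            findings.append(("limit-reached", iface, n, limit))
        elif n >= warn_ratio * limit:
            findings.append(("near-limit", iface, n, limit))
    for e in entries:
        if e["mac"] is None:
            # IP packets to this address are dropped until an ARP Reply arrives.
            findings.append(("temporary", e["interface"], e["ip"]))
    # Join ARP to the MAC table: IP -> MAC -> physical outbound port and VLAN.
    mappings = {}
    for e in entries:
        if e["mac"] in macs:
            vlan, port, _ = macs[e["mac"]]
            mappings[e["ip"]] = (e["mac"], port, vlan)
    return findings, mappings


if __name__ == "__main__":
    limits = {"Vlanif1": 2, "Vlanif20": 20, "Eth0/0/0": 20}  # assumed arp-limit values
    found, maps = audit(ARP_TABLE, MAC_TABLE, limits)
    for f in found:
        print(*f)
    for ip, (mac, port, vlan) in sorted(maps.items()):
        print(f"{ip} -> {mac} via {port} (VLAN {vlan})")
```

Feed it the real command output (for example, captured over SSH) and the arp-limit values from your configuration; a "limit-reached" finding on a user-facing VLANIF, together with a burst of new MAC entries on a single port, is the usual signature of a host flooding ARP behind that port.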

Configurations that affect ARP entry updating on S series switches
S series switches (except S1700 switches) use ARP messages to learn and update dynamic ARP entries; a dynamic entry can be overwritten by a static ARP entry. Dynamic ARP entries age. When a dynamic ARP entry expires, the device sends aging detection packets to the corresponding host. If the host responds within the configured number of detection attempts, the entry is updated; otherwise it is deleted. Besides the aging parameters of dynamic ARP entries themselves, the following configurations on the device commonly affect the aging and updating of dynamic ARP entries.

MAC address-triggered ARP update (not supported by S1720, S2720, S275x, or S5700LI fixed switches)
By default, MAC address entries age after 5 minutes and ARP entries after 20 minutes. In some scenarios a MAC address entry is updated but the corresponding ARP entry is not, so traffic is still forwarded toward the stale outbound interface and user services are affected. If this occurs, run the mac-address update arp command to enable the MAC address-triggered ARP update function. Afterwards, when the outbound interface in a MAC address entry changes, the outbound interface in the corresponding ARP entry is updated as well, so that user services are not interrupted.

Spanning Tree Protocol (STP)
By default, when the device receives an STP Topology Change (TC) packet, it ages or deletes the corresponding ARP entries. If the STP convergence mode is fast, the device deletes the corresponding ARP entries on receiving a TC packet. If the convergence mode is normal, the device rapidly ages them instead: it sets their remaining lifetime to 0 and, if the configured number of aging detection times is greater than 0, performs aging detection on them.

If STP is deployed on the network, configure the device interfaces directly connected to user terminals (such as hosts) as edge ports and enable Bridge Protocol Data Unit (BPDU) protection on them. Otherwise, a large number of TC packets can be generated, which slows STP topology convergence and disrupts the updating and maintenance of ARP entries, affecting user services. To stop the device from aging or deleting ARP entries when it receives TC packets, run the arp topology-change disable command to disable the TC packet response function. You are advised to enable the MAC address-triggered ARP update function at the same time, so that ARP entries still follow an outbound interface that has changed.

Strict ARP learning
After strict ARP learning is enabled, the device learns only from ARP Reply packets that answer ARP Request packets sent by the device itself.

ARP CPCAR
Each type of protocol packet sent to the CPU has a default CPCAR (Control Plane Committed Access Rate) value. The CPCAR values of some packet types need to be adjusted for the service specifications and the user's network environment. When many users connect to the device but the CPCAR values for ARP Request and ARP Reply packets are small, ARP packets are dropped before they reach the CPU, which affects ARP entry learning and updating. To check whether ARP packets are being dropped, run the display cpu-defend statistics all command. If they are, adjust the CPCAR values of ARP packets to suitable values. Improper CPCAR settings affect services on the network, so contact Huawei engineers before adjusting them.

ARP attacks
When ARP attacks occur, the learning and updating of dynamic ARP entries are also affected. In this case, locate the attack source and configure the appropriate ARP attack defense functions.

Aged ARP entry display on S series switches
On S series switches (except S1700 switches), aged ARP entries cannot be displayed. You can only view the current ARP table.

Aging time of ARP entries on S series switches
For S series switches (except S1700 switches), the default aging time of dynamic ARP entries is 1200s (20 minutes). Run the arp expire-time expire-time command in the system view (applies to all interfaces) or in an interface view (applies to that interface only) to change it; the expire-time argument is the aging time of dynamic ARP entries, in seconds.
Static ARP entries do not age.
