This paper mainly introduces the ARP security in the Huawei S2750&S5700&S6700 series switches to prevent equipment performance and business impact due to improper ARP settings.
arp-limit
Function
The arp-limit command sets the maximum number of ARP entries that an interface can dynamically learn.
The undo arp-limit command deletes the maximum number of ARP entries that an interface can dynamically learn.
By default, the maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.
Format
Ethernet interface view, 40GE interface view, GE interface view, GE sub-interface view, XGE interface view, XGE sub-interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view, port group view.
arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum
undo arp-limit vlan vlan-id1 [ to vlan-id2 ]
VLANIF interface view
arp-limit maximum maximum
undo arp-limit
Parameters
Parameter | Description | Value |
vlan vlan-id1 [ to vlan-id2 ] | Specifies the ID of a VLAN from which the maximum number of ARP entries an interface can dynamically learn is limited. This parameter is available only for Layer 2 interfaces. Where, ? vlan-id1 specifies the first VLAN ID. ? to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1. vlan-id1 and vlan-id2 specify a range of VLANs. If to vlan-id2 is not specified, the device limits the maximum number of ARP entries an interface dynamically learns from the VLAN vlan-id1. If to vlan-id2 is specified, the device limits the maximum number of ARP entries an interface dynamically learns from each VLAN from vlan-id1 to vlan-id2. |
The values of vlan-id1 and vlan-id2 are integers that range from 1 to 4094. |
maximum maximum | Specifies the maximum number of ARP entries that an interface can dynamically learn. | The value is an integer that ranges The value ranges from 1 to 2048 for the S5700SI, from 1 to 8192 for the S5700EI, from 1 to 16384 for the S5700HI and S5710HI, from 1 to 16384 for the S5710EI, from 1 to 256 for the S2750, S5700LI, and S5700S-LI, and from 1 to 8192 for the S6700. |
Views
Ethernet interface view, 40GE interface view, GE interface view, GE sub-interface view, XGE interface view, XGE sub-interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view, port group view, VLANIF interface view.
Default Level
2: Configuration level.
Usage Guidelines
Usage Scenario
To prevent ARP entries from being exhausted by ARP attacks from a host connecting to an interface on the device, set the maximum number of ARP entries that the interface can dynamically learn. When the number of the ARP entries learned by a specified interface reaches the maximum number, no dynamic ARP entry can be added.
Precautions
If the number of ARP entries learned by an interface exceeds the maximum number, the device neither learns new ARP entries nor clears the learned ARP entries. Instead, the device asks users to delete the excess ARP entries.
Example
# Configure that VLANIF 10 can dynamically learn a maximum of 20 ARP entries.
<HUAWEI> system-view [HUAWEI] interface vlanif 10 [HUAWEI-Vlanif10] arp-limit maximum 20
# Configure that GE0/0/1 can dynamically learn a maximum of 20 ARP entries corresponding to VLAN 10.
<HUAWEI> system-view [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20
In this article, we selected the most important part of the ARP security, commands, usage guidelines and precautions to introduce. For more information, please refer to this article: ARP Security Configuration Commands_part 2