
arp-limit

Function

The arp-limit command sets the maximum number of ARP entries that an interface can dynamically learn.

The undo arp-limit command deletes the maximum number of ARP entries that an interface can dynamically learn.

By default, the maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.

Format

VLANIF interface, VBDIF interface, VE sub-interface, Layer 3 interface, and Ethernet sub-interface:

arp-limit maximum maximum

undo arp-limit

VE sub-interface, Layer 2 interface and port group:

arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

undo arp-limit vlan vlan-id1 [ to vlan-id2 ]

Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support Layer 3 interfaces and sub-interfaces.

Only the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S support VE sub-interfaces.

Parameters

Parameter: vlan vlan-id1 [ to vlan-id2 ]

Description: Specifies the VLAN or range of VLANs for which the number of ARP entries that an interface can dynamically learn is limited.

  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1. vlan-id1 and vlan-id2 specify a range of VLANs. If to vlan-id2 is not specified, the device limits the maximum number of ARP entries an interface dynamically learns from the VLAN vlan-id1. If to vlan-id2 is specified, the device limits the maximum number of ARP entries an interface dynamically learns from each VLAN from vlan-id1 to vlan-id2.

Value: The values of vlan-id1 and vlan-id2 are integers that range from 1 to 4094.

Parameter: maximum maximum

Description: Specifies the maximum number of ARP entries that an interface can dynamically learn.

Value: The integer form, in pps, is as follows:
  • S2720-EI, S5720-LI, S5720S-LI: 1 to 2048
  • S5720I-SI, S5720-SI, S5720S-SI, S5735-L, S5735S-L, S5735S-L-M: 1 to 4096
  • S5735-S, S5735S-S, S5735-S-I: 1 to 8000
  • S5720-EI, S5731-S, S5731S-S: 1 to 16384
  • S5720-HI, S5730-HI, S5731-H, S5731S-H: 1 to 61440
  • S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S: 1 to 65536
  • S5730-SI, S5730S-EI, S6720-SI, S6720S-SI: 1 to 20000
  • S6720-LI, S6720S-LI: 1 to 8192
  • S6720-EI, S6720S-EI: 1 to 131072

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent ARP entries from being exhausted by ARP attacks from a host connecting to an interface on the device, set the maximum number of ARP entries that the interface can dynamically learn. When the number of the ARP entries learned by a specified interface reaches the maximum number, no dynamic ARP entry can be added.

Precautions

If the number of ARP entries learned by an interface exceeds the maximum number, the device neither learns new ARP entries nor clears the learned ARP entries. Instead, the device asks users to delete the excess ARP entries.

If the arp-limit vlan vlan-id1 to vlan-id2 maximum maximum command is run more than once, the following rules apply:
  • If maximum maximum is the same in multiple command instances, all configurations take effect. For example, if the arp-limit vlan 10 to 30 maximum 200 command and then the arp-limit vlan 35 to 40 maximum 200 command are run, both configurations take effect. If the VLAN ranges specified in multiple command instances are overlapping, the system automatically merges the VLAN ranges. For example, if the arp-limit vlan 50 to 80 maximum 200 command and then the arp-limit vlan 70 to 100 maximum 200 command are run, both configurations take effect, and the system merges the configurations into arp-limit vlan 50 to 100 maximum 200.
  • If maximum maximum is different in multiple command instances, the latest configuration overrides the previous one for the same VLAN range. For example, if the arp-limit vlan 10 to 30 maximum 200 command and then the arp-limit vlan 15 to 25 maximum 300 command are run, the system automatically divides the configurations into arp-limit vlan 10 to 14 maximum 200, arp-limit vlan 15 to 25 maximum 300, and arp-limit vlan 26 to 30 maximum 200.
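
The merge and override rules above can be modelled offline to predict the configuration an interface ends up with after a sequence of commands, which is useful when auditing change scripts. The following Python sketch is an added example, not Huawei code; the function names are hypothetical, and it assumes that ranges which are adjacent but not overlapping stay separate, because the page describes merging only for overlapping ranges.

```python
import re

# Syntax from the Format section: arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum
CMD = re.compile(r"^arp-limit vlan (\d+)(?: to (\d+))? maximum (\d+)$")

def parse(command):
    """Return (first_vlan, last_vlan, maximum) for one arp-limit vlan command."""
    m = CMD.match(command.strip())
    if not m:
        raise ValueError(f"not an arp-limit vlan command: {command!r}")
    lo, limit = int(m.group(1)), int(m.group(3))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (1 <= lo <= 4094 and 1 <= hi <= 4094):
        raise ValueError("VLAN IDs must be in 1..4094")
    if m.group(2) and hi <= lo:
        raise ValueError("vlan-id2 must be larger than vlan-id1")
    if limit < 1:  # the upper bound depends on the device model, so it is not checked
        raise ValueError("maximum must be at least 1")
    return lo, hi, limit

def effective_config(commands):
    """Apply commands in order; return the resulting disjoint (lo, hi, maximum) list."""
    ranges = []
    for command in commands:
        lo, hi, limit = parse(command)
        new_lo, new_hi, kept = lo, hi, []
        for a, b, x in ranges:
            if b < lo or a > hi:        # no overlap: existing range is untouched
                kept.append((a, b, x))
            elif x == limit:            # same maximum: merge into one range
                new_lo, new_hi = min(new_lo, a), max(new_hi, b)
            else:                       # different maximum: the latest command wins
                if a < lo:
                    kept.append((a, lo - 1, x))
                if b > hi:
                    kept.append((hi + 1, b, x))
        kept.append((new_lo, new_hi, limit))
        ranges = sorted(kept)
    return ranges

def render(ranges):
    """Format (lo, hi, maximum) tuples back into command lines."""
    return [f"arp-limit vlan {a} maximum {m}" if a == b
            else f"arp-limit vlan {a} to {b} maximum {m}" for a, b, m in ranges]
```

Passing the two command pairs from the bullets above to effective_config and then render reproduces the merged and split configurations the page lists.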

Example

# Configure VLANIF 10 to dynamically learn a maximum of 20 ARP entries.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-limit maximum 20

# Configure Layer 3 interface GE0/0/1 to dynamically learn a maximum of 20 ARP entries.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-limit maximum 20

# Configure Layer 2 interface GE0/0/1 to dynamically learn a maximum of 20 ARP entries from VLAN 10.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20
Copyright © Huawei Technologies Co., Ltd.