arp fixup
Function
The arp fixup command configures fixed ARP and converts the dynamic ARP entries learned by the device into static ARP entries.
Views
VLANIF interface view, GE interface view, GE sub-interface view, MultiGE interface view, MultiGE sub-interface view, 40GE interface view, 40GE sub-interface view, XGE interface view, 25GE interface view, XGE sub-interface view, 25GE sub-interface view, 100GE interface view, 100GE sub-interface view, Eth-Trunk interface view, or Eth-Trunk sub-interface view
Usage Guidelines
Usage Scenario
To prevent attackers from forging ARP packets and modifying dynamic ARP entries on the device, you can run the arp fixup command on interfaces to configure fixed ARP and convert the dynamic ARP entries learned by the device into static ARP entries.
Fixed ARP is used together with ARP automatic scanning. Run the arp scan command to configure ARP automatic scanning so that the device can obtain the dynamic ARP entries from the devices in the network. Then run the arp fixup command to configure fixed ARP so that the device converts the obtained dynamic ARP entries to static ARP entries to prevent network attacks.
Prerequisites
On an Ethernet interface working in Layer 2 mode, the undo portswitch command has been run to switch the interface to Layer 3 mode.
Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3 modes.
Precautions
- The number of static ARP entries converted through fixed ARP depends on the number of static ARP entries supported on the device. When the number of dynamic ARP entries exceeds the maximum value supported on the device, excess dynamic ARP entries will not be converted and the system displays an error message.
- The static ARP entries converted through fixed ARP are the same as the configured ARP entries. You can run the undo arp static command to delete each entry or reset arp static to delete all the entries.