arp static
Function
The arp static command configures a static ARP entry.
The undo arp static command deletes a static ARP entry.
By default, the ARP table is empty and address mappings are obtained using dynamic ARP.
Format
arp static ip-address mac-address [ vpn-instance vpn-instance-name ]
arp static ip-address mac-address interface interface-type interface-number[.subinterface-number ]
arp static ip-address mac-address vid vlan-id [ cevid ce-vid ] interface interface-type interface-number[.subinterface-number ]
undo arp static ip-address [ mac-address ] [ vpn-instance vpn-instance-name ]
undo arp static ip-address mac-address interface interface-type interface-number[.subinterface-number ]
undo arp static ip-address [ mac-address ] vid vlan-id [ cevid ce-vid ] interface interface-type interface-number[.subinterface-number ]
Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support cevid ce-vid and subinterface-number.
Parameters
| Parameter | Description | Value |
|---|---|---|
ip-address |
Specifies the IP address in a static ARP entry. |
The value is in dotted decimal notation. |
mac-address |
Specifies the MAC address in a static ARP entry. |
The value is in the H-H-H format. An H contains 1 to 4 hexadecimal digits. |
vpn-instance vpn-instance-name |
Specifies the name of a VPN instance. NOTE:
After the name of a VPN instance is specified, the device can automatically learn the outbound interface, with no need for specifying it. |
The value must be an existing VPN instance name. |
interface interface-type interface-number[.subinterface-number ] |
Specifies the outbound interface in a static ARP entry.
NOTE:
If the IP address corresponding to the specified ARP entry belongs to the VPN, an outbound interface cannot be specified. |
- |
vid vlan-id |
Specifies the ID of the VLAN to which a static ARP entry belongs. |
The value is an integer that ranges from 1 to 4094. |
cevid ce-vid |
Specifies the inner VLAN ID. |
The value is an integer that ranges from 1 to 4094. |
Usage Guidelines
Usage Scenario
In most cases, devices on a network can use ARP to dynamically learn ARP entries and age or update the generated dynamic ARP entries. However, when a network encounters an ARP attack, the dynamic ARP entries may be incorrectly updated or aged. As a result, the communication between authorized users becomes abnormal.
Static ARP entries can be neither aged nor overwritten by dynamic ARP entries, ensuring communication security. If a static ARP entry is configured on a device, the device can communicate with the peer device using only the specified MAC address. Network attackers cannot modify the mapping between the IP and MAC addresses using ARP packets, ensuring communication between the two devices. Static ARP entries are generally configured on gateways.
- Networks contain critical devices such as servers. In this case, static ARP entries can be configured on the switch. As such, network attackers cannot update the ARP entries containing IP addresses of the critical devices on the switch using ARP attack packets, thereby ensuring communication between users and the critical devices.
- Networks contain user devices with multicast MAC addresses. In this case, static ARP entries can be configured on the switch. In doing so, a device, by default, does not learn ARP entries when the source MAC addresses of received ARP packets are multicast MAC addresses.
- A network administrator wants to prevent an IP address from accessing devices. In this case, static ARP entries can be configured on the switch to bind the IP address to an unavailable MAC address.
An ARP entry includes the IP address, the MAC address, and the outbound interface as well as the outer and inner VLAN tags. The switch can add two VLAN tags to the packets according to the ARP entry during packet forwarding.
Precautions
When the outbound interface is a Layer 2 Ethernet interface, run the arp static ip-address mac-address vid vlan-id [ cevid ce-vid ] interface interface-type interface-number [.subinterface-number ] command.
When a static ARP entry is configured for a QinQ termination sub-interface, vid specified in this command must be the same as pe-vid in the qinq termination pe-vid ce-vid command, and cevid in this command must be within the value range of ce-vid in the qinq termination pe-vid ce-vid command.
- When the outbound interface is a Layer 3 Ethernet interface, run the arp static ip-address mac-address interface interface-type interface-number command.
- When the VPN instance mapping the ARP entries needs to be specified, run the arp static ip-address mac-address vpn-instance vpn-instance-name command.
- When short static ARP entries need to be configured (for example, if the device is connected to an NLB cluster and multi-interface ARP is used), run the arp static ip-address mac-address command.
The IP address specified by ip-address must be in the same network segment as the IP address of the outbound interface specified by interface interface-type interface-number.
If a new static ARP entry is duplicate with an existing one, the system updates the entry.
You can run the arp static command multiple times to configure static ARP entries one by one, or run the arp scan and arp fixup commands to configure multiple static ARP entries at one time.
Example
# Configure a static ARP entry that maps the IP address 10.0.0.1 to the MAC address aaaa-fccc-1212.
<HUAWEI> system-view [HUAWEI] arp static 10.0.0.1 aaaa-fccc-1212
# Configure a static ARP entry that maps the IP address 10.1.1.1 to the MAC address 0efc-0505-86e3. This entry belongs to VLAN 10 and its outbound interface is GE0/0/1.
<HUAWEI> system-view [HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vid 10 interface gigabitethernet 0/0/1
# Configure a static ARP entry that maps the IP address 10.1.1.1 to the MAC address 0efc-0505-86e3. This entry belongs to the VPN instance vpn1.
<HUAWEI> system-view [HUAWEI] ip vpn-instance vpn1 [HUAWEI-vpn-instance-vpn1] ipv4-family [HUAWEI-vpn-instance-vpn1-af-ipv4] quit [HUAWEI-vpn-instance-vpn1] quit [HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vpn-instance vpn1