
Configuring the Device Not to Send ARP Packets Destined for Other Devices to the CPU

Context

If an interface receives a large number of ARP packets whose destination IP addresses are different from the IP address of this interface and sends these ARP packets to the CPU for processing, the CPU usage is high and the CPU cannot process services properly.

To prevent this issue, you can configure the device to directly forward ARP packets destined for other devices without sending them to the CPU. This improves the device's capability of defending against ARP flood attacks.

Only the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vlanif vlan-id

    The VLANIF interface view is displayed.

  3. Run arp optimized-passby enable

    The device is configured not to send ARP packets destined for other devices to the CPU.

    By default, a device does not send ARP packets destined for other devices to the CPU.

    If any of the following configurations is performed, disabling the sending of ARP packets destined for other devices to the CPU does not take effect on a VLANIF interface:
    • Run the arp anti-attack gateway-duplicate enable command to enable ARP gateway anti-collision.
    • Run the arp ip-conflict-detect enable command to enable IP address conflict detection.
    • Run the arp anti-attack check user-bind enable command to enable the dynamic ARP inspection (DAI) function.
    • Run the dhcp snooping arp security enable command to enable the egress ARP inspection (EAI) function.
    • Run the arp over-vpls enable command to enable proxy ARP on a VPLS network.
    • Run the arp-proxy enable command to enable routed proxy ARP.
    • Run the arp-proxy inner-sub-vlan-proxy enable command to enable intra-VLAN proxy ARP.
    • Run the arp-proxy inter-sub-vlan-proxy enable command to enable inter-VLAN proxy ARP.
    • Perform an NAC-related configuration. For details, see the User Access and Authentication Configuration Guide.
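
The exceptions listed in step 3 can be checked offline against a saved configuration. The following Python script is an added example, not Huawei code: it assumes a configuration text with unindented view headers and indented commands, and the function names and sample configuration are constructed for illustration. Because the page does not state in which view each listed command applies, the script reports hits from the same VLANIF view, the system view, and other interface or VLAN views for manual review.

```python
import re
PASSBY = "arp optimized-passby enable"
# Commands the page lists as overriding PASSBY (NAC configuration is not checked here).
BLOCKERS = {"arp anti-attack gateway-duplicate enable", "arp ip-conflict-detect enable",
            "arp anti-attack check user-bind enable", "dhcp snooping arp security enable",
            "arp over-vpls enable", "arp-proxy enable",
            "arp-proxy inner-sub-vlan-proxy enable", "arp-proxy inter-sub-vlan-proxy enable"}
VIEW_RE = re.compile(r"(interface \S+|vlan \d+)$", re.I)

def parse_views(text):
    """Group commands by view; assumes unindented view headers and indented bodies."""
    views, current = {"system": []}, "system"
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = "system"
        elif raw[0].isspace():
            views[current].append(line)
        else:
            current = line if VIEW_RE.match(line) else "system"
            views.setdefault(current, [])
            if current == "system":
                views["system"].append(line)
    return views

def audit(text):
    """Map each VLANIF with PASSBY to the (scope, command) pairs that may negate it."""
    views, findings = parse_views(text), {}
    is_vlanif = lambda v: v.lower().startswith("interface vlanif")
    for name, cmds in views.items():
        if is_vlanif(name) and PASSBY in cmds:
            findings[name] = [
                ("same VLANIF" if view == name else view, cmd)
                for view, vcmds in views.items()
                if view == name or not is_vlanif(view)  # assumption: other VLANIFs are unrelated
                for cmd in vcmds if cmd in BLOCKERS]
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
arp ip-conflict-detect enable
#
interface Vlanif10
 arp optimized-passby enable
 arp-proxy enable
#
interface GigabitEthernet0/0/1
 arp anti-attack check user-bind enable
"""
```

An empty list for a VLANIF means none of the listed commands was found; NAC-related configuration still has to be reviewed by hand.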
Copyright © Huawei Technologies Co., Ltd.