
(Optional) Configuring ARP Snooping Entry Fixing

Context

If an attacker forges ARP packets, the device learns incorrect ARP snooping entries, and as a result users cannot receive data packets. To prevent this, you can enable the ARP snooping entry fixing function on the device. Once a device with this function enabled has learned an ARP snooping entry, it either does not update the entry at all, updates only some of the information in the entry, or sends a unicast ARP Request packet to check the validity of the new ARP snooping entry. The device provides three ARP snooping entry fixing modes, which apply to different scenarios and are mutually exclusive.
  • fixed-mac: This mode applies to networks where user MAC addresses are unchanged but user access locations often change. When a user connects to a different interface on the device, the device promptly updates the interface information in that user's ARP snooping entry.
  • fixed-all: This mode applies to networks where user MAC addresses and user access locations are fixed.
  • send-ack: This mode applies to networks where user MAC addresses and user access locations often change.
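To make the three modes concrete, the following is an added Python model of how a learned ARP snooping entry reacts to a later ARP packet that disagrees with it under each mode. It is illustrative code written for this page, not Huawei's implementation: the table layout, the result labels, the constructed sample addresses and the send-ack probe (a caller-supplied function standing in for the unicast ARP Request and whether the host in the existing entry replies) are all assumptions.

```python
"""Illustrative model of ARP snooping entry fixing modes (added example, not Huawei code).

Models only what the page states: an ARP snooping table indexed by IP
address, and a rule for how an existing entry reacts to a later ARP
packet that disagrees with it. For send-ack the page says a unicast ARP
Request is used to check validity; here that check is an assumed probe
callback that returns True when the host in the existing entry replies.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MODES = ("disabled", "fixed-mac", "fixed-all", "send-ack")


@dataclass
class SnoopEntry:
    mac: str
    interface: str


class ArpSnoopingTable:
    def __init__(self, mode: str = "disabled",
                 probe: Optional[Callable[[str, SnoopEntry], bool]] = None):
        if mode not in MODES:
            raise ValueError(f"unknown entry-check mode: {mode}")
        self.mode = mode
        # Assumed stand-in for the unicast ARP Request: True = existing host answered.
        self.probe = probe or (lambda ip, entry: False)
        self.entries: Dict[str, SnoopEntry] = {}
        self.log: List[str] = []

    def learn(self, ip: str, mac: str, interface: str) -> str:
        """Process one ARP packet and report what happened to the entry for ip."""
        new = SnoopEntry(mac, interface)
        cur = self.entries.get(ip)
        if cur is None:
            self.entries[ip] = new
            return "learned"
        if cur == new:
            return "unchanged"
        if self.mode == "disabled":
            # No fixing: a forged packet overwrites the entry immediately.
            self.entries[ip] = new
            return "updated"
        if self.mode == "fixed-all":
            # Entry is never updated once learned.
            return "rejected"
        if self.mode == "fixed-mac":
            # Only the interface may change, and only for the same MAC.
            if cur.mac == mac:
                cur.interface = interface
                return "interface-updated"
            return "rejected"
        # send-ack: verify before replacing by asking the host behind the existing entry.
        self.log.append(f"unicast ARP Request to {ip} ({cur.mac}) via {cur.interface}")
        if self.probe(ip, cur):
            return "rejected"
        self.entries[ip] = new
        return "updated"


def demo() -> Dict[str, Dict[str, str]]:
    """Run one constructed scenario per mode and return the outcomes."""
    legit_mac, forged_mac, ip = "aa-aa-aa-aa-aa-01", "bb-bb-bb-bb-bb-02", "10.0.0.5"
    host_answers = lambda _ip, e: e.mac == legit_mac   # legitimate host still replies
    host_silent = lambda _ip, _e: False                 # legitimate host gone or unreachable
    scenarios = [(m, host_answers) for m in MODES]
    scenarios.append(("send-ack (original host silent)", host_silent))
    results: Dict[str, Dict[str, str]] = {}
    for label, probe in scenarios:
        table = ArpSnoopingTable(label.split(" ")[0], probe=probe)
        table.learn(ip, legit_mac, "GE0/0/1")
        results[label] = {
            "spoofed mac": table.learn(ip, forged_mac, "GE0/0/2"),
            "same mac, new port": table.learn(ip, legit_mac, "GE0/0/3"),
            "final": f"{table.entries[ip].mac}@{table.entries[ip].interface}",
        }
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(f"{mode:32} {outcome}")
```

Running the model shows the trade-off behind the mode choice: fixed-all rejects every change, so a legitimate port move is lost as well; fixed-mac keeps the MAC fixed but follows the user to a new interface; send-ack only protects the entry while the original host answers the unicast ARP Request.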

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run arp snooping anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

    ARP snooping entry fixing is enabled.

    By default, ARP snooping entry fixing is disabled.

Copyright © Huawei Technologies Co., Ltd.