
dhcp snooping arp security enable

Function

The dhcp snooping arp security enable command enables the egress ARP inspection (EAI) function.

The undo dhcp snooping arp security enable command disables the EAI function.

By default, EAI is disabled.

Format

dhcp snooping arp security enable

undo dhcp snooping arp security enable

Parameters

None

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

EAI applies to the following scenario: A device is deployed between an upstream Layer 3 switch and user hosts. The user hosts belong to the same VLAN, connect to the network through user-side interfaces of the device, and obtain IP addresses through DHCP.

If the device broadcasts ARP Request packets in the VLAN, the traffic volume in the VLAN increases. To reduce network loads in the VLAN, enable EAI in this VLAN on the device. The EAI function must be used together with DHCP snooping.

After EAI is enabled, the device matches the destination IP address of a received ARP Request packet with DHCP snooping binding entries to determine the outbound interface for the packet.
  • If the destination IP address matches an entry, the device sends the packet directly through the corresponding outbound interface. (However, if the outbound interface is the same as the inbound interface of the packet, the device discards the packet.)

  • If the destination IP address does not match an entry, the device determines whether the packet was received on a trusted interface. (In DHCP snooping, the interfaces connecting the device to the DHCP server are deployed as trusted interfaces.)

    • If the packet was received on a trusted interface, the device forwards the packet through the other trusted interfaces. (If there is no other trusted interface, the device discards the packet.)
    • If the packet was not received on a trusted interface, the device forwards the packet through a trusted interface.

DHCP snooping allows a physical interface to be configured as a trusted or untrusted interface. The interfaces connected to the authorized DHCP server are configured as trusted interfaces, and all other interfaces as untrusted interfaces. After DHCP snooping is enabled, all interfaces are considered untrusted by default.
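
The forwarding decision described above, modelled in Python as an added example (not Huawei's implementation and not code from this page). The interface names, the addresses, and the choice to send an unmatched request from an untrusted interface through every trusted interface are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (only the fields this model needs)."""
    ip: str
    vlan: int
    interface: str

def eai_egress(target_ip, vlan, in_if, bindings, trusted):
    """Return the interfaces an ARP Request leaves through; [] means discard."""
    for b in bindings:
        if b.ip == target_ip and b.vlan == vlan:
            # Binding hit: send only to the bound interface, but never
            # back out of the interface the request arrived on.
            return [] if b.interface == in_if else [b.interface]
    if in_if in trusted:
        # No binding, trusted ingress: only the other trusted interfaces.
        return sorted(trusted - {in_if})
    # No binding, untrusted ingress: towards the trusted side only.
    # Assumption: every trusted interface is used; the page says "a trusted interface".
    return sorted(trusted)

# Constructed sample state for VLAN 100 (interface names and addresses are made up).
BINDINGS = [
    Binding("192.0.2.10", 100, "GE0/0/2"),
    Binding("192.0.2.11", 100, "GE0/0/3"),
]
TRUSTED = {"GE0/0/24"}  # uplink towards the DHCP server

def demo():
    """Run the four cases from the usage scenario against the sample state."""
    cases = {
        "host to bound host": ("192.0.2.10", "GE0/0/3"),
        "target behind ingress port": ("192.0.2.10", "GE0/0/2"),
        "unbound target, untrusted ingress": ("192.0.2.99", "GE0/0/3"),
        "unbound target, only trusted port": ("192.0.2.99", "GE0/0/24"),
    }
    return {name: eai_egress(ip, 100, in_if, BINDINGS, TRUSTED)
            for name, (ip, in_if) in cases.items()}

if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:36} -> {out or 'discard'}")
```

In this model an ARP Request for an address with no binding entry never leaves through another user-side interface; it is either sent towards the trusted side or discarded.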

Precautions

Because EAI must be used together with DHCP snooping, run the dhcp snooping enable command to enable DHCP snooping.

After EAI is enabled, the device sends all the received ARP packets to the CPU for software forwarding, which degrades the ARP packet forwarding performance.

The MFF function is implemented based on ARP proxy, whereas the EAI function is implemented based on ARP request packet forwarding. Therefore, the two functions conflict with each other. If you have enabled both MFF and EAI in the same VLAN, the MFF function takes effect.

EAI enabled in a super VLAN does not take effect.

If a VLANIF interface is created for a VLAN enabled with EAI, EAI does not take effect on the VLAN.

Example

# Enable EAI.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable
[HUAWEI-vlan100] dhcp snooping arp security enable
Copyright © Huawei Technologies Co., Ltd.