dhcp snooping arp security isolate-forwarding-trust

Function

The dhcp snooping arp security isolate-forwarding-trust command enables the device to forward ARP packets to trusted interfaces when port isolation is enabled on both inbound and outbound interfaces of the device.

The undo dhcp snooping arp security isolate-forwarding-trust command disables the forwarding of ARP packets to trusted interfaces.

By default, the device does not forward ARP packets to trusted interfaces when port isolation is enabled on both the inbound and outbound interfaces of the device.

Format

dhcp snooping arp security isolate-forwarding-trust

undo dhcp snooping arp security isolate-forwarding-trust

Parameters

None

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This function applies to the following scenario: A device is deployed between an upstream Layer 3 switch and user hosts. The user hosts belong to the same VLAN, connect to the network through user-side interfaces of the device, and obtain IP addresses through DHCP. Port isolation is configured on the interfaces connected to the user hosts, and intra-VLAN ARP proxy is configured on the Layer 3 switch. This implements Layer 2 isolation and Layer 3 communication between isolated users in the VLAN.

If EAI is also configured on the device, when the device receives an ARP Request packet sent by one user host to resolve another user host, it matches the destination IP address of the packet against dynamic DHCP snooping binding entries to determine the outbound interface of the packet. If the destination IP address matches an entry, the device sends the packet directly to the destination interface (that is, the interface connected to the requested user host). If the destination interface is isolated from the inbound interface of the packet, the device discards the packet and the isolated users cannot communicate with each other.

To address this problem, run the dhcp snooping arp security isolate-forwarding-trust command. The device then forwards the ARP packet directly to a trusted interface (that is, the interface connected to the Layer 3 switch). The intra-VLAN ARP proxy function on the Layer 3 switch then allows the isolated users to communicate with each other.
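
The forwarding decision described above, modelled in Python as an added example (it is not Huawei code and not part of the original page). The interface names, addresses and the single set of isolated ports are constructed; the case where no binding entry matches is not described on this page and is left unmodelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One dynamic DHCP snooping binding entry: host IP and user-side port."""
    ip: str
    port: str

# Constructed sample topology for VLAN 100 (names and addresses are made up).
BINDINGS = [
    Binding("10.0.100.11", "GE0/0/1"),   # isolated user A
    Binding("10.0.100.12", "GE0/0/2"),   # isolated user B
    Binding("10.0.100.13", "GE0/0/3"),   # user on a port without isolation
]
ISOLATED = {"GE0/0/1", "GE0/0/2"}        # ports with port isolation enabled
TRUSTED = {"GE0/0/24"}                   # uplink to the Layer 3 switch

def forward_arp_request(target_ip, in_port, isolate_forwarding_trust=False,
                        bindings=BINDINGS, isolated=ISOLATED, trusted=TRUSTED):
    """Return (action, egress_ports) for an ARP Request received with EAI on."""
    entry = next((b for b in bindings if b.ip == target_ip), None)
    if entry is None:
        # The page does not describe the no-match case; it is not modelled.
        return ("not-described", [])
    if not (in_port in isolated and entry.port in isolated):
        # Binding found and the two ports are not isolated from each other.
        return ("forward", [entry.port])
    if isolate_forwarding_trust:
        # With the command: hand the request to the trusted uplink so the
        # intra-VLAN ARP proxy on the Layer 3 switch can answer it.
        return ("forward-to-trusted", sorted(trusted))
    # Default: inbound and outbound ports are isolated, so the request is dropped.
    return ("discard", [])

if __name__ == "__main__":
    for enabled in (False, True):
        for ip in ("10.0.100.12", "10.0.100.13"):
            print(enabled, ip, forward_arp_request(ip, "GE0/0/1", enabled))
```
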

Prerequisites

EAI has been enabled using the dhcp snooping arp security enable command.

Example

# Enable the device to forward ARP packets to trusted interfaces in VLAN 100 when port isolation is enabled on both inbound and outbound interfaces of the device.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable
[HUAWEI-vlan100] dhcp snooping arp security enable
[HUAWEI-vlan100] dhcp snooping arp security isolate-forwarding-trust
Copyright © Huawei Technologies Co., Ltd.