Using the arp-limit command, you can limit the maximum number of dynamic Address Resolution Protocol (ARP) entries that an interface can learn.
Using the undo arp-limit command, you can restore the default setting.
By default, the maximum number of dynamic ARP entries that an interface can learn is 262144.
Parameter | Description | Value |
---|---|---|
vlan-id1 | Specifies the ID of the VLAN for which ARP entry learning is restricted. | The value is an integer ranging from 1 to 4094. This parameter must be configured only in the Layer 2 interface view and QinQ sub-interface view. If you configure this parameter in the QinQ sub-interface view, vlan-id specifies the outer VLAN ID of the QinQ sub-interface. The value of <vlan-id2> must be greater than that of <vlan-id1>. |
vlan-id2 | Specifies the ID of the VLAN for which ARP entry learning is restricted. | The value is an integer ranging from 1 to 4094. This parameter must be configured only in the Layer 2 interface view and QinQ sub-interface view. If you configure this parameter in the QinQ sub-interface view, vlan-id specifies the outer VLAN ID of the QinQ sub-interface. The value of <vlan-id2> must be greater than that of <vlan-id1>. |
maximum maximum | Specifies the maximum number of the ARP entries that the interface can learn. | The value is an integer ranging from 1 to 262144. The value range of this parameter is controlled by the PAF. After the PAF is loaded, the value range of this parameter is from 1 to 344064. |
Layer 2 100GE interface view, 100GE sub-interface view, Layer 2 10GE interface view, 10GE sub-interface view, 200GE sub-interface view, 25GE-L2 view, 25GE sub-interface view, 400GE-L2 view, 400GE sub-interface view, Layer 2 40GE interface view, 40GE sub-interface view, Layer 2 50GE interface view, 50GE sub-interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, Layer 2 GE interface view, GE sub-interface view, GE electrical interface view, Global VE sub-interface view, PW-VE sub-interface view, VE sub-interface view
Usage Scenario
If an unauthorized user sends a large number of ARP messages to a device, the device learns a large number of ARP entries in a short period of time, causing the ARP buffer to overflow. As a result, normal operation of the network is affected. To address such a problem, you can set the maximum number of ARP entries that each interface can learn.
Configuration Impact
If the number of ARP entries that an interface can learn changes, and the number of the learned ARP entries exceeds the changed value, the interface cannot learn additional ARP entries. You can delete the excess ARP entries based on the system prompt.
If this command is run more than once, all configurations take effect.
Precautions
An Ethernet interface, GE interface, VE interface, or Eth-Trunk interface can be used as a Layer 3 interface or a Layer 2 interface. vlan-id cannot be configured for a Layer 3 interface. vlan-id is required for a Layer 2 interface.
An Ethernet sub-interface, GE sub-interface, or Eth-Trunk sub-interface can be a common sub-interface or a QinQ sub-interface. For a common sub-interface, vlan-id is unavailable. For a QinQ sub-interface, vlan-id is required as the outer VLAN ID of the QinQ sub-interface. If a common sub-interface is limited in ARP entry learning and configured as a QinQ sub-interface, the ARP learning limit is deleted. If a QinQ sub-interface is limited in ARP entry learning and the QinQ configuration is deleted from the sub-interface, the ARP learning limit is unavailable.
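The following Python check is an added example, not part of the vendor documentation. It validates a planned arp-limit change against the parameter table, the Configuration Impact note, and the Precautions above before it is pushed to a device. The function name, the mode labels (layer2, layer3, common-sub, qinq-sub), and the learned argument are assumptions of this sketch.

```python
# Added example: pre-deployment check for arp-limit parameters.
# Ranges and rules come from the parameter table and Precautions above;
# the function name and the mode labels are assumptions of this sketch.

VLAN_MIN, VLAN_MAX = 1, 4094
MAX_DEFAULT = 262144    # upper bound of "maximum" before the PAF is loaded
MAX_WITH_PAF = 344064   # upper bound of "maximum" after the PAF is loaded

VLAN_REQUIRED = {"layer2", "qinq-sub"}      # vlan-id must be given
VLAN_FORBIDDEN = {"layer3", "common-sub"}   # vlan-id is not available


def check_arp_limit(mode, maximum, vlan_id1=None, vlan_id2=None,
                    paf_loaded=False, learned=0):
    """Return a list of problems; an empty list means the request is valid."""
    if mode not in VLAN_REQUIRED | VLAN_FORBIDDEN:
        return [f"unknown interface mode {mode!r}"]
    problems = []

    upper = MAX_WITH_PAF if paf_loaded else MAX_DEFAULT
    if not 1 <= maximum <= upper:
        problems.append(f"maximum {maximum} outside 1..{upper}")

    if mode in VLAN_FORBIDDEN and (vlan_id1 is not None or vlan_id2 is not None):
        problems.append(f"vlan-id is not available on a {mode} interface")
    if mode in VLAN_REQUIRED:
        if vlan_id1 is None:
            problems.append(f"vlan-id1 is required on a {mode} interface")
        for name, vid in (("vlan-id1", vlan_id1), ("vlan-id2", vlan_id2)):
            if vid is not None and not VLAN_MIN <= vid <= VLAN_MAX:
                problems.append(f"{name} {vid} outside {VLAN_MIN}..{VLAN_MAX}")
        if None not in (vlan_id1, vlan_id2) and vlan_id2 <= vlan_id1:
            problems.append("vlan-id2 must be greater than vlan-id1")

    # Configuration Impact: if more entries are already learned than the new
    # limit allows, the interface cannot learn additional entries.
    if learned > maximum:
        problems.append(f"{learned - maximum} learned entries exceed the new "
                        "limit; the interface cannot learn additional entries")
    return problems
```

The learned argument is the current dynamic ARP entry count of the interface, which the caller has to read from the device.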