arp-safeguard enable

Function

The arp-safeguard enable command enables ARP bidirectional isolation.

The undo arp-safeguard enable command disables ARP bidirectional isolation.

By default, ARP bidirectional isolation is disabled.

Format

arp-safeguard enable

undo arp-safeguard enable

Parameters

None

Views

100GE interface view, 10G LAN interface view, 10G WAN interface view, 40GE interface view, Eth-Trunk interface view, GE optical interface view, GE electrical interface view, VLANIF interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name     Operations
hostdefend    write

Usage Guidelines

Usage Scenario

A device sends ARP request packets to request ARP information from other devices and receives ARP reply packets in response to its ARP request packets. ARP request packets can be freely transmitted on a network, and ARP attack packets are difficult to identify. Statistics show that the number of ARP request packets is almost equal to the number of ARP reply packets.

ARP reply packets received on a device are legitimate if they are in response to the ARP request packets the device sends. ARP bidirectional isolation applies to the scenario in which a large number of ARP attack packets are received in a short period. You can run the arp-safeguard enable command to enable ARP bidirectional isolation. ARP bidirectional isolation implements the following functions:

  • ARP request packets are replied to only on the forwarding plane, without being sent to the CPU for processing. ARP entries and status information will not be generated for ARP request packets.
  • Only ARP reply packets received on a device in response to the ARP request packets the device sends are sent to the CPU for processing. The other ARP reply packets will be discarded.
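
The two rules above can be modeled as a small filter. This is an added illustration, not Huawei code: the class and function names are hypothetical, and it assumes a reply is matched to an outstanding request by its sender IP and that one request admits one reply (the page does not specify how matching is done).

```python
from dataclasses import dataclass, field

@dataclass
class Arp:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

@dataclass
class IsolatedPort:
    """Toy model of an interface with ARP bidirectional isolation enabled."""
    ip: str
    pending: set = field(default_factory=set)      # targets of our own requests
    arp_table: dict = field(default_factory=dict)  # entries created by the CPU
    cpu_punts: int = 0

    def send_request(self, target_ip: str) -> None:
        self.pending.add(target_ip)

    def receive(self, pkt: Arp) -> str:
        if pkt.op == "request":
            # Answered on the forwarding plane: no CPU punt, no ARP entry learned.
            return "fwd-plane-reply" if pkt.target_ip == self.ip else "no-reply"
        if pkt.op == "reply" and pkt.sender_ip in self.pending:
            # Solicited reply: the only ARP traffic that reaches the CPU.
            self.pending.discard(pkt.sender_ip)
            self.cpu_punts += 1
            self.arp_table[pkt.sender_ip] = pkt.sender_mac
            return "to-cpu"
        return "discarded"

def run_demo():
    port = IsolatedPort(ip="192.0.2.1")
    verdicts = []
    # Constructed sample traffic: a burst of requests plus one unsolicited reply.
    for i in range(2, 5):
        verdicts.append(port.receive(
            Arp("request", f"192.0.2.{i}", f"02:00:00:00:00:{i:02x}", "192.0.2.1")))
    verdicts.append(port.receive(
        Arp("reply", "192.0.2.254", "02:00:00:00:00:66", "192.0.2.1")))
    # The device resolves 192.0.2.254 itself; only this exchange creates an entry.
    port.send_request("192.0.2.254")
    reply = Arp("reply", "192.0.2.254", "02:00:00:00:00:fe", "192.0.2.1")
    verdicts.append(port.receive(reply))
    # A repeat of the same reply no longer matches an outstanding request.
    verdicts.append(port.receive(reply))
    return verdicts, port

if __name__ == "__main__":
    verdicts, port = run_demo()
    print(verdicts, port.arp_table, port.cpu_punts)
```

In the model, the burst of requests and the unsolicited reply never reach the CPU and never create an ARP entry; only the reply to the device's own request does.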

Configuration Impact

ARP bidirectional isolation is mutually exclusive with L2VPN and proxy ARP. Before configuring ARP bidirectional isolation, delete L2VPN and proxy ARP configurations, if present.

Example

# Enable ARP bidirectional isolation on GE0/1/0.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/0
[~HUAWEI-GigabitEthernet0/1/0] arp-safeguard enable
Copyright © Huawei Technologies Co., Ltd.