Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring ARP

Configuring ARP

This section describes how to configure Address Resolution Protocol (ARP).

Configuring Static ARP

Static ARP entries improve communication security.

Context

Static ARP entries are manually configured and maintained. They are not aged out and cannot be overridden by dynamic ARP entries; therefore, static ARP entries improve communication security. A static ARP entry binds a specified IP address to a specified MAC address, so communication between the local device and that device always uses the configured MAC address and attackers cannot alter the IP-to-MAC mapping recorded in the entry.

NOTE:

Static ARP entries cannot be modified dynamically, and the configuration workload is heavy. Static ARP entries are not applicable to a network where the IP addresses of hosts may change, or to a small-sized network.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    arp static ip-address mac-address [ vid vlan-id [ interface interface-type interface-number ] ]

    A static ARP entry is configured.

Checking the Configuration

After the static ARP entries are configured, run the following commands to check the configuration.

  • Run the display arp [ all | brief ] command to check all ARP mapping entries.

  • Run the display arp network net-number [ net-mask | mask-length ] [ dynamic | static ] command to check ARP mapping entries of a specified network segment.

  • Run the display arp static command to check static ARP mapping entries.

  • Run the display arp interface interface-type interface-number command to check ARP mapping entries of a specified interface.

Optimizing Dynamic ARP

By default, hosts and the access point learn ARP entries dynamically. You can adjust the parameters of dynamic ARP entries based on network requirements.

Pre-configuration Tasks

Before optimizing dynamic ARP, complete the following tasks:

  • Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status of the interfaces is Up

Adjusting Aging Parameters of Dynamic ARP Entries

Context

Aging parameters of ARP entries include the aging time, the number of probes, and detection modes. Proper adjustment of aging parameters improves network reliability.

You can adjust the following parameters of dynamic ARP entries:
  • Aging time of dynamic ARP entries: When the aging time of a dynamic ARP entry is reached, the device sends an ARP Request packet through the corresponding outbound interface and starts ARP aging detection.

  • Number of aging probes for dynamic ARP entries: Before aging a dynamic ARP entry, the system first sends probes. If no reply is received after the number of probes reaches the upper limit, the ARP entry is deleted.

  • Aging detection modes of dynamic ARP entries: Before an ARP entry is aged, an interface sends an ARP aging probe packet.

    NOTE:
    • If the IP address of the peer device remains the same but the MAC address changes frequently, it is recommended that you configure ARP aging probe packets to be broadcast.
    • If the MAC address of the peer device remains the same, and the network bandwidth is insufficient, it is recommended that you configure ARP aging probe packets to be unicast.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    arp expire-time expire-time

    The aging time of dynamic ARP entries is set.

    By default, the aging time of dynamic ARP entries is 1200 seconds, that is, 20 minutes.

  4. Run:

    arp detect-times detect-times

    The number of probes to dynamic ARP entries is set.

    By default, the number of ARP probes is 3.

  5. Run:

    arp detect-mode unicast

    An interface is configured to send ARP aging probe packets in unicast mode.

    By default, an interface sends ARP aging probe packets in broadcast mode.

Enabling ARP Suppression Function

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    arp-suppress enable

    ARP suppression is enabled on the current device.

    By default, ARP suppression is disabled, but it is enabled on VLANIF interfaces.

Enabling Layer 2 Topology Detection

Context

Layer 2 topology detection enables the system to update all the ARP entries in the VLAN that a Layer 2 interface belongs to when the Layer 2 interface status changes from Down to Up.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    l2-topology detect enable

    Layer 2 topology detection is enabled.

    By default, Layer 2 topology detection is disabled.

Configuring Unicast ARP Probe
Background Information
To improve network security, some devices do not support broadcast packets.
  • Before an ARP entry ages out, the local device broadcasts an ARP request packet in an attempt to update the ARP entry based on the reply from a peer device. If the peer device does not support broadcast packets, it does not respond to the broadcast ARP request packet, so the local device considers the peer device offline and deletes the ARP entry. As a result, services will be interrupted between the two devices.
  • If the local device is new, it will broadcast an ARP request packet to learn the MAC addresses of other devices. If a peer device does not support broadcast packets, it will discard the ARP request packet, so the local device will not learn the peer device's MAC address. As a result, new services will not be started between the two devices.
To resolve these problems, enable the unicast ARP probe function. This function enables a local interface to send a unicast ARP request packet that carries the specified IP and MAC addresses. The unicast ARP probe function improves network security, without compromising service stability. The ARP entries learned or updated by the local device will be deleted after their aging time expires and can be updated again after the local device receives ARP request packets from the peer device.

Procedure

  • Run:

    arp send-packet ip-address mac-address interface interface-type interface-number [ vid vid ]

    The unicast ARP probe function is configured.

Checking the Configuration
Procedure
  • Run the display arp [ all | brief ] command to check all ARP mapping entries.

  • Run the display arp interface interface-type interface-number command to check ARP mapping entries of a specified interface.

  • Run the display arp network net-number [ net-mask | mask-length ] [ dynamic | static ] command to check ARP mapping entries of a specified network segment.

  • Run the display arp dynamic command to check dynamic ARP mapping entries.

Configuring ARP Automatic Scanning and Fixed ARP

ARP automatic scanning and fixed ARP enable a device to generate dynamic ARP entries and convert the dynamic ARP entries to static ARP entries.

Background Information

To improve communication security, network administrators generally configure static ARP entries on a small-sized LAN. However, if a gateway has many users attached, the administrator has to configure a static ARP entry for each user. Current networks therefore use dynamic ARP for communication.

Dynamic ARP reduces the administrator's workload but has its own limitations. Dynamic ARP entries can be overwritten by subsequently learned ARP entries and are vulnerable to network attacks. Therefore, dynamic ARP cannot guarantee reliable network communication.

ARP automatic scanning is generally used with fixed ARP to defend against network attacks:
  • After ARP automatic scanning is configured, a device automatically scans all its neighbor devices on a LAN. The device sends ARP request packets to its neighbor devices, obtains the MAC addresses of its neighbor devices, and generates dynamic ARP entries.
  • After fixed ARP is configured, the device converts these dynamic ARP entries to static ARP entries.
Pre-configuration Tasks

Before configuring ARP automatic scanning and fixed ARP, create a VLANIF interface.

Data Preparation
To configure ARP automatic scanning and fixed ARP, you need the following data.

No.  Data
1    Start IP address for ARP automatic scanning
2    End IP address for ARP automatic scanning

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface vlanif vlan-id

    The VLANIF interface view is displayed.

    NOTE:
    Before you configure ARP automatic scanning and fixed ARP, run the display arp all command to check all ARP entries of the device. This allows you to compare the number and types of ARP entries before and after ARP automatic scanning and fixed ARP are configured.
    <Huawei> display arp all
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE      
                                              VLAN                                  
    ------------------------------------------------------------------------------  
    169.254.1.1     0053-6721-9e00            I -  Vlanif1                          
    172.168.129.100 0053-6721-9e00            I -  Vlanif2001                       
    172.168.129.129 4c1f-cc05-e1a3  20        D-0  GE0/0/0                          
                                              2001                                  
    ------------------------------------------------------------------------------  
    Total:3         Dynamic:1       Static:0     Interface:2                   

  3. Run:

    arp scan [ start-ip-address to end-ip-address ]

    ARP automatic scanning is configured.

    NOTE:
    After you configure ARP automatic scanning and before you configure fixed ARP, run the display arp all command to check all ARP entries of the device. If only the number of ARP entries increases, the ARP automatic scanning configuration takes effect.
    <Huawei> display arp all
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE      
                                              VLAN                                  
    ------------------------------------------------------------------------------  
    169.254.1.1     0053-6721-9e00            I -  Vlanif1                          
    172.168.129.100 0053-6721-9e00            I -  Vlanif2001                       
    172.168.129.129 4c1f-cc05-e1a3  20        D-0  GE0/0/0                          
                                              2001                                  
    172.168.129.106 0000-0a88-3778  19        D-0  GE0/0/0 
                                              2001                            
    ------------------------------------------------------------------------------  
    Total:4        Dynamic:2       Static:0     Interface:2                        

  4. Run:

    arp fixup

    Fixed ARP is configured.

Checking the Configurations

After the configuration is complete, run the display arp all command to check the configurations of ARP automatic scanning and fixed ARP and compare the number and types of ARP entries before and after ARP automatic scanning and fixed ARP are configured.

<Huawei> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE      
                                          VLAN                                  
------------------------------------------------------------------------------  
169.254.1.1     0053-6721-9e00            I -  Vlanif1                          
172.168.129.100 0053-6721-9e00            I -  Vlanif2001                       
172.168.129.129 4c1f-cc05-e1a3            S--  GE0/0/0                          
                                          2001                                  
172.168.129.106 0000-0a88-3778            S--  GE0/0/0                          
                                          2001                                  
------------------------------------------------------------------------------  
Total:4        Dynamic:0       Static:2     Interface:2                        
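The comparison the guide asks for above (the number and type of ARP entries before and after arp scan and arp fixup), together with the static-entry check from "Configuring Static ARP", can be automated by parsing the display arp all output. The following Python script is an added example, not code from the guide or from Huawei: the two embedded tables are the guide's own display arp all output (separator lines omitted), while SPOOFED and EXPECTED_STATIC are constructed values for the demonstration.

```python
"""Parse and compare Huawei 'display arp all' snapshots.

Added example, not part of the configuration guide. AFTER_SCAN and AFTER_FIXUP are
the guide's own output (separator lines omitted); SPOOFED and EXPECTED_STATIC are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?:(?P<expire>\d+)\s+)?"          # EXPIRE(M) is blank for I and S entries
    r"(?P<type>[IDS])\s*-\s*[-\d]?\s+"  # TYPE is rendered as 'I -', 'D-0' or 'S--'
    r"(?P<iface>\S+)", re.IGNORECASE)

@dataclass
class ArpEntry:
    ip: str
    mac: str
    kind: str               # 'I' interface address, 'D' dynamic, 'S' static
    iface: str
    expire: Optional[int] = None
    vlan: Optional[int] = None

def parse_display_arp(text: str) -> List[ArpEntry]:
    """One ArpEntry per row; a bare numeric line is the VLAN of the row above it."""
    entries: List[ArpEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(ArpEntry(m["ip"], m["mac"].lower(), m["type"].upper(), m["iface"],
                                    int(m["expire"]) if m["expire"] else None))
        elif line.isdigit() and entries:
            entries[-1].vlan = int(line)
    return entries

def mapping_changes(before: str, after: str) -> List[Tuple[str, str, str]]:
    """IPs whose MAC differs between snapshots: the overwrite that static/fixed ARP prevents."""
    old = {e.ip: e.mac for e in parse_display_arp(before)}
    new = {e.ip: e.mac for e in parse_display_arp(after)}
    return [(ip, old[ip], new[ip]) for ip in sorted(old) if ip in new and old[ip] != new[ip]]

def verify_fixup(before: str, after: str) -> List[str]:
    """After 'arp fixup': each former dynamic entry is static with the same MAC, none dynamic left."""
    old = {e.ip: e for e in parse_display_arp(before)}
    new = {e.ip: e for e in parse_display_arp(after)}
    findings = []
    for ip, e in old.items():
        n = new.get(ip)
        if e.kind != "D":
            continue
        if n is None:
            findings.append(f"{ip}: entry disappeared")
        elif n.kind != "S" or n.mac != e.mac:
            findings.append(f"{ip}: now {n.kind} {n.mac}, expected S {e.mac}")
    findings += [f"{ip}: dynamic entry remains" for ip, e in new.items() if e.kind == "D"]
    return findings

def verify_static(text: str, expected: Dict[str, str]) -> List[str]:
    """For 'Configuring Static ARP': each expected IP must be a static entry with the configured MAC."""
    have = {e.ip: e for e in parse_display_arp(text)}
    findings = []
    for ip, mac in expected.items():
        e = have.get(ip)
        if e is None or e.kind != "S":
            findings.append(f"{ip}: not a static entry")
        elif e.mac != mac.lower():
            findings.append(f"{ip}: MAC {e.mac} differs from configured {mac}")
    return findings

AFTER_SCAN = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
169.254.1.1     0053-6721-9e00            I -  Vlanif1
172.168.129.100 0053-6721-9e00            I -  Vlanif2001
172.168.129.129 4c1f-cc05-e1a3  20        D-0  GE0/0/0
                                          2001
172.168.129.106 0000-0a88-3778  19        D-0  GE0/0/0
                                          2001
Total:4        Dynamic:2       Static:0     Interface:2
"""
AFTER_FIXUP = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
169.254.1.1     0053-6721-9e00            I -  Vlanif1
172.168.129.100 0053-6721-9e00            I -  Vlanif2001
172.168.129.129 4c1f-cc05-e1a3            S--  GE0/0/0
                                          2001
172.168.129.106 0000-0a88-3778            S--  GE0/0/0
                                          2001
Total:4        Dynamic:0       Static:2     Interface:2
"""
# Constructed: the fixed table, but 172.168.129.106 now resolves to a different MAC.
SPOOFED = AFTER_FIXUP.replace("0000-0a88-3778", "0000-0a88-beef")
# Constructed: the IP/MAC pairs the operator expects to be pinned as static entries.
EXPECTED_STATIC = {"172.168.129.129": "4c1f-cc05-e1a3", "172.168.129.106": "0000-0a88-3778"}

if __name__ == "__main__":
    print("fixup findings:", verify_fixup(AFTER_SCAN, AFTER_FIXUP) or "none")
    print("static check:", verify_static(AFTER_FIXUP, EXPECTED_STATIC) or "ok")
    print("mapping changes:", mapping_changes(AFTER_FIXUP, SPOOFED))
```

Run stand-alone, the script reports no findings for the guide's own before/after tables and one mapping change for the constructed SPOOFED table. In operation the snapshots would be captured from the device and passed to the same functions; a non-empty mapping_changes result for an address that is supposed to be pinned, or a dynamic entry reappearing after arp fixup, is the condition worth alerting on.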

Configuring Proxy ARP

The access point can function as a proxy for the destination host and reply to an ARP Request message on its behalf.

Pre-configuration Tasks

Before configuring proxy ARP, complete the following task:

  • Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status of the interfaces is Up

Configuring Routed Proxy ARP

Context

Proxy ARP enables PCs or access points that are on the same network segment but on different physical networks to communicate. In practice, if a STA connected to the access point is not configured with a default gateway address (that is, the STA does not know how to reach the intermediate system of the network), the STA cannot forward data packets. Routed proxy ARP solves this problem.

Figure 7-63 shows the routed proxy ARP networking. The AP uses VLAN10 and VLAN20 to connect two networks. The IP addresses of the two VLANIF interfaces are on different network segments. However, the subnet masks place STA1 and VLANIF10 on the same network segment, STA2 and VLANIF20 on the same network segment, and STA1 and STA2 on the same network segment.

Figure 7-63  Networking diagram for configuring routed proxy ARP

STA1 sends an ARP Request packet requesting the MAC address of STA2. After receiving the packet, the AP replies with its own MAC address. STA1 then forwards data using the MAC address of the AP.

The IP addresses of the STAs on a subnet have the same network ID, so no default gateway address needs to be configured on the STAs.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

    On the device, routed proxy ARP can be enabled only on VLANIF interfaces.

  3. Run:

    ip address ip-address { mask | mask-length }

    IP addresses are configured for interfaces.

    The IP address configured on the interface enabled with routed proxy ARP must be on the same network segment as the IP address of the STA or server connected to the LAN.

  4. Run:

    arp-proxy enable

    Routed proxy ARP is enabled on the interface.

    After proxy ARP is enabled, the aging time of ARP entries on the STAs should be shortened so that invalid ARP entries are deleted as soon as possible. This reduces the number of packets that the device receives but cannot forward. To set the ARP aging time, run the arp expire-time expire-time command.

Checking the Configuration

After routed proxy ARP is configured, run the following command to check the configuration.

  • Run the display arp interface interface-type interface-number command to check ARP mapping entries of a specified interface.

Configuring Intra-VLAN Proxy ARP

Context

If two STAs belong to the same VLAN but are isolated, enable intra-VLAN proxy ARP on an interface associated with the VLAN to allow the STAs to communicate.

As shown in Figure 7-64, STA1 and STA2 connect to AP1. The two interfaces that connect STA1 and STA2 to AP1 belong to VLAN10.

Figure 7-64  Intra-VLAN proxy ARP application

STA1 and STA2 cannot communicate at Layer 2 because interface isolation in a VLAN is configured on AP1.

To solve this problem, enable intra-VLAN proxy ARP on the interfaces of AP1. After an interface of AP1 receives an ARP Request packet whose destination address is STA2 and whose source address is STA1, AP1 does not discard the packet but searches its ARP table. If an ARP entry matching STA2 exists, AP1 replies to STA1 with its own MAC address and forwards the packets sent from STA1 to STA2. AP1 thus functions as the proxy of STA2.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

    On the device, intra-VLAN proxy ARP can be enabled only on VLANIF interfaces.

  3. Run:

    arp-proxy inner-sub-vlan-proxy enable

    Intra-VLAN proxy ARP is enabled.

Checking the Configuration

After intra-VLAN proxy ARP is configured, run the following command to check the configuration.

  • Run the display arp interface interface-type interface-number command to check ARP mapping entries of a specified interface.
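To make the two proxy ARP behaviours concrete, the following Python model is an added example, not code from the guide or from the device software: it encodes the decision each variant makes when a VLANIF interface receives an ARP Request. The access point, the VLANIF and STA addresses, and the MAC addresses are constructed to match the Figure 7-63 and Figure 7-64 descriptions (two VLANIFs on different /24 segments whose STAs carry a /16 mask and no default gateway; one VLANIF with port-isolated STAs).

```python
"""Model of the decisions made by routed proxy ARP and intra-VLAN proxy ARP.

Added example, not part of the configuration guide. All addresses, MACs and
interface names below are constructed to match the Figure 7-63 and 7-64 text.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_interface
from typing import Dict, Optional


@dataclass
class Vlanif:
    addr: IPv4Interface                  # interface address and mask, e.g. 172.16.1.1/24
    routed_proxy: bool = False           # 'arp-proxy enable'
    intra_vlan_proxy: bool = False       # 'arp-proxy inner-sub-vlan-proxy enable'
    arp_table: Dict[str, str] = field(default_factory=dict)  # ip -> mac learned here


@dataclass
class AccessPoint:
    mac: str
    vlanifs: Dict[str, Vlanif]


def sta_arps_directly(sta: IPv4Interface, dst: IPv4Address) -> bool:
    """A STA without a default gateway can only ARP for destinations it believes are on-link."""
    return dst in sta.network


def routed_proxy_reply(ap: AccessPoint, ingress: str, target: IPv4Address) -> Optional[str]:
    """Routed proxy ARP: the target is off-link for the ingress VLANIF but on-link for
    another VLANIF, so the AP answers with its own MAC and the sender forwards via the AP."""
    vif = ap.vlanifs[ingress]
    if not vif.routed_proxy or target in vif.addr.network:
        return None                      # disabled, or the real host can answer itself
    for name, other in ap.vlanifs.items():
        if name != ingress and target in other.addr.network:
            return ap.mac
    return None


def intra_vlan_proxy_reply(ap: AccessPoint, ingress: str, target: IPv4Address) -> Optional[str]:
    """Intra-VLAN proxy ARP: the STAs share a VLAN but are port-isolated, so the AP answers
    with its own MAC when it already holds an ARP entry for the target."""
    vif = ap.vlanifs[ingress]
    if vif.intra_vlan_proxy and str(target) in vif.arp_table:
        return ap.mac
    return None


# Constructed routed case (Figure 7-63): two VLANIFs on different /24 segments,
# STAs with a /16 mask and no default gateway, proxy enabled on Vlanif10 only.
AP = AccessPoint("00e0-fc12-3456", {
    "Vlanif10": Vlanif(ip_interface("172.16.1.1/24"), routed_proxy=True),
    "Vlanif20": Vlanif(ip_interface("172.16.2.1/24")),
})
STA1, STA2 = ip_interface("172.16.1.2/16"), ip_interface("172.16.2.2/16")

# Constructed intra-VLAN case (Figure 7-64): one VLANIF, STA2 already in the ARP table.
AP1 = AccessPoint("00e0-fc65-4321", {
    "Vlanif10": Vlanif(ip_interface("192.168.10.1/24"), intra_vlan_proxy=True,
                       arp_table={"192.168.10.3": "0011-2233-4455"}),
})


def demo_results() -> Dict[str, object]:
    """Decisions for the constructed topologies; None means the AP stays silent."""
    return {
        "sta1_arps_for_sta2": sta_arps_directly(STA1, STA2.ip),
        "routed_reply_vlanif10": routed_proxy_reply(AP, "Vlanif10", STA2.ip),
        "routed_reply_on_link_target": routed_proxy_reply(AP, "Vlanif10", ip_address("172.16.1.3")),
        "routed_reply_vlanif20_disabled": routed_proxy_reply(AP, "Vlanif20", STA1.ip),
        "intra_reply_known_sta": intra_vlan_proxy_reply(AP1, "Vlanif10", ip_address("192.168.10.3")),
        "intra_reply_unknown_sta": intra_vlan_proxy_reply(AP1, "Vlanif10", ip_address("192.168.10.9")),
    }


if __name__ == "__main__":
    for name, decision in demo_results().items():
        print(f"{name}: {decision}")
```

The on-link check in routed_proxy_reply is the reason the guide recommends shortening the STAs' ARP aging time: every reply the AP gives maps a remote IP address to the AP's own MAC, and once that host moves or disappears the STA keeps sending frames to the AP until its entry ages out.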

Updated: 2019-01-11

Document ID: EDOC1000176006