Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ARP Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

arp auto-scan enable

Function

The arp auto-scan enable command enables automatic ARP scanning on a sub-interface.

The undo arp auto-scan enable command disables automatic ARP scanning on a sub-interface.

By default, automatic ARP scanning is disabled on a sub-interface.

NOTE:

Only the S5720HI supports this command.

Format

arp auto-scan enable

undo arp auto-scan enable

Parameters

None

Views

GE sub-interface view, XGE sub-interface view, Eth-Trunk sub-interface view, VE sub-interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After automatic ARP scanning is enabled on a sub-interface whose IP address mask length is greater than or equal to 24 bits and whose protocol status is Up, the switch scans the IP addresses on the network segment to which the sub-interface's primary IP address belongs and immediately learns the ARP entries of the remote devices.

Precautions

Automatic ARP scanning can be enabled on a maximum of 512 sub-interfaces of a switch simultaneously. If automatic ARP scanning is enabled on multiple sub-interfaces simultaneously and the protocol status of the sub-interfaces is Up, the switch sends detection packets to the sub-interfaces, causing high CPU usage.

To prevent the delay of the interface Up event caused by loop detection, the switch enabled with automatic ARP scanning sends detection packets after a delay of 10s.

Example

# Enable automatic ARP scanning.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1.10
[HUAWEI-GigabitEthernet0/0/1.10] arp auto-scan enable

arp broadcast disable (VLANIF interface view)

Function

The arp broadcast disable command disables a VLANIF interface from broadcasting ARP packets.

The undo arp broadcast disable command enables a VLANIF interface to broadcast ARP packets.

By default, VLANIF interfaces are enabled to broadcast ARP packets.

NOTE:

Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this command.

Format

arp broadcast disable

undo arp broadcast disable

Parameters

None

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, a VLANIF interface broadcasts ARP packets in a VLAN. For example, on the large Layer 2 aggregation network shown in Figure 6-1, user hosts connect to CE1 through CE100 to access the aggregation device PE that has VLANIF10 configured as the user gateway. As VLANIF10 by default broadcasts ARP packets, these ARP packets are flooded on the user network, consuming a large number of network resources, which affects services and gateway performance.

Figure 6-1  Layer 2 aggregation network

To ensure user services and aggregation gateway performance, run the arp broadcast disable command to disable the aggregation gateway's VLANIF interface from broadcasting ARP packets.

Precautions

Exercise caution when disabling a VLANIF interface from broadcasting ARP packets because this affects the following scenarios in the following ways:
  • Proxy ARP scenarios, including intra-VLAN proxy ARP and inter-VLAN proxy ARP

    After a VLANIF interface is disabled from broadcasting ARP packets, the proxy does not forward ARP Request messages from a host to their destinations even if all proxy conditions are met. As a result, proxy ARP fails.

  • Scenarios in which hosts send unicast packets

    For example, in ping operations, ICMP Echo Request messages must be encapsulated with MAC addresses mapped to the destination IP addresses. If the host does not have ARP entries, it must send ARP Request messages to learn the MAC address mapped to the destination IP address. However, the VLANIF interface is disabled from broadcasting ARP packets, and therefore cannot send ARP Request messages. Subsequently, the host cannot obtain the MAC address mapped to the destination IP address, causing a ping operation failure. This problem also occurs in other scenarios in which hosts send unicast packets.

  • Strict ARP learning scenarios

    In a strict ARP learning scenario, a device learns MAC addresses only from ARP Reply messages that respond to ARP Request messages it has sent. If the VLANIF interface is disabled from broadcasting ARP packets, it cannot actively send ARP Request messages. As a result, strict ARP learning fails.

  • VLAN aggregation scenarios

    If the VLANIF interface is disabled from broadcasting ARP packets, the super VLAN will not broadcast ARP packets to all its sub-VLANs.

After a VLANIF interface is disabled from broadcasting ARP packets, gratuitous ARP packets will still be sent normally.

Switching between enabling and disabling the ARP broadcasting function on a VLANIF interface will cause the direct routes to flap temporarily.

Example

# Disable VLANIF 10 from broadcasting ARP packets.

<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp broadcast disable
Warning: This operation will cause the device to fail to send ARP broadcast packets, continue?[Y/N]:y

arp detect-mode unicast

Function

The arp detect-mode unicast command configures an interface to send ARP aging probe packets in unicast mode.

The undo arp detect-mode unicast command restores the default ARP aging probe mode on an interface.

By default, an interface broadcasts only the last ARP aging probe packet, and unicasts other ARP aging probe packets.

Format

arp detect-mode unicast

undo arp detect-mode unicast

Parameters

None

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, VLANIF interface view, VBDIF interface view, VE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the aging time of a dynamic ARP entry on an interface expires, the switch sends an aging probe packet (ARP Request packet) from the interface. If the switch receives an ARP Reply packet, it updates this dynamic ARP entry and the aging probe ends. If the switch does not receive an ARP Reply packet after the configured aging probe attempts, it deletes the dynamic ARP entry and the aging probe ends. The aging probe packet can be a unicast or broadcast packet.

If a non-Huawei device receives an ARP aging probe packet with the destination MAC address as the broadcast address from a switch, but the ARP entry of the switch already exists in its ARP table, the non-Huawei device discards the ARP aging probe packet. Failing to receive an ARP Reply to the ARP aging probe packet, the switch deletes the corresponding ARP entry. As a result, the traffic from the network side is interrupted. To resolve this problem, the switch must be configured to send ARP aging probe packets in unicast mode, and the non-Huawei device must be configured to respond to unicast ARP aging probe packets.

Precautions

If the IP address of the peer device remains the same but the MAC address changes frequently, configuring an interface to send ARP aging probe packets in broadcast mode is recommended.

If the MAC address of the peer device remains the same, the network bandwidth is insufficient, and the aging time of ARP entries is set to a small value, configuring an interface to send ARP aging probe packets in unicast mode is recommended.

Example

# Configure the interface VLANIF 100 to unicast ARP aging probe packets.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp detect-mode unicast

arp detect-times

Function

The arp detect-times command sets the number of aging probes for dynamic ARP entries.

The undo arp detect-times command restores the default number of aging probes for dynamic ARP entries.

The default number of aging probes for dynamic ARP entries is 3.

Format

arp detect-times detect-times

undo arp detect-times

Parameters

Parameter | Description | Value
detect-times | Specifies the number of aging probes for dynamic ARP entries. | The value is an integer that ranges from 0 to 10. The default value is 3.

Views

System view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, VLANIF interface view, VBDIF interface view, VE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the ARP table of the local device already contains the mapping between the IP address and the MAC address of the peer device, the local device sends data packets directly to the peer device instead of first sending ARP Request packets. If the peer device fails or its network card is replaced but the local device is not informed of the fault or change, the local device keeps sending data packets to the original destination MAC address. This causes the traffic to be interrupted.

Therefore, to enhance communication reliability, run the arp detect-times command to set the number of aging probes for dynamic ARP entries so that the entries are updated.

After the aging time of a dynamic ARP entry on an interface expires, the switch sends an aging probe packet (ARP Request packet) from the interface. If the switch receives an ARP Reply packet, it updates this dynamic ARP entry and the aging probe ends. If the switch does not receive an ARP Reply packet after the configured aging probe attempts, it deletes the dynamic ARP entry and the aging probe ends.

Precautions

If the number of aging probes is set to 0, the device directly deletes expired dynamic ARP entries.

The arp detect-times command can be configured globally or on a specified interface. If the command is not configured on the interface, the globally configured number of aging probes applies to the dynamic ARP entries. If the command is configured both globally and on the interface, the number of aging probes configured on the interface applies.

Example

# Set the number of aging probes for dynamic ARP entries on VLANIF 100 to 5.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp detect-times 5
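
The following Python model is an added example, not Huawei code. It combines the probe mode described under arp detect-mode unicast with the probe count and global/interface precedence described above. The function names and the peer model (a set of probe modes the peer answers) are assumptions, and a single probe in the default mode is treated as the "last" probe, which is a literal reading of the page's wording.

```python
"""Model of the ARP aging probe behaviour described on this page (added example)."""

DEFAULT_DETECT_TIMES = 3      # default stated by the page
MIN_TIMES, MAX_TIMES = 0, 10  # value range stated by the page


def effective_detect_times(global_value=None, interface_value=None):
    """Return the probe count that applies to an interface.

    The interface setting wins over the global one; if neither is
    configured, the default of 3 applies.
    """
    for value in (interface_value, global_value):
        if value is not None:
            if not MIN_TIMES <= value <= MAX_TIMES:
                raise ValueError("detect-times must be in 0..10")
            return value
    return DEFAULT_DETECT_TIMES


def probe_modes(detect_times, unicast_mode=False):
    """List the mode of each aging probe in the order it is sent.

    Default mode: every probe is unicast except the last one, which is
    broadcast. With 'arp detect-mode unicast' all probes are unicast.
    """
    if detect_times == 0:
        return []
    if unicast_mode:
        return ["unicast"] * detect_times
    return ["unicast"] * (detect_times - 1) + ["broadcast"]


def age_out(detect_times, unicast_mode, peer_answers):
    """Run the aging probe for one expired dynamic ARP entry.

    peer_answers is the set of probe modes the peer replies to
    (hypothetical peer model). Returns (outcome, probes_sent), where
    outcome is "updated" if an ARP Reply arrived and "deleted" otherwise.
    """
    sent = []
    for mode in probe_modes(detect_times, unicast_mode):
        sent.append(mode)
        if mode in peer_answers:
            return "updated", sent
    return "deleted", sent


if __name__ == "__main__":
    # Constructed scenarios, not captured from a device.
    times = effective_detect_times(global_value=5, interface_value=1)
    # Peer that discards broadcast probes but answers unicast ones.
    print(age_out(times, unicast_mode=False, peer_answers={"unicast"}))
    print(age_out(times, unicast_mode=True, peer_answers={"unicast"}))
    # Peer whose MAC address changed: only a broadcast probe reaches it.
    print(age_out(3, unicast_mode=False, peer_answers={"broadcast"}))
    print(age_out(3, unicast_mode=True, peer_answers={"broadcast"}))
```

The last two scenarios show why the page recommends broadcast probes for a peer whose MAC address changes and unicast probes for a peer that discards broadcast probes.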

arp direct-route enable

Function

The arp direct-route enable command enables the ARP module to send ARP Vlink direct routes to the route management (RM) module.

The undo arp direct-route enable command disables the ARP module from sending ARP Vlink direct routes to the RM module.

By default, the ARP module is disabled from sending ARP Vlink direct routes to the RM module.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this command.

Format

arp direct-route enable

undo arp direct-route enable

Parameters

None

Views

GE sub-interface view, XGE sub-interface view, 40GE sub-interface view, Eth-Trunk sub-interface view, VE sub-interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ARP Vlink direct routes are 32-bit host routes that are generated based on ARP entries statically configured or dynamically learned.

In most cases, ARP Vlink direct routes are only used to guide local forwarding. To control the scale and maintain the stability of the routing table, the ARP module does not send ARP Vlink direct routes to the RM module.

In some scenarios, however, the device needs to perform operations based on specific routes of users. For example, the device needs to directly send the network traffic to specific user terminals, or route filtering is used to restrict inter-device communication.

In these scenarios, run the arp direct-route enable command to enable the ARP module to send ARP Vlink direct routes to the RM module. This configuration allows the device to select ARP Vlink direct routes based on longest match first to guide traffic forwarding, and accordingly accurately control downstream traffic, which improves the forwarding efficiency.

Follow-up Procedure

If you want the device to advertise ARP Vlink direct routes to upstream devices after you enable the ARP module to send ARP Vlink direct routes to the RM module, perform the following operations in sequence:
  1. Run the arp vlink-direct-route advertise command to configure the device to advertise ARP Vlink direct routes.
  2. Configure the device to import the ARP Vlink direct routes to the routing tables of the routing protocols running on the device for the ARP Vlink direct routes to be advertised.

Precautions

Currently, the ARP module can only send ARP Vlink direct routes of sub-interfaces to the RM module.

Example

# Enable the ARP module to send ARP Vlink direct routes to the RM module.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1.1
[HUAWEI-GigabitEthernet0/0/1.1] arp direct-route enable

arp expire-time

Function

The arp expire-time command sets the aging time of dynamic ARP entries.

The undo arp expire-time command restores the default aging time of dynamic ARP entries.

By default, the aging time of dynamic ARP entries is 1200 seconds, that is, 20 minutes.

Format

arp expire-time expire-time

undo arp expire-time

Parameters

Parameter | Description | Value
expire-time | Specifies the aging time of dynamic ARP entries. | The value is an integer that ranges from 30 to 62640, in seconds. The default value is 1200 seconds, that is, 20 minutes.

Views

System view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, VLANIF interface view, VBDIF interface view, VE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To ensure communication reliability, you need to update ARP entries when they are invalid. A dynamic ARP entry has a life cycle. If a dynamic ARP entry is not updated before its life cycle ends, this dynamic ARP entry will be deleted from the ARP table. The life cycle is called aging time. If the entry is updated before its life cycle expires, the aging time of the entry is recalculated.

You can run the arp expire-time command to configure the aging time of dynamic ARP entries, ensuring that dynamic ARP entries are updated in time.

After the aging time of a dynamic ARP entry on an interface expires, the switch sends an aging probe packet (ARP Request packet) from the interface. If the switch receives an ARP Reply packet, it updates this dynamic ARP entry and the aging probe ends. If the switch does not receive an ARP Reply packet after the configured aging probe attempts, it deletes the dynamic ARP entry and the aging probe ends.

Precautions

  • If the aging time set for a dynamic ARP entry is short, refreshing the ARP entry consumes a large amount of system resources, which adversely affects other services and can cause network flapping and even affect traffic forwarding.
  • If the aging time set for a dynamic ARP entry is long, the ARP entry will not be promptly updated when it becomes invalid. For example, if a device fails or a network card is changed but the invalid ARP entry has not been updated yet, the device sends packets to the peer device based on the existing ARP entry. As a result, the service will be interrupted.

To ensure system stability, use the default value of 20 minutes for a dynamic ARP entry.

If a new aging time is set on an interface that has already learned ARP entries, the new aging time will not take effect on the ARP entries that have been learned, but will take effect on the ARP entries to be learned.

After proxy ARP is enabled on the device, the aging time of ARP entries on user hosts connected to the device should be shortened so that invalid ARP entries on the hosts can be deleted as soon as possible. This decreases packet forwarding failures on the device.

You can adjust the aging parameters of dynamic ARP entries in both the system view and interface view.
  • If you configure the parameters only in the system view, the configuration takes effect for the dynamic ARP entries learned on all interfaces of the device.
  • If you configure the parameters in both the system and interface views, the configuration in the interface view takes effect only for the dynamic ARP entries learned on the interface specified.
  • You cannot adjust the aging parameters of dynamic ARP entries on sub-interfaces. If you configure the parameters on the master interface, the configuration takes effect for the dynamic ARP entries learned on the sub-interfaces. If you do not configure the parameters on the master interface, the configuration in the system view takes effect for the dynamic ARP entries learned on the sub-interfaces.

Example

# Set the aging time of dynamic ARP entries to 600 seconds on VLANIF 100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp expire-time 600

arp fixup

Function

The arp fixup command configures fixed ARP and converts the dynamic ARP entries learned by the device into static ARP entries.

Format

arp fixup

Parameters

None

Views

VLANIF interface view, GE interface view, GE sub-interface view, 40GE interface view, 40GE sub-interface view, XGE interface view, XGE sub-interface view, Eth-Trunk interface view, or Eth-Trunk sub-interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent attackers from forging ARP packets and modifying dynamic ARP entries on the device, you can run the arp fixup command on interfaces to configure fixed ARP and convert the dynamic ARP entries learned by the device into static ARP entries.

Fixed ARP is used together with ARP automatic scanning. Run the arp scan command to configure ARP automatic scanning so that the device can obtain the dynamic ARP entries from the devices in the network. Then run the arp fixup command to configure fixed ARP so that the device converts the obtained dynamic ARP entries to static ARP entries to prevent network attacks.

Prerequisites

If an Ethernet interface works in Layer 2 mode, run the undo portswitch command to switch the interface to Layer 3 mode.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support switching between Layer 2 and Layer 3 modes.

Precautions

  • The number of static ARP entries converted through fixed ARP depends on the number of static ARP entries supported on the device. When the number of dynamic ARP entries exceeds the maximum value supported on the device, excess dynamic ARP entries will not be converted and the system displays an error message.
  • The static ARP entries converted through fixed ARP are the same as manually configured static ARP entries. You can run the undo arp static command to delete an individual entry or the reset arp static command to delete all the entries.

Example

# Configure fixed ARP on VLANIF 100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp fixup
Warning: This operation may generate configuration of static ARP, and take a long time, press CTRL+C to break. Continue?[Y/N]:y

arp ip-conflict-detect enable

Function

The arp ip-conflict-detect enable command enables the switch to log IP address conflicts during IP address conflict detection.

The undo arp ip-conflict-detect enable command disables the switch from logging IP address conflicts during IP address conflict detection.

By default, IP address conflicts during IP address conflict detection are not logged.

Format

arp ip-conflict-detect enable

undo arp ip-conflict-detect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the IP addresses of devices on the network conflict, the CPU usage becomes excessively high and routes on the devices flap frequently. This greatly affects user services and even results in service interruption. You can run the arp ip-conflict-detect enable command to enable the switch to log IP address conflicts during IP address conflict detection. In this way, the device IP addresses can be properly managed, reducing the impact of IP address conflicts on user services.

When a device enabled with IP address conflict detection receives a non-gratuitous ARP packet from a user, the device compares the source IP address and source MAC address of the packet with the ARP entries that the device has learned. If the source IP address matches an ARP entry but the MAC address matches no ARP entry, an IP address conflict has occurred. The device then generates log information to inform the user.

Example

# Enable the switch to log IP address conflicts during IP address conflict detection.

<HUAWEI> system-view
[HUAWEI] arp ip-conflict-detect enable
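
The comparison described above can be reproduced offline against a saved ARP table and a list of observed ARP packets. This Python sketch is an added example, not Huawei code. The names, the sample addresses and the per-conflict counting are assumptions, and the check is read as "the sender MAC differs from the MAC learned for that IP address".

```python
"""Offline version of the IP address conflict check (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    target_ip: str


def normalize_mac(mac):
    """Reduce aa:bb:cc:dd:ee:ff, aa-bb-... and xxxx-xxxx-xxxx to 12 hex digits."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits


def find_ip_conflicts(arp_table, packets):
    """Return one record per (IP, learned MAC, seen MAC) conflict.

    arp_table maps IP address -> MAC address of the learned entries.
    Gratuitous ARP packets (sender IP equals target IP) are skipped,
    because the page applies the check to non-gratuitous packets only.
    Packets from IP addresses with no learned entry are not conflicts.
    """
    learned = {ip: normalize_mac(mac) for ip, mac in arp_table.items()}
    counts = {}
    for pkt in packets:
        if pkt.sender_ip == pkt.target_ip:
            continue  # gratuitous ARP
        known_mac = learned.get(pkt.sender_ip)
        if known_mac is None:
            continue  # no ARP entry for this source IP address
        seen_mac = normalize_mac(pkt.sender_mac)
        if seen_mac != known_mac:
            key = (pkt.sender_ip, known_mac, seen_mac)
            counts[key] = counts.get(key, 0) + 1
    return [
        {"ip": ip, "learned_mac": known, "seen_mac": seen, "count": n}
        for (ip, known, seen), n in counts.items()
    ]


# Constructed sample data, not taken from a real device.
SAMPLE_TABLE = {
    "10.1.1.2": "00e0-fc12-3456",
    "10.1.1.3": "00e0-fc12-789a",
}
SAMPLE_PACKETS = [
    ArpPacket("10.1.1.2", "00:e0:fc:12:34:56", "10.1.1.1"),  # matches entry
    ArpPacket("10.1.1.3", "00e0-fcaa-bbcc", "10.1.1.1"),     # conflict
    ArpPacket("10.1.1.3", "00e0-fcaa-bbcc", "10.1.1.2"),     # same conflict
    ArpPacket("10.1.1.3", "00e0-fcdd-eeff", "10.1.1.3"),     # gratuitous
    ArpPacket("10.1.1.9", "00e0-fc00-0009", "10.1.1.1"),     # unknown IP
]

if __name__ == "__main__":
    for record in find_ip_conflicts(SAMPLE_TABLE, SAMPLE_PACKETS):
        print(record)
```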

arp learning double-tag disable

Function

The arp learning double-tag disable command disables ARP learning for packets with double VLAN tags.

The undo arp learning double-tag disable command enables ARP learning for packets with double VLAN tags.

By default, ARP learning is enabled on a switch for packets with double VLAN tags.

Format

arp learning double-tag disable

undo arp learning double-tag disable

Parameters

None

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

In Figure 6-2, users belong to different VLANs and are connected to the gateway router through the switch. The switch is connected to the sub-interface for VLAN termination on the router through VLANIF 100. GE0/0/1 on the switch is configured as a hybrid interface, added to VLAN 10 in untagged mode, and added to VLAN 20 and VLAN 30 in tagged mode. Static ARP binding is configured for user 2 and user 3 on the router, and the inner and outer VLANs are specified.
Figure 6-2  Networking of disabling ARP learning for packets with double VLAN tags

When the router pings the IP address 192.168.1.10 of VLANIF 100 on the switch, the switch learns an ARP entry containing the IP address 192.168.1.20 and VLAN ID 100 of the router's sub-interface.

When the router sends ARP probe packets to a user (for example, user 2) who is not directly connected to the switch, the source IP address in the probe packets is the IP address 192.168.1.20 of the router's sub-interface, and the probe packets contain double VLAN tags. The outer VLAN ID is 100 and the inner VLAN ID is 20. When the probe packets pass through the switch, the switch updates the original ARP entry, and records the outer VLAN ID 100 and inner VLAN ID 20.

By default, the fast ICMP reply function is enabled on the switch. When receiving ICMP request packets, the receiving interface on the switch does not send the packets to the CPU for processing, and directly replies with ICMP reply packets. When the router pings the IP address 192.168.1.10 of VLANIF 100 on the switch, ICMP reply packets match the ARP entry containing the IP address 192.168.1.20, and the ARP entry corresponds to the outer VLAN ID 100 and inner VLAN ID 20. Therefore, ICMP reply packets sent by the switch contain double VLAN tags. When checking the VLAN in received packets, the router detects that the packets contain double VLAN tags instead of one VLAN tag, and discards the packets. Therefore, the router fails to ping the IP address 192.168.1.10 of VLANIF 100 on the switch.

You can run the arp learning double-tag disable command on the switch to disable ARP learning for packets with double VLAN tags. After this function is disabled, the switch does not learn ARP entries from ARP probe packets with double VLAN tags sent from the router to a user, and does not update the learned ARP entry containing the IP address 192.168.1.20 and VLAN ID 100. The router can always ping the IP address 192.168.1.10 of VLANIF 100 on the switch.

Example

# Disable ARP learning for packets with double VLAN tags on VLANIF 100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp learning double-tag disable

arp learning multicast disable

Function

The arp learning multicast disable command disables an interface from learning ARP entries with multicast MAC addresses.

The undo arp learning multicast disable command enables an interface to learn ARP entries with multicast MAC addresses.

By default, if a device is globally enabled to learn ARP entries with multicast MAC addresses, this function is enabled on all the interfaces. If a device is globally disabled from learning ARP entries with multicast MAC addresses, this function is disabled on all the interfaces.

Format

arp learning multicast disable

undo arp learning multicast disable

Parameters

None

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, VLANIF interface view, VBDIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IP address may map to a multicast MAC address. In this case, a network administrator has to configure a static ARP entry. After a device is enabled to learn ARP entries with multicast MAC addresses, the device can generate dynamic ARP entries. This reduces a network administrator's workload and decreases network operation and maintenance costs.

After a device is globally enabled to learn ARP entries with multicast MAC addresses, all the interfaces will learn ARP entries when receiving ARP packets with the multicast MAC addresses as source MAC addresses. This increases system resource consumption and affects user service running. You can run the arp learning multicast disable command on an interface to disable the interface from learning ARP entries with multicast MAC addresses.

Precautions

After an interface is disabled from learning ARP entries with multicast MAC addresses, the interface directly discards ARP packets with the multicast MAC addresses as source MAC addresses, which may result in service interruption.

In the multicast service scenario, if the mapping between IP addresses and multicast MAC addresses is not specified using the arp static command, do not disable the specified interface from learning ARP entries with multicast MAC addresses to ensure normal running of the multicast service.

After an interface is disabled from learning ARP entries with multicast MAC addresses using the arp learning multicast disable command, you can run the undo arp learning multicast disable or arp learning multicast enable command on the interface to enable it to learn multicast MAC addresses. The differences between the two commands are as follows:
  • After you run the arp learning multicast enable command, the configuration on the interface takes effect.
  • After you run the undo arp learning multicast disable command, the global configuration takes effect.

Example

# Disable an interface from learning ARP entries with multicast MAC addresses.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp learning multicast disable

arp learning multicast enable (interface view)

Function

The arp learning multicast enable command enables an interface to learn ARP entries with multicast MAC addresses.

The undo arp learning multicast enable command disables an interface from learning ARP entries with multicast MAC addresses.

By default, if a device is globally enabled to learn ARP entries with multicast MAC addresses, this function is enabled on all the interfaces. If a device is globally disabled from learning ARP entries with multicast MAC addresses, this function is disabled on all the interfaces.

Format

arp learning multicast enable

undo arp learning multicast enable

Parameters

None

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, VLANIF interface view, VBDIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IP address may map to a multicast MAC address. In this case, a network administrator has to configure a static ARP entry. After a device is enabled to learn ARP entries with multicast MAC addresses, the device can generate dynamic ARP entries. This reduces a network administrator's workload and decreases network operation and maintenance costs.

Precautions

After a device is enabled to learn ARP entries with multicast MAC addresses, the device may be attacked by ARP attack packets with multicast MAC addresses.

To prevent the device from being attacked, multicast MAC address learning adopts the most precise matching rule:
  • When the function is enabled globally and on an interface, the configuration on the interface takes effect.
  • When the function is disabled on an interface, the global configuration takes effect.
  • When the function is disabled globally, the configuration on the interface takes effect.
If you run the undo arp learning multicast enable command on an interface when the function is enabled globally and on the interface, the global configuration takes effect and the function is still enabled. To completely disable the interface from learning ARP entries with multicast MAC addresses, run the arp learning multicast disable command on the interface.

Example

# Enable GigabitEthernet0/0/1 to learn ARP entries with multicast MAC addresses.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp learning multicast enable

arp learning multicast enable (system view)

Function

The arp learning multicast enable command globally enables a device to learn ARP entries with multicast MAC addresses.

The undo arp learning multicast enable command globally disables a device from learning ARP entries with multicast MAC addresses.

By default, a device is globally disabled from learning ARP entries with multicast MAC addresses.

Format

arp learning multicast enable

undo arp learning multicast enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IP address may map to a multicast MAC address. In this case, a network administrator has to configure a static ARP entry. After a device is enabled to learn ARP entries with multicast MAC addresses, the device can generate dynamic ARP entries. This reduces a network administrator's workload and decreases network operation and maintenance costs.

Precautions

After a device is enabled to learn ARP entries with multicast MAC addresses, the device may be attacked by ARP attack packets with multicast MAC addresses.

The arp learning multicast enable and arp learning multicast disable commands can be used together on an interface to precisely control the range of ARP entries with multicast MAC addresses to be learned.

Example

# Globally enable a device to learn ARP entries with multicast MAC addresses.

<HUAWEI> system-view
[HUAWEI] arp learning multicast enable

arp purge slowly

Function

The arp purge slowly command enables a device to delete dynamic ARP entries after a delay when a VLANIF member interface goes Down.

The undo arp purge slowly command restores the default setting.

By default, a device deletes dynamic ARP entries immediately when a VLANIF member interface goes Down.

Format

arp purge slowly

undo arp purge slowly

Parameters

None

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, when a VLANIF member interface goes Down, a device immediately deletes the dynamic ARP entries learned by the member interface. At this time, the VLANIF interface needs to relearn ARP entries to forward user traffic. However, in some special networking scenarios, such as the ring or dual-homed networking, a VLANIF member interface going Down does not necessarily mean that its interconnected interface is deleted. The outbound interfaces of ARP entries may change. In this situation, it will take a long time for the device to relearn ARP entries, interrupting user service traffic.

To minimize the preceding impact and accelerate user traffic convergence, run the arp purge slowly command to enable the device to delete dynamic ARP entries after a delay when a VLANIF member interface goes Down.

After the arp purge slowly command is configured, the device does not immediately delete dynamic ARP entries learned by a VLANIF member interface after it goes Down. Instead, it sends ARP probe packets and then deletes or updates ARP entries depending on whether it receives ARP Reply packets within the ARP aging time:
  • If the device does not receive ARP Reply packets, it deletes the dynamic ARP entries.
  • If the device receives ARP Reply packets, it updates ARP entries based on information contained in the ARP Reply packets.

Precautions

To update ARP entries, enabling the MAC address-triggered ARP entry update function is a better alternative to the ARP aging mechanism, because the device learns MAC address entries faster. Therefore, to accelerate user traffic convergence, you are advised to enable ARP entry delayed deletion together with the MAC address-triggered ARP entry update function, which is enabled using the mac-address update arp command.

The arp purge slowly and arp detect-mode unicast commands are mutually exclusive on the same VLANIF interface. If they are both run on the same VLANIF interface, the arp purge slowly command fails to take effect.

Example

# Enable a device to delete dynamic ARP entries after a delay when a member interface of VLANIF 100 goes Down.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp purge slowly

arp scan

Function

The arp scan command configures ARP automatic scanning. This function enables the device to learn ARP entries by sending ARP Request packets to the network segment of the interface IP address.

Format

arp scan [ start-ip-address to end-ip-address ]

Parameters

Parameter | Description | Value
start-ip-address | Specifies the start IP address for ARP automatic scanning. The start IP address must be smaller than or equal to the end IP address. | The value is in dotted decimal notation.
end-ip-address | Specifies the end IP address for ARP automatic scanning. The end IP address must be larger than or equal to the start IP address. | The value is in dotted decimal notation.

Views

VLANIF interface view, GE interface view, GE sub-interface view, 40GE interface view, 40GE sub-interface view, XGE interface view, XGE sub-interface view, Eth-Trunk interface view, or Eth-Trunk sub-interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run the arp scan command to configure ARP automatic scanning so that the device can quickly learn ARP entries of the neighbors in the same network segment.

ARP automatic scanning is used together with fixed ARP. Run the arp scan command to enable the device to obtain dynamic ARP entries from all devices in the network. Then run the arp fixup command to configure the device to convert the obtained dynamic ARP entries to static ARP entries to prevent network attacks.

Prerequisites

If an Ethernet interface works in Layer 2 mode, run the undo portswitch command to switch the interface to Layer 3 mode.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support switching between Layer 2 and Layer 3 modes.

Precautions

  • The start and end IP addresses for ARP automatic scanning must be in the same network segment with the IP address of the interface, and the start IP address must be smaller than or equal to the end IP address.
  • If the IP address range is not specified, the device scans only the neighbors within the same network segment as the primary IP address of the interface.
  • The device does not scan the IP addresses in ARP entries.
  • ARP automatic scanning consumes a large number of system resources. You are advised to perform scanning when the resource usage is low and avoid other operations during scanning.
  • A VLAN must be configured on a sub-interface, and only one VLAN can be configured.
  • Automatic ARP scanning takes a long time if there is a large number of neighbors within the same network segment as the primary IP address of the interface. You can press Ctrl+C to stop scanning. The device generates dynamic ARP entries based on the ARP Reply packets received from neighbors before you stop the scanning. You can run the display arp dynamic command in any view to check all the dynamic ARP entries that the device has learned.

Example

# Enable ARP automatic scanning.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp scan
Warning: This operation may take a long time, press CTRL+C to break. Continue?[Y/N]:y

arp send-packet

Function

The arp send-packet command configures the ARP unicast probe function.

Format

arp send-packet ip-address mac-address interface interface-type interface-number[.subinterface-number ] [ vid vid [ cevid cevid ] ]

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the cevid and subinterface-number parameters.

Parameters

Parameter | Description | Value
ip-address | Specifies the destination IP address of a unicast ARP Request packet. | The value is in dotted decimal notation.
mac-address | Specifies the destination MAC address of a unicast ARP Request packet. | The value is in the H-H-H format. An H contains 1 to 4 hexadecimal digits. The value cannot be set to FFFF-FFFF-FFFF.
interface interface-type interface-number[.subinterface-number ] | Specifies the outbound interface for a unicast ARP Request packet. interface-type specifies the interface type; interface-number specifies the interface number; subinterface-number specifies the sub-interface number. | -
vid vid | Specifies the outer VLAN tag of a unicast ARP Request packet. | The value is an integer that ranges from 1 to 4094.
cevid cevid | Specifies the inner VLAN tag of a unicast ARP Request packet. | The value is an integer that ranges from 1 to 4094.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The arp send-packet command triggers the device to send a unicast ARP Request packet to the user with the specified IP address and MAC address. You can determine whether the peer exists by checking whether the device receives an ARP Reply packet from the peer.
  • If the device receives an ARP Reply packet from the peer, the peer exists. The device then generates or updates the ARP entry based on the ARP Reply packet.
  • If the device does not receive an ARP Reply packet from the peer, the peer does not exist. The device does not generate an ARP entry in this case.

Example

# Configure the device to send a unicast ARP Request packet with the destination IP address 10.10.10.1 and destination MAC address 5489-98f4-786e from VLANIF 100.

<HUAWEI> arp send-packet 10.10.10.1 5489-98f4-786e interface vlanif 100

arp static

Function

The arp static command configures a static ARP entry.

The undo arp static command deletes a static ARP entry.

By default, the ARP table is empty and address mappings are obtained using dynamic ARP.

Format

arp static ip-address mac-address [ vpn-instance vpn-instance-name ]

arp static ip-address mac-address interface interface-type interface-number[.subinterface-number ]

arp static ip-address mac-address vid vlan-id [ cevid ce-vid ] interface interface-type interface-number[.subinterface-number ]

undo arp static ip-address [ mac-address ] [ vpn-instance vpn-instance-name ]

undo arp static ip-address mac-address interface interface-type interface-number[.subinterface-number ]

undo arp static ip-address [ mac-address ] vid vlan-id [ cevid ce-vid ] interface interface-type interface-number[.subinterface-number ]

NOTE:

Only the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support vpn-instance vpn-instance-name.

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support cevid ce-vid and subinterface-number.

Parameters

Parameter | Description | Value
ip-address | Specifies the IP address in a static ARP entry. | The value is in dotted decimal notation.
mac-address | Specifies the MAC address in a static ARP entry. | The value is in the H-H-H format. An H contains 1 to 4 hexadecimal digits.
vpn-instance vpn-instance-name | Specifies the name of a VPN instance. NOTE: After the name of a VPN instance is specified, the device can automatically learn the outbound interface, with no need for specifying it. | The value must be an existing VPN instance name.
interface interface-type interface-number[.subinterface-number ] | Specifies the outbound interface in a static ARP entry. interface-type specifies the interface type; interface-number specifies the interface number; subinterface-number specifies the sub-interface number. NOTE: If the IP address corresponding to the specified ARP entry belongs to the VPN, an outbound interface cannot be specified. | -
vid vlan-id | Specifies the ID of the VLAN to which a static ARP entry belongs. | The value is an integer that ranges from 1 to 4094.
cevid ce-vid | Specifies the inner VLAN ID. | The value is an integer that ranges from 1 to 4094.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Dynamic ARP can leave networks vulnerable to ARP spoofs or attacks (when malicious devices send falsified ARP messages to link an attacker's MAC address with the IP address of a legitimate device). As a result, ARP entries may be incorrectly learned. However, if a static ARP entry is configured on a device, the device can communicate with the peer device using only the specified MAC address. Network attackers cannot modify the mapping between the IP and MAC addresses using ARP packets, ensuring communication between the two devices.

Static ARP entries are applicable when:
  • Networks contain critical devices such as servers. Network attackers cannot update the ARP entries containing IP addresses of the critical devices on the switch using ARP attack packets, ensuring communication between users and the critical devices.
  • Networks contain user devices with multicast MAC addresses. By default, a device does not learn ARP entries when the source MAC addresses of received ARP packets are multicast MAC addresses.
  • A network administrator wants to prevent an IP address from accessing devices. The network administrator binds the IP address to an unavailable MAC address.

An ARP entry includes the IP address, the MAC address, and the outbound interface as well as the outer and inner VLAN tags. The switch can add two VLAN tags to the packets according to the ARP entry during packet forwarding.

Precautions

When you configure a static ARP entry, note that:
  • When the outbound interface is a Layer 2 Ethernet interface, run the arp static ip-address mac-address vid vlan-id [ cevid ce-vid ] interface interface-type interface-number [.subinterface-number ] command.

    When a static ARP entry is configured for a QinQ termination sub-interface, vid specified in this command must be the same as pe-vid in the qinq termination pe-vid ce-vid command, and cevid in this command must be within the value range of ce-vid in the qinq termination pe-vid ce-vid command.

  • When the outbound interface is a Layer 3 Ethernet interface, run the arp static ip-address mac-address interface interface-type interface-number command.
  • When the VPN instance mapping the ARP entries needs to be specified, run the arp static ip-address mac-address vpn-instance vpn-instance-name command.
  • When short static ARP entries need to be configured (for example, if the device is connected to an NLB cluster and multi-interface ARP is used), run the arp static ip-address mac-address command.

The IP address specified by ip-address must be in the same network segment as the IP address of the outbound interface specified by interface interface-type interface-number.

If a new static ARP entry duplicates an existing one, the system updates the entry.

You can run the arp static command multiple times to configure static ARP entries one by one, or run the arp scan and arp fixup commands to configure multiple static ARP entries at one time.

Example

# Configure a static ARP entry that maps the IP address 10.0.0.1 to the MAC address aaaa-fccc-1212.

<HUAWEI> system-view
[HUAWEI] arp static 10.0.0.1 aaaa-fccc-1212

# Configure a static ARP entry that maps the IP address 10.1.1.1 to the MAC address 0efc-0505-86e3. This entry belongs to VLAN 10 and its outbound interface is GE0/0/1.

<HUAWEI> system-view
[HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vid 10 interface gigabitethernet 0/0/1

# Configure a static ARP entry that maps the IP address 10.1.1.1 to the MAC address 0efc-0505-86e3. This entry belongs to the VPN instance vpn1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] quit
[HUAWEI-vpn-instance-vpn1] quit
[HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vpn-instance vpn1 

arp topology-change disable

Function

The arp topology-change disable command disables the device from responding to TC BPDUs. That is, the device does not age or delete ARP entries when receiving TC BPDUs.

The undo arp topology-change disable command enables the device to respond to TC BPDUs.

By default, the device is enabled to respond to TC BPDUs. The device ages or deletes ARP entries when receiving TC BPDUs.

Format

arp topology-change disable

undo arp topology-change disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When STP detects network topology changes, the device sends TC BPDUs to instruct the ARP module to age or delete ARP entries. The device then needs to relearn ARP entries.

If the network topology changes frequently or there are many ARP entries on the network, ARP entry relearning will cause excess ARP packets to be generated. As a result, a large number of system resources are occupied and services are affected. To address this issue, run the arp topology-change disable command to disable the device from responding to TC BPDUs. The device does not age or delete ARP entries even if the network topology changes.

Precautions

After the device is disabled from responding to TC BPDUs using the arp topology-change disable command, it does not age or delete ARP entries when the network topology changes. If the MAC address-triggered ARP entry update function is not enabled, user services may be interrupted because the device does not update the saved ARP entries in real time. In this case, you are advised to run the mac-address update arp command to enable the MAC address-triggered ARP entry update function.

Example

# Disable the device from aging or deleting ARP entries when the network topology changes.

<HUAWEI> system-view
[HUAWEI] arp topology-change disable

arp-miss message-cache disable

Function

The arp-miss message-cache disable command disables the device from packetizing ARP Miss messages.

The undo arp-miss message-cache disable command enables the device to packetize ARP Miss messages.

By default, the device is enabled to packetize ARP Miss messages.

NOTE:

Only the S5720HI supports this command.

Format

arp-miss message-cache disable

undo arp-miss message-cache disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If a host sends an IP packet with an irresolvable destination IP address to the device (there is a routing entry matching the destination IP address but there is no ARP entry matching the next hop of the routing entry), ARP Miss messages are generated on the device. By default, the device packetizes ARP Miss messages and sends them to the CPU, improving the efficiency in processing ARP Miss messages.

When the device is enabled to packetize ARP Miss messages, the device cannot send ICMP Host Unreachable packets or ICMP Redirect packets. To enable the device to send ICMP Host Unreachable packets and ICMP Redirect packets, run the arp-miss message-cache disable command to disable the device from packetizing ARP Miss messages.

Example

# Disable the device from packetizing ARP Miss messages.

<HUAWEI> system-view
[HUAWEI] arp-miss message-cache disable

arp-proxy enable

Function

The arp-proxy enable command enables routed proxy ARP on an interface.

The undo arp-proxy enable command disables routed proxy ARP on an interface.

By default, routed proxy ARP is disabled on an interface.

Format

arp-proxy enable

undo arp-proxy enable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

If the hosts not configured with the default gateways are located on the same network segment but different physical networks (different broadcast domains), you can run the arp-proxy enable command on the device connected to the hosts to enable routed proxy ARP, implementing IP address resolution between the hosts.

Example

# Enable routed proxy ARP on VLANIF 100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp-proxy enable

# Enable routed proxy ARP on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-Gigabitethernet0/0/1] undo portswitch
[HUAWEI-Gigabitethernet0/0/1] arp-proxy enable

arp-proxy inner-sub-vlan-proxy enable

Function

The arp-proxy inner-sub-vlan-proxy enable command enables intra-VLAN proxy ARP.

The undo arp-proxy inner-sub-vlan-proxy enable command disables intra-VLAN proxy ARP.

By default, intra-VLAN proxy ARP is disabled.

Format

arp-proxy inner-sub-vlan-proxy enable

undo arp-proxy inner-sub-vlan-proxy enable

Parameters

None

Views

VLANIF interface view, GE sub-interface view, XGE sub-interface view, 40GE sub-interface view, VE sub-interface view, Eth-Trunk sub-interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When hosts are located on the same network segment and belong to the same VLAN configured with port isolation, you can run the arp-proxy inner-sub-vlan-proxy enable command on the device connected to the hosts to enable intra-VLAN proxy ARP, implementing IP address resolution between the hosts.

Precautions

QinQ interfaces do not support intra-VLAN proxy ARP.

Example

# Enable intra-VLAN proxy ARP on VLANIF 100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp-proxy inner-sub-vlan-proxy enable

arp-proxy inter-sub-vlan-proxy enable

Function

The arp-proxy inter-sub-vlan-proxy enable command enables inter-VLAN proxy ARP or enables proxy ARP on a sub-interface.

The undo arp-proxy inter-sub-vlan-proxy enable command disables inter-VLAN proxy ARP or disables proxy ARP on a sub-interface.

By default, inter-VLAN proxy ARP is disabled.

NOTE:

Only the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support the inter-VLAN proxy ARP.

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support sub-interface.

Format

arp-proxy inter-sub-vlan-proxy enable

undo arp-proxy inter-sub-vlan-proxy enable

Parameters

None

Views

VLANIF interface view, GE sub-interface view, XGE sub-interface view, 40GE sub-interface view, Eth-Trunk sub-interface view, VE sub-interface view

Default Level

2: Configuration level

Usage Guidelines

When hosts are located on the same network segment but belong to different VLANs, you can run the arp-proxy inter-sub-vlan-proxy enable command on interfaces to enable inter-VLAN proxy ARP, implementing IP address resolution between the hosts.

When hosts are located on the same network segment but belong to different sub-VLANs, you can enable inter-VLAN proxy ARP on the VLANIF interface in a super VLAN.

If inter-VLAN proxy ARP is enabled on a sub-interface, the users on the sub-interface who belong to the same network segment but different VLANs can communicate with each other.

Example

# Enable inter-VLAN proxy ARP on VLANIF 100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp-proxy inter-sub-vlan-proxy enable

arp-suppress enable

Function

The arp-suppress enable command enables ARP suppression.

The undo arp-suppress command disables ARP suppression.

By default, ARP suppression is disabled and applicable only to VLANIF interfaces.

Format

arp-suppress enable

undo arp-suppress

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

On a special network or in the case of ARP attacks, the system receives multiple ARP packets with the same source IP address at a time. The system needs to update ARP entries repeatedly. To ensure system performance, you can enable ARP suppression. This function enables the system to only respond to ARP Request packets but not update ARP entries when the system receives multiple ARP packets with the same IP address in one second.

If ARP suppression is enabled for all interfaces, ARP entries on some interfaces cannot be updated temporarily. ARP suppression is applicable only to VLANIF and Eth-Trunk interfaces. By default, ARP suppression always takes effect on VLANIF interfaces. It can be configured on other logical interfaces.

After you run the undo arp-suppress command, ARP suppression is enabled only on VLANIF interfaces.

Example

# Enable ARP suppression.

<HUAWEI> system-view
[HUAWEI] arp-suppress enable

dhcp snooping arp security enable

Function

The dhcp snooping arp security enable command enables the egress ARP inspection (EAI) function.

The undo dhcp snooping arp security enable command disables the EAI function.

By default, EAI is disabled.

Format

dhcp snooping arp security enable

undo dhcp snooping arp security enable

Parameters

None

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

EAI applies to the following scenario: A device is deployed between an upstream Layer 3 switch and user hosts. The user hosts belong to the same VLAN, connect to the network through user-side interfaces of the device, and obtain IP addresses through DHCP.

If the device broadcasts ARP Request packets in the VLAN, the traffic volume in the VLAN increases. To reduce network loads in the VLAN, enable EAI in this VLAN on the device. The EAI function must be used together with DHCP snooping.

After EAI is enabled, the device matches the destination IP address of a received ARP Request packet with DHCP snooping binding entries to determine the outbound interface for the packet.
  • If the destination IP address matches an entry, the device directly sends the packet to the mapping outbound interface. (However, if the outbound interface is the same as the inbound interface of the packet, the device discards the packet.)

  • If the destination IP address does not match an entry, the device determines whether the packet is sent from a trusted interface. (In DHCP snooping, the interfaces connecting the device to the DHCP server are deployed as trusted interfaces.)

    • If the packet is sent from a trusted interface, the device forwards the packet from other trusted interfaces. (If there is no other trusted interface, the device discards the packet.)
    • If the packet is not sent from a trusted interface, the device forwards the packet from a trusted interface.
NOTE:

DHCP snooping allows a physical interface to be configured as a trusted or untrusted interface. The interfaces connected to the authorized DHCP server are configured as trusted interfaces, and other interfaces as untrusted interfaces. After DHCP snooping is enabled, all interfaces are considered as untrusted interfaces by default.

Precautions

Because the EAI function must be used together with the DHCP snooping function, run the dhcp snooping enable command to enable the DHCP snooping function.

After EAI is enabled, the device sends all the received ARP packets to the CPU for software forwarding, which degrades the ARP packet forwarding performance.

The MFF function is implemented based on ARP proxy, whereas the EAI function is implemented based on ARP request packet forwarding. Therefore, the two functions conflict with each other. If you have enabled both MFF and EAI in the same VLAN, the MFF function takes effect.

EAI enabled in a super VLAN does not take effect.

Example

# Enable EAI.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable
[HUAWEI-vlan100] dhcp snooping arp security enable

dhcp snooping arp security isolate-forwarding-trust

Function

The dhcp snooping arp security isolate-forwarding-trust command enables the device to forward ARP packets to trusted interfaces when port isolation is enabled on both inbound and outbound interfaces of the device.

The undo dhcp snooping arp security isolate-forwarding-trust command disables the device from forwarding packets to trusted interfaces.

By default, the device is disabled from forwarding packets to trusted interfaces when port isolation is enabled on both inbound and outbound interfaces of the device.

Format

dhcp snooping arp security isolate-forwarding-trust

undo dhcp snooping arp security isolate-forwarding-trust

Parameters

None

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This function applies to the following scenario: A device is deployed between an upstream Layer 3 switch and user hosts. The user hosts belong to the same VLAN, connect to the network through user-side interfaces of the device, and obtain IP addresses through DHCP. Port isolation is configured on the interfaces of the user hosts and intra-VLAN ARP proxy is configured on the Layer 3 switch. This implements Layer 2 isolation and Layer 3 communication between isolated users in the VLAN.

If EAI is also configured on the device, when receiving an ARP Request packet in which one user host requests the address of another user host, the device matches the destination IP address of the packet with dynamic DHCP snooping binding entries to determine the outbound interface of the packet. If the destination IP address matches an entry, the device directly sends the packet to the destination interface (that is, the interface connected to the requested user host). If the destination interface is isolated from the inbound interface of the packet, the device discards the packet and the isolated users cannot communicate with each other.

To address this problem, run the dhcp snooping arp security isolate-forwarding-trust command. The device then directly forwards the ARP packet to a trusted interface (that is, the interface connected to the Layer 3 switch). In this case, the intra-VLAN ARP proxy function on the Layer 3 switch allows the isolated users to communicate with each other.

Prerequisites

EAI has been enabled using the dhcp snooping arp security enable command.

Example

# Enable the device to forward ARP packets to trusted interfaces in VLAN 100 when port isolation is enabled on both inbound and outbound interfaces of the device.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable
[HUAWEI-vlan100] dhcp snooping arp security enable
[HUAWEI-vlan100] dhcp snooping arp security isolate-forwarding-trust
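
The forwarding decision described for dhcp snooping arp security enable and dhcp snooping arp security isolate-forwarding-trust, written out as a Python model. This is an added example, not Huawei's implementation: the class and field names, the topology, and the single port-isolation group are assumptions, and the model discards an untrusted-side request when no trusted interface is configured, a case the page does not specify.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class Decision:
    action: str                      # "forward" or "discard"
    egress: FrozenSet[str]           # candidate outbound interfaces
    reason: str


@dataclass
class EaiVlan:
    """Hypothetical model of one VLAN with EAI enabled (names are not Huawei's)."""
    bindings: Dict[str, str]         # DHCP snooping binding: host IP -> interface
    trusted: Set[str]                # DHCP snooping trusted interfaces
    isolated: Set[str] = field(default_factory=set)   # ports in one isolation group
    isolate_forwarding_trust: bool = False

    def _to_trusted(self, in_if: str, reason: str) -> Decision:
        # A request is never sent back out of the interface it arrived on.
        egress = frozenset(self.trusted - {in_if})
        if not egress:
            return Decision("discard", egress, reason + "; no other trusted interface")
        return Decision("forward", egress, reason)

    def decide(self, in_if: str, target_ip: str) -> Decision:
        """Decide what happens to an ARP Request for target_ip received on in_if."""
        out_if = self.bindings.get(target_ip)
        if out_if is None:
            side = "trusted" if in_if in self.trusted else "untrusted"
            return self._to_trusted(in_if, f"no binding, {side} ingress")
        if out_if == in_if:
            return Decision("discard", frozenset(), "binding points back at ingress")
        if in_if in self.isolated and out_if in self.isolated:
            if self.isolate_forwarding_trust:
                return self._to_trusted(in_if, "isolated ports, handed to trusted side")
            return Decision("discard", frozenset(), "ingress and egress are isolated")
        return Decision("forward", frozenset({out_if}), "binding match")


def demo_vlan(isolate_forwarding_trust: bool) -> EaiVlan:
    # Constructed topology: two isolated user ports and one uplink to the Layer 3 switch.
    return EaiVlan(
        bindings={"10.1.1.10": "GE0/0/1", "10.1.1.11": "GE0/0/2"},
        trusted={"GE0/0/24"},
        isolated={"GE0/0/1", "GE0/0/2"},
        isolate_forwarding_trust=isolate_forwarding_trust,
    )


if __name__ == "__main__":
    cases = [("GE0/0/1", "10.1.1.11"), ("GE0/0/1", "10.1.1.1"), ("GE0/0/1", "10.1.1.10"),
             ("GE0/0/24", "10.1.1.10"), ("GE0/0/24", "10.1.1.99")]
    for flag in (False, True):
        vlan = demo_vlan(flag)
        print(f"isolate-forwarding-trust={flag}")
        for in_if, ip in cases:
            d = vlan.decide(in_if, ip)
            print(f"  {in_if} requests {ip}: {d.action} {sorted(d.egress)} ({d.reason})")
```

In this model a request for an address that has no DHCP snooping binding is only ever sent to trusted interfaces, so a statically addressed host on a user-side port does not receive ARP Requests from other user-side ports.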

display arp

Function

The display arp command displays all ARP entries.

Format

display arp [ all ]

Parameters

Parameter | Description | Value
all | Displays all ARP entries. | -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check ARP entries mapping a specified IP address. For example, to check ARP entries mapping the IP address 10.1.1.1, run the display arp all | include 10.1.1.1 command.

Example

# Display all ARP entries.

<HUAWEI> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN(SIP/DIP)
------------------------------------------------------------------------------
192.168.50.166  0018-8201-0987            I -         MEth0/0/1
192.168.50.1    5489-98f4-5aeb  20        D-0         MEth0/0/1
192.168.50.165  0000-1382-ca69  19        D-0         MEth0/0/1
192.168.50.171  5489-98d0-2114  19        D-0         MEth0/0/1
------------------------------------------------------------------------------
Total:4         Dynamic:3       Static:0     Interface:1

Table 6-4  Description of the display arp all command output

Item

Description

IP ADDRESS

IP address in the ARP entry.

MAC ADDRESS

MAC address in the ARP entry.

NOTE:
If the value of MAC ADDRESS is Incomplete, the current ARP entry is a temporary one. When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network segment.
  • When a temporary ARP entry is not aged out, before receiving an ARP Reply packet, the device discards the IP packets matching the temporary ARP entry, and no ARP Miss message is triggered.
  • When a temporary ARP entry is not aged out, after receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • After the temporary ARP entry is aged out, the device deletes this entry.

You can run the arp-fake expire-time command to adjust the aging time of the temporary ARP entry.

EXPIRE(M)

Remaining lifetime of the ARP entry, in minutes.

If the remaining lifetime is 0, ARP entry aging probe is to be started. The ARP entry aging time depends on the number of configured aging probe attempts and the number of ARP entries that need to be aged.

TYPE

Entry type and ID of the slot that obtains the entry. The entry type contains 3 bits. The first bit can be any of the following:
  • I: Interface, indicating the MAC address of the interface

  • D: Dynamic, indicating a dynamic ARP entry

  • S: Static, indicating a static ARP entry

The second bit can only be F, indicating that the ARP entry has been reported to the routing module, the route to this IP address has been calculated, and the entry in the FIB table has been updated. If the entry is not reported to the routing module, this field displays -. For the ARP entry with the type as I, this flag bit does not exist.

NOTE:

VLANIF interfaces and sub-interfaces for VLAN tag termination (including QinQ termination sub-interfaces and Dot1q termination sub-interfaces) report learned ARP entries to the routing module to generate 32-bit host routes (routes destined for complete host addresses). The host routes are accurate and can be used for packet forwarding, which is needed because the forwarding model of these two types of interfaces requires accurate forwarding paths. The outbound interfaces of VLANIF interface routes are VLANIF interfaces. VLANIF interfaces are virtual interfaces that may correspond to multiple physical interfaces, and as a result, such routes cannot be used for packet forwarding. Therefore, the VLANIF interfaces report learned ARP entries to the routing module to generate host routes. Sub-interfaces for VLAN tag termination may correspond to multiple VLANs, and the forwarding model requires that packets be sent to a specified VLAN. Therefore, the sub-interfaces for VLAN tag termination also report learned ARP entries to the routing module to generate host routes.

The third bit indicates the ID of the slot that obtains the entry. For the ARP entry with the type as I or S, this field displays -.

INTERFACE

Type and number of the interface that has learned ARP entries.

VPN-INSTANCE

Name of the VPN instance to which the ARP entry belongs.

To configure the VPN instance name, run the ip vpn-instance command.

NOTE:

Only the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this parameter.

VLAN/CEVLAN

ID of the VLAN/CEVLAN to which the ARP entry belongs.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the CEVLAN parameter.

In a VXLAN network, SIP and DIP indicate the source and destination IP addresses of a tunnel.

NOTE:

Only the S5720HI, S6720EI, and S6720S-EI support SIP/DIP.

Total

Total number of ARP entries.

Dynamic

Number of dynamic ARP entries.

Static

Number of static ARP entries.

Interface

Number of ARP entries for the interface.

display arp dynamic

Function

The display arp dynamic command displays dynamic ARP entries.

Format

display arp dynamic [ vlan vlan-id ]

Parameters

Parameter

Description

Value

vlan vlan-id

Displays the dynamic ARP entries learned in a specified VLAN.

If this parameter is not specified, all the dynamic ARP entries learned by the device are displayed.

The value is an integer that ranges from 1 to 4094.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display arp dynamic command to check dynamic ARP entries.

Example

# Display all dynamic ARP entries.
<HUAWEI> display arp dynamic
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE      
                                          VLAN/CEVLAN(SIP/DIP)
------------------------------------------------------------------------------
192.168.50.166  0018-8201-0987            I -  MEth0/0/1
192.168.50.1    5489-98f4-5aeb  13        D-0  MEth0/0/1
192.168.50.165  0000-1382-ca69  19        D-0  MEth0/0/1
192.168.50.171  5489-98d0-2114  12        D-0  MEth0/0/1
------------------------------------------------------------------------------
Total:4         Dynamic:3       Static:0     Interface:1
Table 6-5  Description of the display arp dynamic command output

Item

Description

IP ADDRESS

IP address in the ARP entry.

MAC ADDRESS

MAC address in the ARP entry.

NOTE:
If the value of MAC ADDRESS is Incomplete, the current ARP entry is a temporary one. When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network segment.
  • When a temporary ARP entry is not aged out, before receiving an ARP Reply packet, the device discards the IP packets matching the temporary ARP entry, and no ARP Miss message is triggered.
  • When a temporary ARP entry is not aged out, after receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • After the temporary ARP entry is aged out, the device deletes this entry.

You can run the arp-fake expire-time command to adjust the aging time of the temporary ARP entry.

EXPIRE(M)

Remaining lifetime of the ARP entry, in minutes.

If the remaining lifetime is 0, ARP entry aging probe is to be started. The ARP entry aging time depends on the number of configured aging probe attempts and the number of ARP entries that need to be aged.

TYPE

Entry type and ID of the slot that obtains the entry. The entry type contains 3 bits. The first bit can be any of the following:
  • I: Interface, indicating the MAC address of the interface

  • D: Dynamic, indicating a dynamic ARP entry

  • S: Static, indicating a static ARP entry

The second bit can only be F, indicating that the ARP entry has been reported to the routing module, the route to this IP address has been calculated, and the entry in the FIB table has been updated. If the entry is not reported to the routing module, this field displays -. For the ARP entry with the type as I, this flag bit does not exist.

NOTE:

VLANIF interfaces and sub-interfaces for VLAN tag termination (including QinQ termination sub-interfaces and Dot1q termination sub-interfaces) on devices report learned ARP entries to the routing module to generate 32-bit host routes (routes destined for complete host addresses). The host routes are accurate and can be used for packet forwarding, which matters because the forwarding model of these two types of interfaces requires accurate forwarding paths. The outbound interface of a VLANIF interface route is the VLANIF interface itself, a virtual interface that may correspond to multiple physical interfaces, so such a route cannot be used for packet forwarding. Therefore, VLANIF interfaces report learned ARP entries to the routing module to generate host routes. Sub-interfaces for VLAN tag termination may correspond to multiple VLANs, and the forwarding model requires that packets be sent to a specified VLAN. Therefore, these sub-interfaces also report learned ARP entries to the routing module to generate host routes.

The third bit indicates the ID of the slot that obtains the entry. For the ARP entry with the type as I or S, this field displays -.

INTERFACE

Type and number of the interface that has learned ARP entries.

VPN-INSTANCE

Name of the VPN instance to which the ARP entry belongs.

To configure the VPN instance name, run the ip vpn-instance command.

NOTE:

Only the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this parameter.

VLAN/CEVLAN

ID of the VLAN/CEVLAN to which the ARP entry belongs.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the CEVLAN parameter.

In a VXLAN network, SIP and DIP indicate the source and destination IP addresses of a tunnel.

NOTE:

Only the S5720HI, S6720EI, and S6720S-EI support SIP/DIP.

Total

Total number of ARP entries.

Dynamic

Number of dynamic ARP entries.

Static

Number of static ARP entries.

Interface

Number of ARP entries for the interface.
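
The TYPE decoding and the Incomplete note described above, as an added Python example (not Huawei's code) for reviewing a saved display arp capture: it splits TYPE into entry kind, FIB flag and slot, checks the rows against the Total line, and lists Incomplete entries and MAC addresses shared by several dynamic entries. The sample is constructed in the page's layout; its last two rows, the adjusted Total line, and the finding names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the page's examples. The first four
# rows are the page's; the last two rows (shared MAC, Incomplete) and the
# adjusted Total line are invented for illustration.
SAMPLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN(SIP/DIP)
------------------------------------------------------------------------------
192.168.50.166  0018-8201-0987            I -  MEth0/0/1
192.168.50.1    5489-98f4-5aeb  13        D-0  MEth0/0/1
192.168.50.165  0000-1382-ca69  19        D-0  MEth0/0/1
192.168.50.171  5489-98d0-2114  12        D-0  MEth0/0/1
192.168.50.172  5489-98d0-2114  20        DF0  MEth0/0/1
192.168.50.180  Incomplete      1         D-0  MEth0/0/1
------------------------------------------------------------------------------
Total:6         Dynamic:5       Static:0     Interface:1
"""

ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4}|Incomplete)\s+"
    r"(?:(?P<expire>\d+)\s+)?"  # empty for interface and static entries
    r"(?P<kind>[IDS])(?P<fib>[F\- ])(?P<slot>\d+|-)"
    r"(?:\s+(?P<interface>\S+))?(?:\s+(?P<vpn>\S+))?\s*$"
)
KINDS = {"I": "interface", "D": "dynamic", "S": "static"}


def parse_arp_table(text):
    """Return (entries, summary) from display arp style output."""
    entries, summary = [], {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            e = m.groupdict()
            e["kind"] = KINDS[e["kind"]]
            e["expire"] = int(e["expire"]) if e["expire"] else None
            e["in_fib"] = e.pop("fib") == "F"  # F: reported to the routing module
            entries.append(e)
        elif line.startswith("Total:"):
            summary = {k.lower(): int(v)
                       for k, v in re.findall(r"(\w+):(\d+)", line)}
    return entries, summary


def review(entries, summary):
    """List findings worth a closer look; names are this example's own."""
    findings = []
    counts = {"total": len(entries), "dynamic": 0, "static": 0, "interface": 0}
    for e in entries:
        counts[e["kind"]] += 1
    # A mismatch usually means the capture was truncated or paginated.
    for key, want in summary.items():
        if counts.get(key) != want:
            findings.append(("summary-mismatch", key, want, counts.get(key)))
    by_mac = defaultdict(list)
    for e in entries:
        if e["mac"] == "Incomplete":
            findings.append(("incomplete", e["ip"]))
        elif e["kind"] == "dynamic":
            # Interface entries legitimately share the switch's own MAC,
            # so only learned (dynamic) entries are compared.
            by_mac[e["mac"].lower()].append(e["ip"])
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", mac, tuple(ips)))
    return findings


if __name__ == "__main__":
    parsed, totals = parse_arp_table(SAMPLE)
    for finding in review(parsed, totals):
        print(finding)
```

A shared MAC among dynamic entries is not proof of spoofing: routers doing proxy ARP and multi-homed hosts produce the same pattern, so treat it as a prompt to check the port and VLAN.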

display arp error packet

Function

The display arp error packet command displays the last 10 ARP error packets received.

Format

display arp error packet

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When the device cannot learn ARP entries, you can run this command to check the last received ARP error packets. The ARP error packets help locate the fault.

Example

# Display the last 10 ARP error packets received.

<HUAWEI> display arp error packet
--------------------------------------------------                              
 [interface = Vlanif10, time = 2010-05-24 20:34:53]:                            
 00 01 08 00 06 04 00 01 00 25 9E 4B 1F 75 0A 8A                                
 4E 02 00 00 00 00 00 00 0A 8A 4E FF 00 00 00 00                                
 00 00 00 00 00 00 FF FF FF FF FF FF 00 25                                      
--------------------------------------------------                              
 [interface = Vlanif10, time = 2010-05-24 20:34:54]:                            
 00 01 08 00 06 04 00 01 00 13 72 FD E7 1C 0A 8A                                
 4E 98 00 00 00 00 00 00 0A 8A 4E 30 00 00 00 00                                
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                
--------------------------------------------------                              
 [interface = Vlanif10, time = 2010-05-24 20:34:55]:                            
 00 01 08 00 06 04 00 01 00 13 72 9B 21 A7 0A 8A                                
 4E 82 00 00 00 00 00 00 0A 8A 4E 01 00 00 00 00                                
 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                      
--------------------------------------------------                              
 [interface = Vlanif10, time = 2010-05-24 20:35:05]:                            
 00 01 08 00 06 04 00 01 00 13 72 9B 21 A7 0A 8A                                
 4E 82 00 00 00 00 00 00 0A 8A 4E 01 00 00 00 00                                
 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                      
--------------------------------------------------                              
 [interface = Vlanif10, time = 2010-05-24 20:35:05]:                            
 00 01 08 00 06 04 00 01 00 E0 FC 8F B2 DD 0A 8A                                
 4E 01 00 00 00 00 00 00 0A 8A 4F FA 00 00 00 00                                
 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                      
--------------------------------------------------                              
 [interface = Vlanif10, time = 2010-05-24 20:35:08]:                            
 00 01 08 00 06 04 00 01 00 0F E2 5C 8C EA AC 12                                
 3E FE 00 00 00 00 00 00 AC 12 3E FE 00 00 00 00                                
 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                      
--------------------------------------------------                              
 [interface = Vlanif10, time = 2010-05-24 20:35:11]:                            
 00 01 08 00 06 04 00 01 00 1B B9 78 25 2E 0A 8A                                
 4E A5 00 00 00 00 00 00 0A 8A 4E 2D 00 00 00 00                                
 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                      
--------------------------------------------------                              
 [interface = Vlanif10, time = 2010-05-24 20:35:15]:                            
 00 01 08 00 06 04 00 01 00 13 72 9B 21 A7 0A 8A                                
 4E 82 00 00 00 00 00 00 0A 8A 4E 01 00 00 00 00                                
 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                      
--------------------------------------------------                              
 [interface = Vlanif10, time = 2010-05-24 20:35:19]:                            
 00 01 08 00 06 04 00 01 00 13 72 9B 21 A7 0A 8A                                
 4E 82 00 00 00 00 00 00 0A 8A 4E 01 00 00 00 00                                
 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                      
--------------------------------------------------                              
 [interface = Vlanif10, time = 2010-05-24 20:35:22]:                            
 00 01 08 00 06 04 00 01 00 E0 FC 8F B2 DD 0A 8A                                
 4E 01 00 00 00 00 00 00 0A 8A 4F FA 00 00 00 00                                
 00 00 00 00 00 00 00 00 00 00 00 00 00 00        
Table 6-6  Description of the display arp error packet command output

Item

Description

interface

Interface name.

time

Time when an ARP error packet is received.
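
An added Python example (not part of the Huawei reference) that decodes a saved display arp error packet capture into ARP header fields. It assumes each dump starts at the ARP header, which the leading 00 01 08 00 06 04 bytes in the sample output suggest; the first two records are copied from the example above, the third is constructed, and the notes are generic ARP sanity checks rather than the switch's own error criteria, which the page does not state.

```python
import ipaddress
import re
import struct

# Records 1 and 2 are taken from the page's example output; record 3 is a
# constructed, truncated packet added to exercise the length check.
SAMPLE = """\
--------------------------------------------------
 [interface = Vlanif10, time = 2010-05-24 20:34:53]:
 00 01 08 00 06 04 00 01 00 25 9E 4B 1F 75 0A 8A
 4E 02 00 00 00 00 00 00 0A 8A 4E FF 00 00 00 00
 00 00 00 00 00 00 FF FF FF FF FF FF 00 25
--------------------------------------------------
 [interface = Vlanif10, time = 2010-05-24 20:35:08]:
 00 01 08 00 06 04 00 01 00 0F E2 5C 8C EA AC 12
 3E FE 00 00 00 00 00 00 AC 12 3E FE 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------------------------------------------------
 [interface = Vlanif10, time = 2010-05-24 20:35:09]:
 00 01 08 00 06 04 00 02 FF FF FF FF FF FF 0A 8A
 4E 07
"""

HEADER = re.compile(
    r"\[interface = (?P<interface>[^,\]]+), time = (?P<time>[^\]]+)\]")
HEXLINE = re.compile(r"(?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2}")


def huawei_mac(raw):
    """Format 6 bytes the way the page's ARP tables show MACs."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def decode_arp(data):
    """Decode an Ethernet/IPv4 ARP payload (RFC 826 layout)."""
    if len(data) < 8:
        return {"notes": ["truncated before the fixed ARP header"]}
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", data[:8])
    out = {"htype": htype, "ptype": ptype, "oper": oper, "notes": []}
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        out["notes"].append("not Ethernet/IPv4 ARP")
        return out
    if len(data) < 28:
        out["notes"].append("truncated address fields")
        return out
    sha, spa, tha, tpa = data[8:14], data[14:18], data[18:24], data[24:28]
    out.update(
        sender_mac=huawei_mac(sha), sender_ip=str(ipaddress.IPv4Address(spa)),
        target_mac=huawei_mac(tha), target_ip=str(ipaddress.IPv4Address(tpa)),
    )
    if oper not in (1, 2):
        out["notes"].append("opcode is neither request (1) nor reply (2)")
    if sha[0] & 1:
        out["notes"].append("sender MAC is a broadcast/multicast address")
    if sha == bytes(6):
        out["notes"].append("sender MAC is all zeros")
    if spa == tpa:
        out["notes"].append("sender IP equals target IP (gratuitous ARP)")
    if spa == bytes(4):
        out["notes"].append("sender IP is 0.0.0.0 (ARP probe)")
    return out


def parse_error_packets(text):
    """Split the command output into records and decode each hex dump."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.search(line)
        if m:
            records.append({**m.groupdict(), "raw": bytearray()})
        elif records and HEXLINE.fullmatch(line):
            records[-1]["raw"] += bytes.fromhex(line)
    return [
        {"interface": r["interface"], "time": r["time"],
         "length": len(r["raw"]), **decode_arp(bytes(r["raw"]))}
        for r in records
    ]


if __name__ == "__main__":
    for rec in parse_error_packets(SAMPLE):
        print(rec)
```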

display arp interface

Function

The display arp interface command displays ARP entries for a specified interface.

Format

display arp interface interface-type interface-number[.subinterface-number ]

Parameters

Parameter

Description

Value

interface-type interface-number[.subinterface-number ]

Specifies the type and number of an interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
  • subinterface-number specifies the sub-interface number.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the subinterface-number parameter.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display arp interface command to view contents of ARP entries when you need to monitor dynamic ARP entries or locate the faults in ARP.

Example

# Display all ARP entries for VLANIF 10.

<HUAWEI> display arp interface Vlanif 10
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  
                                          VLAN/CEVLAN(SIP/DIP)                  
------------------------------------------------------------------------------  
10.1.0.1        00e0-0987-7890            I -         Vlanif10                  
------------------------------------------------------------------------------  
Total:1         Dynamic:0       Static:0     Interface:1 
Table 6-7  Description of the display arp interface command output

Item

Description

IP ADDRESS

IP address in the ARP entry.

MAC ADDRESS

MAC address in the ARP entry.

NOTE:
If the value of MAC ADDRESS is Incomplete, the current ARP entry is a temporary one. When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network segment.
  • When a temporary ARP entry is not aged out, before receiving an ARP Reply packet, the device discards the IP packets matching the temporary ARP entry, and no ARP Miss message is triggered.
  • When a temporary ARP entry is not aged out, after receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • After the temporary ARP entry is aged out, the device deletes this entry.

You can run the arp-fake expire-time command to adjust the aging time of the temporary ARP entry.

EXPIRE(M)

Remaining lifetime of the ARP entry, in minutes.

If the remaining lifetime is 0, ARP entry aging probe is to be started. The ARP entry aging time depends on the number of configured aging probe attempts and the number of ARP entries that need to be aged.

TYPE

Entry type and ID of the slot that obtains the entry. The entry type contains 3 bits. The first bit can be any of the following:
  • I: Interface, indicating the MAC address of the interface

  • D: Dynamic, indicating a dynamic ARP entry

  • S: Static, indicating a static ARP entry

The second bit can only be F, indicating that the ARP entry has been reported to the routing module, the route to this IP address has been calculated, and the entry in the FIB table has been updated. If the entry is not reported to the routing module, this field displays -. For the ARP entry with the type as I, this flag bit does not exist.

NOTE:

VLANIF interfaces and sub-interfaces for VLAN tag termination (including QinQ termination sub-interfaces and Dot1q termination sub-interfaces) on devices report learned ARP entries to the routing module to generate 32-bit host routes (routes destined for complete host addresses). The host routes are accurate and can be used for packet forwarding, which matters because the forwarding model of these two types of interfaces requires accurate forwarding paths. The outbound interface of a VLANIF interface route is the VLANIF interface itself, a virtual interface that may correspond to multiple physical interfaces, so such a route cannot be used for packet forwarding. Therefore, VLANIF interfaces report learned ARP entries to the routing module to generate host routes. Sub-interfaces for VLAN tag termination may correspond to multiple VLANs, and the forwarding model requires that packets be sent to a specified VLAN. Therefore, these sub-interfaces also report learned ARP entries to the routing module to generate host routes.

The third bit indicates the ID of the slot that obtains the entry. For the ARP entry with the type as I or S, this field displays -.

INTERFACE

Type and number of the interface that has learned ARP entries.

VPN-INSTANCE

Name of the VPN instance to which the ARP entry belongs.

To configure the VPN instance name, run the ip vpn-instance command.

NOTE:

Only the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this parameter.

VLAN/CEVLAN

ID of the VLAN/CEVLAN to which the ARP entry belongs.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the CEVLAN parameter.

In a VXLAN network, SIP and DIP indicate the source and destination IP addresses of a tunnel.

NOTE:

Only the S5720HI, S6720EI, and S6720S-EI support SIP/DIP.

Total

Total number of ARP entries.

Dynamic

Number of dynamic ARP entries.

Static

Number of static ARP entries.

Interface

Number of ARP entries for the interface.

display arp ip-conflict track

Function

The display arp ip-conflict track command displays records of detected IP address conflicts.

Format

display arp ip-conflict track

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

IP address conflicts on a network will result in frequent route flapping on the device and greatly affect user services.

To quickly locate the conflicting IP addresses and better manage device IP addresses, you can run the display arp ip-conflict track command to check records about IP address conflicts detected.

Precautions

To make the display arp ip-conflict track command take effect, you must first run the arp ip-conflict-detect enable command in the system view to enable IP address conflict detection.

Example

# Display records about IP address conflicts detected.

<HUAWEI> display arp ip-conflict track
    Conflict type       : Remote IP Confilct    
    IP address          : 10.1.1.1
    System time         : 2013-04-07 11:22:29
    Conflict count      : 1                        
    Suppress count      : 0
    Old interface       : GE0/0/1                 
    Receive interface   : GE0/0/2
    Old VLAN/CEVLAN     : 100/0                      
    Receive VLAN/CEVLAN : 100/0
    Old MAC             : 00e0-ca63-8141           
    Receive MAC         : 00e0-ca63-8142
Table 6-8  Description of the display arp ip-conflict track command output

Item

Description

Conflict type

-

IP address

Conflicting IP address.

System time

System time when an IP address conflict occurs.

Conflict count

Number of IP address conflicts.

NOTE:
If the ARP entry mapping the IP address is aged or deleted, this field is set to zero.

Suppress count

Number of IP address conflict suppressions.

NOTE:
If the ARP entry mapping the IP address is aged or deleted, this field is set to zero.

Old interface

Interface recorded in the ARP entry mapping the IP address before a conflict.

Receive interface

Interface that receives the ARP packet during a conflict.

Old VLAN/CEVLAN

VLAN and CE VLAN recorded in the ARP entry mapping the IP address before a conflict.

Receive VLAN/CEVLAN

VLAN and CE VLAN that receive ARP packets during a conflict.

Old MAC

MAC address recorded in the ARP entry mapping the IP address before a conflict.

Receive MAC

Source MAC address in the ARP packet received during a conflict.
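
An added Python example (not Huawei's code) that parses saved display arp ip-conflict track output and compares the Old and Receive fields of each record to show what changed, listing the busiest conflicts first. The first record is the page's example; the second record, the assumption that every record starts at a Conflict type line, and the verdict labels are constructed for illustration.

```python
# Record 1 is the page's example output (including the device's own spelling
# of the conflict type); record 2 is constructed to show a port move with an
# unchanged MAC.
SAMPLE = """\
    Conflict type       : Remote IP Confilct
    IP address          : 10.1.1.1
    System time         : 2013-04-07 11:22:29
    Conflict count      : 1
    Suppress count      : 0
    Old interface       : GE0/0/1
    Receive interface   : GE0/0/2
    Old VLAN/CEVLAN     : 100/0
    Receive VLAN/CEVLAN : 100/0
    Old MAC             : 00e0-ca63-8141
    Receive MAC         : 00e0-ca63-8142

    Conflict type       : Remote IP Confilct
    IP address          : 10.1.1.7
    System time         : 2013-04-07 11:25:02
    Conflict count      : 4
    Suppress count      : 2
    Old interface       : GE0/0/3
    Receive interface   : GE0/0/4
    Old VLAN/CEVLAN     : 100/0
    Receive VLAN/CEVLAN : 100/0
    Old MAC             : 00e0-ca63-8150
    Receive MAC         : 00e0-ca63-8150
"""

PAIRED_FIELDS = ("interface", "VLAN/CEVLAN", "MAC")


def parse_conflicts(text):
    """Split the output into one dict per conflict record."""
    records, current = [], None
    for line in text.splitlines():
        # Only the first colon separates key and value; the timestamp in
        # "System time" contains further colons.
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Conflict type":  # assumed to open every record
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def changed_fields(record):
    """Names of the Old/Receive pairs whose values differ."""
    changed = []
    for name in PAIRED_FIELDS:
        old, new = record.get(f"Old {name}"), record.get(f"Receive {name}")
        if old is not None and new is not None and old.lower() != new.lower():
            changed.append(name)
    return changed


def triage(records):
    """Summarise each record; verdict labels are this example's own."""
    rows = []
    for rec in records:
        changed = changed_fields(rec)
        if "MAC" in changed:
            # Two different hardware addresses answered for one IP:
            # a duplicate address assignment or forged ARP traffic.
            verdict = "two-macs-one-ip"
        elif changed:
            # Same host seen on another port or VLAN: a move or a loop.
            verdict = "same-mac-moved"
        else:
            verdict = "no-visible-change"
        rows.append({
            "ip": rec.get("IP address"),
            "time": rec.get("System time"),
            "count": int(rec.get("Conflict count", "0")),
            "changed": changed,
            "verdict": verdict,
        })
    return sorted(rows, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    for row in triage(parse_conflicts(SAMPLE)):
        print(row)
```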

display arp network

Function

The display arp network command displays ARP entries of a specified network segment.

Format

display arp network net-number [ net-mask | mask-length ] [ dynamic | static ]

Parameters

Parameter

Description

Value

net-number

Specifies the network ID.

The value is in dotted decimal notation.

net-mask

Specifies the subnet mask.

This value is in dotted decimal notation.

mask-length

Specifies the mask length.

The value is an integer that ranges from 1 to 32.

dynamic

Displays dynamic ARP entries of a specified network segment.

-

static

Displays static ARP entries of a specified network segment.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display arp network command to check ARP entries of a specified network segment.

Example

# Display all ARP entries of the network segment with network ID 10.10.0.0 and subnet mask 255.255.0.0.

<HUAWEI> display arp network 10.10.0.0 255.255.0.0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN(SIP/DIP)
------------------------------------------------------------------------------
10.10.20.9      0018-2000-0083            I -         Vlanif10
10.10.10.6      0018-2000-0083            I -         Vlanif20
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:0     Interface:2               
Table 6-9  Description of the display arp network command output

Item

Description

IP ADDRESS

IP address in the ARP entry.

MAC ADDRESS

MAC address in the ARP entry.

NOTE:
If the value of MAC ADDRESS is Incomplete, the current ARP entry is a temporary one. When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network segment.
  • When a temporary ARP entry is not aged out, before receiving an ARP Reply packet, the device discards the IP packets matching the temporary ARP entry, and no ARP Miss message is triggered.
  • When a temporary ARP entry is not aged out, after receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • After the temporary ARP entry is aged out, the device deletes this entry.

You can run the arp-fake expire-time command to adjust the aging time of the temporary ARP entry.

EXPIRE(M)

Remaining lifetime of the ARP entry, in minutes.

If the remaining lifetime is 0, ARP entry aging probe is to be started. The ARP entry aging time depends on the number of configured aging probe attempts and the number of ARP entries that need to be aged.

TYPE

Entry type and ID of the slot that obtains the entry. The entry type contains 3 bits. The first bit can be any of the following:
  • I: Interface, indicating the MAC address of the interface

  • D: Dynamic, indicating a dynamic ARP entry

  • S: Static, indicating a static ARP entry

The second bit can only be F, indicating that the ARP entry has been reported to the routing module, the route to this IP address has been calculated, and the entry in the FIB table has been updated. If the entry is not reported to the routing module, this field displays -. For the ARP entry with the type as I, this flag bit does not exist.

NOTE:

VLANIF interfaces and sub-interfaces for VLAN tag termination (including QinQ termination sub-interfaces and Dot1q termination sub-interfaces) on devices report learned ARP entries to the routing module to generate 32-bit host routes (routes destined for complete host addresses). The host routes are accurate and can be used for packet forwarding, which matters because the forwarding model of these two types of interfaces requires accurate forwarding paths. The outbound interface of a VLANIF interface route is the VLANIF interface itself, a virtual interface that may correspond to multiple physical interfaces, so such a route cannot be used for packet forwarding. Therefore, VLANIF interfaces report learned ARP entries to the routing module to generate host routes. Sub-interfaces for VLAN tag termination may correspond to multiple VLANs, and the forwarding model requires that packets be sent to a specified VLAN. Therefore, these sub-interfaces also report learned ARP entries to the routing module to generate host routes.

The third bit indicates the ID of the slot that obtains the entry. For the ARP entry with the type as I or S, this field displays -.

INTERFACE

Type and number of the interface that has learned ARP entries.

VPN-INSTANCE

Name of the VPN instance to which the ARP entry belongs.

To configure the VPN instance name, run the ip vpn-instance command.

NOTE:

Only the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this parameter.

VLAN/CEVLAN

ID of the VLAN/CEVLAN to which the ARP entry belongs.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the CEVLAN parameter.

In a VXLAN network, SIP and DIP indicate the source and destination IP addresses of a tunnel.

NOTE:

Only the S5720HI, S6720EI, and S6720S-EI support SIP/DIP.

Total

Total number of ARP entries.

Dynamic

Number of dynamic ARP entries.

Static

Number of static ARP entries.

Interface

Number of ARP entries for the interface.

display arp packet statistics

Function

The display arp packet statistics command displays the statistics on ARP packets.

Format

display arp packet statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To locate and rectify ARP faults, you can run this command to view the statistics on ARP packets.

This command displays the ARP packet statistics on the active switch in a stack system.

Example

# Display the statistics on ARP packets.

<HUAWEI> display arp packet statistics
ARP Pkt Received: sum 420066 
ARP Received In Message-cache: sum 0 
ARP-Miss Msg Received: sum 0 
ARP Learnt Count: sum 5 
ARP Pkt Discard For Limit: sum 0 
ARP Pkt Discard For SpeedLimit: sum 0 
ARP Pkt Discard For Proxy Suppress: sum 179578 
ARP Pkt Discard For Other: sum 90347 
ARP-Miss Msg Discard For SpeedLimit: sum 0 
ARP Discard In Message-cache For SpeedLimit: sum 0 
ARP-Miss Msg Discard For Other: sum 0
Table 6-10  Description of the display arp packet statistics command output

Item

Description

ARP Pkt Received

Number of received ARP packets.

ARP Received In Message-cache

Number of ARP packets received within each second when a switch encapsulates multiple ARP request packets into one packet.

ARP-Miss Msg Received

Total number of ARP Miss messages triggered by ARP Miss packets sent to the CPU.

ARP Learnt Count

Number of times ARP learning has occurred.

ARP Pkt Discard For Limit

Number of ARP packets discarded due to the ARP entry limit.

To configure the maximum number of dynamic ARP entries that an interface can learn, run the arp-limit command.

ARP Pkt Discard For SpeedLimit

Number of ARP packets discarded when the number of ARP packets from a specified source IP address exceeds the limit.

To configure a rate limit for ARP packets based on the source IP address, run the arp speed-limit source-ip command.

ARP Pkt Discard For Proxy Suppress

Number of packets discarded for the speed limit.

ARP Pkt Discard For Other

Number of packets discarded due to other causes.

ARP-Miss Msg Discard For SpeedLimit

Number of ARP Miss messages discarded when the number of ARP Miss messages triggered by IP packets from a specified source IP address exceeds the limit.

ARP Discard In Message-cache For SpeedLimit

Number of ARP packets discarded due to software rate limit when a switch encapsulates multiple ARP request packets into one packet.

To configure a rate limit for ARP Miss messages based on the source IP address, run the arp-miss speed-limit source-ip command.

ARP-Miss Msg Discard For Other

Number of ARP Miss messages discarded due to other causes.

display arp static

Function

The display arp static command displays all static ARP entries.

Format

display arp static

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display arp static command to check static ARP entries.

You can run the arp static command multiple times to configure static ARP entries one by one, or run the arp scan and arp fixup commands to configure multiple static ARP entries at one time.

Example

# Display all static ARP entries.
<HUAWEI> display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  
                                          VLAN/CEVLAN(SIP/DIP)
------------------------------------------------------------------------------
10.1.2.1        0023-0045-0067            S--
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:1     Interface:0
Table 6-11  Description of the display arp static command output

Item

Description

IP ADDRESS

IP address in the ARP entry.

MAC ADDRESS

MAC address in the ARP entry.

NOTE:
If the value of MAC ADDRESS is Incomplete, the current ARP entry is a temporary one. When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network segment.
  • When a temporary ARP entry is not aged out, before receiving an ARP Reply packet, the device discards the IP packets matching the temporary ARP entry, and no ARP Miss message is triggered.
  • When a temporary ARP entry is not aged out, after receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • After the temporary ARP entry is aged out, the device deletes this entry.

You can run the arp-fake expire-time command to adjust the aging time of the temporary ARP entry.

EXPIRE(M)

Remaining lifetime of the ARP entry, in minutes.

If the remaining lifetime is 0, ARP entry aging probe is to be started. The ARP entry aging time depends on the number of configured aging probe attempts and the number of ARP entries that need to be aged.

TYPE

Entry type and ID of the slot that obtains the entry. The entry type contains 3 bits. The first bit can be any of the following:
  • I: Interface, indicating the MAC address of the interface

  • D: Dynamic, indicating a dynamic ARP entry

  • S: Static, indicating a static ARP entry

The second bit can only be F, indicating that the ARP entry has been reported to the routing module, the route to this IP address has been calculated, and the entry in the FIB table has been updated. If the entry is not reported to the routing module, this field displays -. For the ARP entry with the type as I, this flag bit does not exist.

NOTE:

VLANIF interfaces and sub-interfaces for VLAN tag termination (including QinQ termination sub-interfaces and Dot1q termination sub-interfaces) on devices report learned ARP entries to the routing module to generate 32-bit host routes (routes destined for complete host addresses). The host routes are accurate and can be used for packet forwarding, which matters because the forwarding model of these two types of interfaces requires accurate forwarding paths. The outbound interface of a VLANIF interface route is the VLANIF interface itself, a virtual interface that may correspond to multiple physical interfaces, so such a route cannot be used for packet forwarding. Therefore, VLANIF interfaces report learned ARP entries to the routing module to generate host routes. Sub-interfaces for VLAN tag termination may correspond to multiple VLANs, and the forwarding model requires that packets be sent to a specified VLAN. Therefore, these sub-interfaces also report learned ARP entries to the routing module to generate host routes.

The third bit indicates the ID of the slot that obtains the entry. For the ARP entry with the type as I or S, this field displays -.

INTERFACE

Type and number of the interface that has learned ARP entries.

VPN-INSTANCE

Name of the VPN instance to which the ARP entry belongs.

To configure the VPN instance name, run the ip vpn-instance command.

NOTE:

Only the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this parameter.

VLAN/CEVLAN

ID of the VLAN/CEVLAN to which the ARP entry belongs.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the CEVLAN parameter.

In a VXLAN network, SIP and DIP indicate the source and destination IP addresses of a tunnel.

NOTE:

Only the S5720HI, S6720EI, and S6720S-EI support SIP/DIP.

Total

Total number of ARP entries.

Dynamic

Number of dynamic ARP entries.

Static

Number of static ARP entries.

Interface

Number of ARP entries for the interface.

display arp statistics

Function

The display arp statistics command displays ARP entry statistics.

Format

display arp statistics { all | interface interface-type interface-number }

Parameters

Parameter Description Value
all Displays ARP entry statistics of the device. -
interface interface-type interface-number Displays ARP entry statistics of a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To monitor ARP entries or locate the faults in ARP, you can run the display arp statistics command to check ARP entry statistics.

Example

# Display ARP entry statistics.

<HUAWEI> display arp statistics all
Dynamic:1       Static:0

Table 6-12 Description of the display arp statistics all command output

Item

Description

Dynamic

Number of dynamic ARP entries.

Static

Number of static ARP entries.

display arp status

Function

The display arp status command displays the delivery status of ARP entries on a device.

Format

display arp status ip-address [ vpn-instance vpn-instance-name ] slot slot-id

NOTE:

Only the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support vpn-instance vpn-instance-name.

Parameters

Parameter Description Value
ip-address Specifies an IP address. The value is in dotted decimal notation.
vpn-instance vpn-instance-name Specifies the name of a VPN instance.

The value must be an existing VPN instance name.

slot slot-id Specifies a slot ID. Set the value according to the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display arp status command to check the delivery status of ARP entries with a specified IP address on a device.

Example

# Display the delivery status of ARP entries on card 0.

<HUAWEI> display arp status 10.137.216.1 slot 0
TYPE : D - Dynamic, I - Interface, S - Static                                                                                       
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE                                                      
                                          VLAN/CEVLAN                    STATE                                                             
------------------------------------------------------------------------------                                                      
10.137.216.1    0000-5e00-0149  20        D-0         GE0/0/1                                                                      
                                          4094/-                    Available                                                         
------------------------------------------------------------------------------

Table 6-13 Description of the display arp status command output

Item

Description

IP ADDRESS

IP address in the ARP entry.

MAC ADDRESS

MAC address in the ARP entry.

NOTE:
If the value of MAC ADDRESS is Incomplete, the current ARP entry is a temporary one. When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network segment.
  • When a temporary ARP entry is not aged out, before receiving an ARP Reply packet, the device discards the IP packets matching the temporary ARP entry, and no ARP Miss message is triggered.
  • When a temporary ARP entry is not aged out, after receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • After the temporary ARP entry is aged out, the device deletes this entry.

You can run the arp-fake expire-time command to adjust the aging time of the temporary ARP entry.

EXPIRE(M)

Remaining lifetime of the ARP entry, in minutes.

If the remaining lifetime is 0, ARP entry aging probe is to be started. The ARP entry aging time depends on the number of configured aging probe attempts and the number of ARP entries that need to be aged.

TYPE

Entry type and ID of the slot that obtains the entry. The entry type contains 3 bits. The first bit can be any of the following:
  • I: Interface, indicating the MAC address of the interface

  • D: Dynamic, indicating a dynamic ARP entry

  • S: Static, indicating a static ARP entry

The second bit can only be F, indicating that the ARP entry has been reported to the routing module, the route to this IP address has been calculated, and the entry in the FIB table has been updated. If the entry is not reported to the routing module, this field displays -. For the ARP entry with the type as I, this flag bit does not exist.

NOTE:

VLANIF interfaces and sub-interfaces for VLAN tag termination (including QinQ termination sub-interfaces and Dot1q termination sub-interfaces) on devices report learned ARP entries to the routing module to generate 32-bit host routes (routes destined for complete host addresses). The host routes are accurate and can be used for packet forwarding, which matters because the forwarding model of the two types of interfaces requires accurate forwarding paths. The outbound interfaces of VLANIF interface routes are VLANIF interfaces, which are virtual interfaces that may correspond to multiple physical interfaces; as a result, such routes cannot be used for packet forwarding. Therefore, the VLANIF interfaces report learned ARP entries to the routing module to generate host routes. Sub-interfaces for VLAN tag termination may correspond to multiple VLANs, and the forwarding model requires that packets be sent to a specified VLAN. Therefore, the sub-interfaces for VLAN tag termination also report learned ARP entries to the routing module to generate host routes.

The third bit indicates the ID of the slot that obtains the entry. For the ARP entry with the type as I or S, this field displays -.

INTERFACE

Type and number of the interface that has learned ARP entries.

VPN-INSTANCE

Name of the VPN instance to which the ARP entry belongs.

To configure the VPN instance name, run the ip vpn-instance command.

NOTE:

Only the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this parameter.

VLAN/CEVLAN

ID of the VLAN/CEVLAN to which the ARP entry belongs.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the CEVLAN parameter.

STATE

Whether the ARP entry has been delivered to the chip.

  • Available: The ARP entry has been delivered to the chip.

  • Unavailable: The ARP entry has not been delivered to the chip.

display arp track

Function

The display arp track command displays changes of outbound interfaces in ARP entries learned by a VLANIF interface.

Format

display arp track

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

If the outbound interfaces change in ARP entries learned by a VLANIF interface, traffic may be interrupted. In this case, run the display arp track command to check changes of outbound interfaces and the change time.

Precautions

After the display arp track command is executed, changes of ARP entries are displayed in the following situations:
  • Outbound interfaces in dynamic ARP entries learned by the VLANIF interface change to other interfaces.

  • Outbound interfaces of static ARP entries in which no outbound interface is specified change to other interfaces.

  • Dynamic ARP entries or static ARP entries in which no VLAN ID and outbound interface are specified are deleted.

Changes of ARP entries cannot be displayed in the following situations:
  • ARP entries change on a non-VLANIF interface.

  • New ARP entries are learned.

  • The VLAN ID and outbound interface are manually specified in static ARP entries.

Example

# Display changes of outbound interfaces in ARP entries.

<HUAWEI> display arp track
Operate Flags: M - Modify, D - Delete 
---------------------------------------------------------------------------
Op IP-Address  MAC-Address     VLAN   Old-Port   New-Port   System-Time
---------------------------------------------------------------------------
M  10.1.1.1    0001-0001-0001  1000   GE0/0/1    GE0/0/2    08-19 12:10:12
D  10.2.1.100  0003-0003-0003  300               GE0/0/3    08-19 12:12:12

Table 6-14 Description of the display arp track command output

Item

Description

Op

Operation code.
  • M: Modify, indicating that the outbound interface changes.

  • D: Delete, indicating that the ARP entry is deleted.

IP-Address

IP address in the ARP entry

MAC-Address

MAC address in the ARP entry

VLAN

ID of the VLAN to which the VLANIF interface belongs.

Old-Port

Original outbound interface in the ARP entry.

New-Port

New outbound interface in the ARP entry.

System-Time

System time when the outbound interface changes.
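
The following Python example is added here and is not part of the Huawei documentation. It parses display arp track output by the header's column offsets (Old-Port is blank in the D row, so splitting on whitespace would shift the fields) and lists ARP entries whose outbound interface changed repeatedly. The function names, the min_moves threshold and the last two sample rows are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first two data rows are the page's example output;
# the last two rows are invented here to show one entry moving repeatedly.
SAMPLE = """\
Operate Flags: M - Modify, D - Delete
---------------------------------------------------------------------------
Op IP-Address  MAC-Address     VLAN   Old-Port   New-Port   System-Time
---------------------------------------------------------------------------
M  10.1.1.1    0001-0001-0001  1000   GE0/0/1    GE0/0/2    08-19 12:10:12
D  10.2.1.100  0003-0003-0003  300               GE0/0/3    08-19 12:12:12
M  10.1.1.1    0001-0001-0001  1000   GE0/0/2    GE0/0/1    08-19 12:13:40
M  10.1.1.1    0001-0001-0001  1000   GE0/0/1    GE0/0/2    08-19 12:14:05
"""


def parse_arp_track(text):
    """Parse `display arp track` output into a list of dicts keyed by column name.

    Fields are sliced at the header's column offsets instead of being split on
    whitespace, because Old-Port may be empty and System-Time contains a space.
    """
    lines = text.splitlines()
    header = next((l for l in lines if l.startswith("Op ")), None)
    if header is None:
        return []
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    records = []
    for line in lines[lines.index(header) + 1:]:
        rec = {}
        for n, (name, start) in enumerate(cols):
            end = cols[n + 1][1] if n + 1 < len(cols) else None
            rec[name] = line[start:end].strip()
        if rec["Op"] in ("M", "D"):  # skips separator and blank lines
            records.append(rec)
    return records


def port_moves(records, min_moves=2):
    """Return {(ip, vlan): [port path]} for entries modified at least min_moves times.

    min_moves is an assumed threshold; tune it to what is normal on the network.
    """
    paths = defaultdict(list)
    for r in records:
        if r["Op"] != "M":
            continue
        key = (r["IP-Address"], r["VLAN"])
        if not paths[key]:
            paths[key].append(r["Old-Port"])
        paths[key].append(r["New-Port"])
    return {k: p for k, p in paths.items() if len(p) - 1 >= min_moves}


if __name__ == "__main__":
    for (ip, vlan), path in port_moves(parse_arp_track(SAMPLE)).items():
        print(f"{ip} (VLAN {vlan}): {' -> '.join(path)}")
```
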

display arp vpn-instance

Function

The display arp vpn-instance command displays ARP entries of a specified VPN instance.

NOTE:

Only the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Format

display arp vpn-instance vpn-instance-name [ dynamic | static ]

Parameters

Parameter Description Value
vpn-instance-name Specifies the VPN instance name.

The value must be an existing VPN instance name.

dynamic Displays dynamic ARP entries. -
static Displays static ARP entries. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display arp vpn-instance command to check ARP entries of a specified VPN instance.

Example

# Check all ARP entries learned by the VPN instance r1.

<HUAWEI> display arp vpn-instance r1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN(SIP/DIP)
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -         Vlanif10       r1
192.168.1.1     0000-0a41-0200  12        D-0         Vlanif10       r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1                

Table 6-15 Description of the display arp vpn-instance command output

Item

Description

IP ADDRESS

IP address in the ARP entry.

MAC ADDRESS

MAC address in the ARP entry.

NOTE:
If the value of MAC ADDRESS is Incomplete, the current ARP entry is a temporary one. When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network segment.
  • When a temporary ARP entry is not aged out, before receiving an ARP Reply packet, the device discards the IP packets matching the temporary ARP entry, and no ARP Miss message is triggered.
  • When a temporary ARP entry is not aged out, after receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • After the temporary ARP entry is aged out, the device deletes this entry.

You can run the arp-fake expire-time command to adjust the aging time of the temporary ARP entry.

EXPIRE(M)

Remaining lifetime of the ARP entry, in minutes.

If the remaining lifetime is 0, ARP entry aging probe is to be started. The ARP entry aging time depends on the number of configured aging probe attempts and the number of ARP entries that need to be aged.

TYPE

Entry type and ID of the slot that obtains the entry. The entry type contains 3 bits. The first bit can be any of the following:
  • I: Interface, indicating the MAC address of the interface

  • D: Dynamic, indicating a dynamic ARP entry

  • S: Static, indicating a static ARP entry

The second bit can only be F, indicating that the ARP entry has been reported to the routing module, the route to this IP address has been calculated, and the entry in the FIB table has been updated. If the entry is not reported to the routing module, this field displays -. For the ARP entry with the type as I, this flag bit does not exist.

NOTE:

VLANIF interfaces and sub-interfaces for VLAN tag termination (including QinQ termination sub-interfaces and Dot1q termination sub-interfaces) on devices report learned ARP entries to the routing module to generate 32-bit host routes (routes destined for complete host addresses). The host routes are accurate and can be used for packet forwarding, which matters because the forwarding model of the two types of interfaces requires accurate forwarding paths. The outbound interfaces of VLANIF interface routes are VLANIF interfaces, which are virtual interfaces that may correspond to multiple physical interfaces; as a result, such routes cannot be used for packet forwarding. Therefore, the VLANIF interfaces report learned ARP entries to the routing module to generate host routes. Sub-interfaces for VLAN tag termination may correspond to multiple VLANs, and the forwarding model requires that packets be sent to a specified VLAN. Therefore, the sub-interfaces for VLAN tag termination also report learned ARP entries to the routing module to generate host routes.

The third bit indicates the ID of the slot that obtains the entry. For the ARP entry with the type as I or S, this field displays -.

INTERFACE

Type and number of the interface that has learned ARP entries.

VPN-INSTANCE

Name of the VPN instance to which the ARP entry belongs.

To configure the VPN instance name, run the ip vpn-instance command.

NOTE:

Only the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this parameter.

VLAN/CEVLAN

ID of the VLAN/CEVLAN to which the ARP entry belongs.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the CEVLAN parameter.

In a VXLAN network, SIP and DIP indicate the source and destination IP addresses of a tunnel.

NOTE:

Only the S5720HI, S6720EI, and S6720S-EI support SIP/DIP.

Total

Total number of ARP entries.

Dynamic

Number of dynamic ARP entries.

Static

Number of static ARP entries.

Interface

Number of ARP entries for the interface.
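
The following Python example is added here and is not part of the Huawei documentation. It decodes the three-position TYPE field described above (entry type, F flag, slot ID), marks temporary entries whose MAC ADDRESS is Incomplete, and checks the parsed rows against the Total/Dynamic/Static/Interface summary line. The function names are assumptions, and the 192.168.1.20 and 192.168.1.30 rows are constructed for illustration.

```python
import re

# Constructed sample: the two rows for 192.168.1.11 and 192.168.1.1 follow the
# page's example; the 192.168.1.20 row (temporary entry) and the 192.168.1.30
# row (F flag plus a VLAN continuation line) are invented for illustration.
SAMPLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN(SIP/DIP)
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -         Vlanif10       r1
192.168.1.1     0000-0a41-0200  12        D-0         Vlanif10       r1
192.168.1.20    Incomplete      1         D-0         Vlanif10       r1
192.168.1.30    0000-0a41-0230  7         DF0         Vlanif10       r1
                                          10/-
------------------------------------------------------------------------------
Total:4         Dynamic:3       Static:0    Interface:1
"""

ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>\S+)\s+(?P<expire>\d*)\s+"
    r"(?P<kind>[IDS])(?P<flag>[F\- ])(?P<slot>\S+)\s+(?P<iface>\S+)"
    r"(?:\s+(?P<vpn>\S+))?\s*$"
)
CONT = re.compile(r"^\s+(?P<vlan>\d+)/(?P<cevlan>\S+)")
SUMMARY = re.compile(r"Total:(\d+)\s+Dynamic:(\d+)\s+Static:(\d+)\s+Interface:(\d+)")
KIND = {"I": "interface", "D": "dynamic", "S": "static"}


def parse_arp_table(text):
    """Return (entries, summary) parsed from display arp style output."""
    entries, summary = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            e = m.groupdict()
            e["kind"] = KIND[e["kind"]]
            # Position 2: F = reported to the routing module, '-' = not
            # reported, blank for interface entries (the flag does not exist).
            e["reported_to_routing"] = {"F": True, "-": False}.get(e.pop("flag"))
            e["slot"] = None if e["slot"] == "-" else e["slot"]
            e["expire"] = int(e["expire"]) if e["expire"] else None
            e["temporary"] = e["mac"] == "Incomplete"
            e["vlan"] = None
            entries.append(e)
            continue
        c = CONT.match(line)
        if c and entries:
            # The VLAN/CEVLAN value is printed on the line after its entry.
            entries[-1]["vlan"] = c.group("vlan")
            continue
        s = SUMMARY.search(line)
        if s:
            keys = ("total", "dynamic", "static", "interface")
            summary = dict(zip(keys, map(int, s.groups())))
    return entries, summary


def audit(entries, summary):
    """Cross-check parsed rows against the summary and list notable entries."""
    counts = {"dynamic": 0, "static": 0, "interface": 0}
    for e in entries:
        counts[e["kind"]] += 1
    counts["total"] = len(entries)
    return {
        "summary_matches": summary == counts,
        "temporary": [e["ip"] for e in entries if e["temporary"]],
        "host_routes": [e["ip"] for e in entries if e["reported_to_routing"]],
    }


if __name__ == "__main__":
    print(audit(*parse_arp_table(SAMPLE)))
```
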

display mac-address multiport

Function

The display mac-address multiport command displays MAC address entries configured for multiple outbound interfaces.

Format

display mac-address multiport mac-address vlan vlan-id

display mac-address multiport [ vlan vlan-id ] [ total-number ]

NOTE:

Only the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Parameters

Parameter Description Value
mac-address Specifies a MAC address. The value is in the H-H-H format. An H contains 1 to 4 hexadecimal digits.
vlan vlan-id Specifies a VLAN. The value is an integer that ranges from 1 to 4094.
total-number Specifies the number of MAC address entries mapping multiple outbound interfaces. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display mac-address multiport command to check MAC address entries configured for multiple outbound interfaces. If no parameter is specified, all MAC address entries configured for multiple outbound interfaces are displayed. To configure MAC address entries mapping multiple outbound interfaces, run the mac-address multiport interface or mac-address multiport command.

Example

# Display MAC address entries configured for multiple outbound interfaces in VLAN 10.

<HUAWEI> display mac-address multiport vlan 10
--------------------------------------------------------------------------------                                                    
MAC Address       VLANID    Out-Interface               Status                                                                      
--------------------------------------------------------------------------------                                                    
0023-0045-0078    10        GigabitEthernet0/0/1        Active                                                                      
                                            1 port(s)                                                                               
--------------------------------------------------------------------------------                                                    
 Total Group(s) : 1  

Table 6-16 Description of the display mac-address multiport command output

Item

Description

MAC Address

-

VLANID

VLAN that the outbound interface mapping the destination MAC address belongs to.

Out-Interface

Outbound interface mapping the destination MAC address.

Status

Current VLAN status, including:
  • InActive: indicates that no VLAN is created or a VLAN is created but no physical interface is added to the VLAN.
  • Active: indicates that a VLAN has been created and physical interfaces are added to the VLAN.

Total Group(s)

Total number of MAC address entries mapping multiple outbound interfaces.

display snmp-agent trap feature-name arp all

Function

The display snmp-agent trap feature-name arp all command displays all traps of the ARP module.

Format

display snmp-agent trap feature-name arp all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The Simple Network Management Protocol (SNMP) is a network management standard protocol widely used on TCP/IP networks. It uses a central computer (a network management station) that runs network management software to manage network elements. The management agent running on a network element can proactively report traps to the management station. In this case, the management station can obtain the network status in real time, helping the network administrator take immediate measures.

After running the snmp-agent trap enable feature-name arp command to enable or disable the trap function of the ARP module, you can run the display snmp-agent trap feature-name arp all command to check all traps of the ARP module.

Example

# Display all traps of the ARP module.

<HUAWEI> display snmp-agent trap feature-name arp all
------------------------------------------------------------------------------                                                      
Feature name: ARP                                                                                                                   
Trap number : 4                                                                                                                     
------------------------------------------------------------------------------                                                      
Trap name                       Default switch status   Current switch status                                                       
hwEthernetARPSpeedLimitAlarm    on                      on                                                                          
hwEthernetARPThresholdExceedAlarm                                                                                                   
                                on                      on                                                                          
hwEthernetARPThresholdResumeAlarm                                                                                                   
                                on                      on                                                                          
hwEthernetARPIPConflictEvent    on                      on 

Table 6-17 Description of the display snmp-agent trap feature-name arp all command output

Item

Description

Feature name

Name of the module that a trap belongs to.

Trap number

Number of traps.

Trap name

Name of a trap. Traps of the ARP module include:
  • hwEthernetARPSpeedLimitAlarm: indicates that the rate of ARP packets exceeds the upper limit (non-excessive trap).
  • hwEthernetARPThresholdExceedAlarm: indicates that the number of ARP entries exceeds the threshold.
  • hwEthernetARPThresholdResumeAlarm: indicates that the hwEthernetARPThresholdExceedAlarm trap is cleared.
  • hwEthernetARPIPConflictEvent: indicates that IP addresses conflict.

Default switch status

Default status of a trap. The value can be:
  • on: The trap is enabled.
  • off: The trap is disabled.

Current switch status

Current status of a trap. The value can be:
  • on: The trap is enabled.
  • off: The trap is disabled.

l2-topology detect enable

Function

The l2-topology detect enable command enables Layer 2 topology detection.

The undo l2-topology detect enable command disables Layer 2 topology detection.

By default, Layer 2 topology detection is disabled.

Format

l2-topology detect enable

undo l2-topology detect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the l2-topology detect enable command is executed, all ARP entries mapping the VLAN to which the Layer 2 interface belongs are updated if the Layer 2 interface turns Up.

NOTE:

When an active/standby switchover is performed in a stack, all ARP entries mapping the VLAN to which the Layer 2 interface belongs are updated.

Example

# Enable Layer 2 topology detection.

<HUAWEI> system-view
[HUAWEI] l2-topology detect enable

mac-address multiport

Function

The mac-address multiport command configures MAC address entries mapping multiple outbound interfaces in the interface view.

The undo mac-address multiport command deletes the MAC address entries mapping multiple outbound interfaces in the interface view.

By default, no MAC address entries on the device map multiple outbound interfaces.

Format

mac-address multiport mac-address vlan vlan-id

undo mac-address multiport mac-address vlan vlan-id

NOTE:

Only the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Parameters

Parameter Description Value
mac-address Specifies a MAC address. The value is in the H-H-H format. An H contains 1 to 4 hexadecimal digits.
vlan vlan-id Specifies a VLAN that interfaces belong to. The value is an integer that ranges from 1 to 4094.

Views

GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The servers in an NLB server cluster use the same IP address (cluster IP address) and MAC address (cluster MAC address). When a device functioning as the access gateway connects to the NLB server cluster, the device needs to send the packet destined to the cluster IP address to each server in the cluster. In this case, run the mac-address multiport or mac-address multiport interface command to configure MAC address entries mapping multiple outbound interfaces, and run the arp static command to configure short static ARP entries. By configuring short static ARP entries, you can determine the MAC address and VLAN mapping the cluster IP address. Query the MAC address table based on the MAC address and VLAN to determine multiple outbound interfaces, and then connect the interfaces to the NLB server cluster.

Precautions

The VLAN specified in the mac-address multiport command cannot be a MAC VLAN, super VLAN, leased line VLAN, or control VLAN of Smart Ethernet Protection (SEP) and Rapid Ring Protection Protocol (RRPP).

On the S5720EI, S5720HI, S6720EI, and S6720S-EI, when the outbound interfaces are Eth-Trunk interfaces, you must run the unknown-unicast load-balance enhanced command to configure the load balancing mode for unknown unicast traffic on the interfaces. Otherwise, the configuration is invalid.

Example

# Configure entries of the destination MAC address 03bf-2100-2200 mapping multiple outbound interfaces in VLAN 100 on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-address multiport 03bf-2100-2200 vlan 100

# Configure entries of the destination MAC address 03bf-2100-2200 mapping multiple outbound interfaces in VLAN 100 on Eth-Trunk 6.

<HUAWEI> system-view
[HUAWEI] unknown-unicast load-balance enhanced
[HUAWEI] interface eth-trunk 6
[HUAWEI-Eth-Trunk6] mac-address multiport 03bf-2100-2200 vlan 100

mac-address multiport interface

Function

The mac-address multiport interface command configures MAC address entries mapping multiple outbound interfaces in the system view.

The undo mac-address multiport interface command deletes the MAC address entries mapping multiple outbound interfaces in the system view.

By default, no MAC address entries on the device map multiple outbound interfaces.

Format

mac-address multiport mac-address interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-10> vlan vlan-id

undo mac-address multiport mac-address interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-10> vlan vlan-id

undo mac-address multiport { all | [ mac-address ] vlan vlan-id }

NOTE:

Only the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

Parameters

Parameter Description Value
mac-address Specifies a MAC address. The value is in the H-H-H format. An H contains 1 to 4 hexadecimal digits.
interface-type interface-number1 [ to interface-type interface-number2 ] Specifies the interface type and number.
  • interface-type specifies the interface type.
  • interface-number1 specifies the first interface number mapping a MAC address entry.
  • interface-number2 specifies the last interface number mapping a MAC address entry. The value of interface-number2 must be greater than that of interface-number1, and interface-number1 and interface-number2 determine an interface range.
-
vlan vlan-id Specifies a VLAN that interfaces belong to. The value is an integer that ranges from 1 to 4094.
all Specifies all MAC address entries mapping multiple outbound interfaces. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The servers in an NLB server cluster use the same IP address (cluster IP address) and MAC address (cluster MAC address). When a device functioning as the access gateway connects to the NLB server cluster, the device needs to send the packet destined to the cluster IP address to each server in the cluster. In this case, run the mac-address multiport interface or mac-address multiport command to configure MAC address entries mapping multiple outbound interfaces, and run the arp static command to configure short static ARP entries. By configuring short static ARP entries, you can determine the MAC address and VLAN mapping the cluster IP address. Query the MAC address table based on the MAC address and VLAN to determine multiple outbound interfaces, and then connect the interfaces to the NLB server cluster.

Precautions

The VLAN specified in the mac-address multiport interface command cannot be a MAC VLAN, super VLAN, leased line VLAN, or control VLAN of Smart Ethernet Protection (SEP) and Rapid Ring Protection Protocol (RRPP).

On the S5720EI, S5720HI, S6720EI, and S6720S-EI, when the outbound interfaces are Eth-Trunk interfaces, you must run the unknown-unicast load-balance enhanced command to configure the load balancing mode for unknown unicast traffic on the interfaces. Otherwise, the configuration is invalid.

On the S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, and S6720S-SI, when the outbound interfaces are Eth-Trunk interfaces, you must run the load-balance command to configure load balancing based on IP addresses. Otherwise, the configuration is invalid.

Example

# Configure entries of the destination MAC address 02bf-2100-2200 mapping the outbound interfaces GE0/0/1-GE0/0/4 in VLAN 100.

<HUAWEI> system-view
[HUAWEI] mac-address multiport 02bf-2100-2200 interface gigabitethernet 0/0/1 to gigabitethernet 0/0/4 vlan 100

# Configure entries of the destination MAC address 02bf-2100-2200 mapping the outbound interfaces Eth-Trunk 4-Eth-Trunk 6 in VLAN 10.

<HUAWEI> system-view
[HUAWEI] unknown-unicast load-balance enhanced
[HUAWEI] mac-address multiport 02bf-2100-2200 interface eth-trunk 4 to eth-trunk 6 vlan 10

reset arp

Function

The reset arp command clears ARP entries and related packet statistics.

Format

reset arp { dynamic [ ip ip-address [ vpn-instance vpn-instance-name ] ] | interface interface-type interface-number[.subinterface-number ] [ ip ip-address ] | static }

NOTE:

Only the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support vpn-instance vpn-instance-name.

Parameters

Parameter Description Value
dynamic Clears dynamic ARP entries. -
interface interface-type interface-number Specifies the interface type and number.
  • interface-type specifies the type of the interface.
  • interface-number specifies the number of the interface.
-
subinterface-number Specifies the number of a sub-interface. The value is an integer that ranges from 1 to 4096.
ip ip-address Clears dynamic ARP entries with a specified IP address. The value is in dotted decimal notation.
vpn-instance vpn-instance-name Specifies the VPN instance name.

The value must be an existing VPN instance name.

static Static ARP entries cannot be restored after being cleared. Exercise caution when you clear static ARP entries. -

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an attacked device learns a large number of invalid ARP entries, ARP entries of valid users may fail to be saved and these users may fail to access the network. The reset arp command can be used to delete ARP entries. After that, the device relearns ARP entries to ensure that users can access the network.

To delete ARP entries based on a certain IP address, you can run the reset arp dynamic ip ip-address [ vpn-instance vpn-instance-name ] or reset arp interface interface-type interface-number[.subinterface-number ] ip ip-address command.

Precautions

  • The reset arp command deletes mappings between IP addresses and MAC addresses. As a result, users may fail to access some network devices and services may be interrupted.

  • The minimum interval for running the command (only the reset arp command in which ip ip-address is not specified) to clear ARP entries is 20 seconds.

Example

# Clear dynamic ARP entries.

<HUAWEI> reset arp dynamic

# Clear dynamic ARP entries of VLANIF 100.

<HUAWEI> reset arp interface vlanif 100

# Clear the dynamic ARP entry corresponding to the IP address 10.1.1.1 in the VPN instance vpn1.

<HUAWEI> reset arp dynamic ip 10.1.1.1 vpn-instance vpn1

reset arp packet statistics

Function

The reset arp packet statistics command clears the statistics on ARP packets.

Format

reset arp packet statistics

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

You can run the display arp packet statistics command to display the statistics on ARP packets. To obtain correct statistics, run the reset arp packet statistics command to clear existing statistics first.

The reset arp packet statistics command clears the ARP packet statistics on the active switch in a stack system.

Example

# Clear the statistics on all ARP packets.

<HUAWEI> reset arp packet statistics

snmp-agent trap enable feature-name arp

Function

The snmp-agent trap enable feature-name arp command enables the trap function for the ARP module.

The undo snmp-agent trap enable feature-name arp command disables the trap function for the ARP module.

By default, the trap function is enabled for the ARP module.

Format

snmp-agent trap enable feature-name arp [ trap-name trap-name ]

undo snmp-agent trap enable feature-name arp [ trap-name trap-name ]

Parameters

Parameter Description Value
trap-name trap-name Specifies the trap for an event of the ARP module.
  • hwethernetarpspeedlimitalarm: indicates that the rate of ARP packets exceeds the upper limit.
  • hwethernetarpthresholdexceedalarm: indicates that the number of ARP entries exceeds the threshold.
  • hwethernetarpthresholdresumealarm: indicates that the hwethernetarpthresholdexceedalarm trap is cleared.
  • hwethernetarpipconflictevent: indicates that IP addresses conflict.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If trap-name is not specified when you run the snmp-agent trap enable feature-name arp command, all the trap functions of the ARP module are enabled.

Example

# Enable the trap indicating that the rate of ARP packets exceeds the upper limit.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name arp trap-name hwethernetarpspeedlimitalarm

undo arp learning ip-network-cross enable

Function

The undo arp learning ip-network-cross enable command disables inter-network segment ARP learning on interfaces.

By default, inter-network segment ARP learning is disabled on interfaces.

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this command.

Format

undo arp learning ip-network-cross enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If the system software of a switch is upgraded from V200R005C00 or a later version to V200R010C00SPC600 or a later version, inter-network segment ARP learning is enabled on interfaces by default. If you run the display this include-default command in the system view after the configuration is restored, the command output includes arp learning ip-network-cross enable.

In Figure 6-3, loop prevention protocols have been configured on the switches. Switch can learn the ARP entry containing the IP address 172.16.2.20 of interface IF6 on SwitchB through interface IF2. After proxy ARP is enabled on SwitchA, Switch can learn ARP entries on another network segment, and interface IF1 on Switch can learn the ARP entry containing the IP address 172.16.2.20 of interface IF6 on SwitchB. As a result, the ARP entry learned through interface IF2 is overwritten by that learned through interface IF1, and Switch cannot communicate with SwitchB. In this case, you can run the undo arp learning ip-network-cross enable command to disable inter-network segment ARP learning on interface IF1 of Switch.

Figure 6-3  Networking for disabling inter-network segment ARP learning

Example

# Disable inter-network segment ARP learning on interfaces.

<HUAWEI> system-view
[HUAWEI] undo arp learning ip-network-cross enable
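
The overwrite described in the usage guidelines can be reproduced with a small model. This is an added example, not Huawei code or the switch's actual implementation. The interface addresses for IF1 and IF2 and both MAC addresses are constructed assumptions; only 172.16.2.20 comes from this document.

```python
import ipaddress


class ArpTable:
    """Toy model of per-interface ARP learning (not Huawei's implementation)."""

    def __init__(self, interfaces, cross_segment_learning):
        # interfaces: name -> interface address in CIDR form (assumed values)
        self.networks = {name: ipaddress.ip_interface(cidr).network
                         for name, cidr in interfaces.items()}
        self.cross_segment_learning = cross_segment_learning
        self.entries = {}  # ip -> (mac, interface the entry was learned on)

    def learn(self, ifname, sender_ip, sender_mac):
        """Process one ARP packet received on ifname; return True if learned."""
        same_segment = ipaddress.ip_address(sender_ip) in self.networks[ifname]
        if not same_segment and not self.cross_segment_learning:
            return False  # sender is outside this interface's network segment
        self.entries[sender_ip] = (sender_mac, ifname)  # newest packet wins
        return True

    def cross_segment_entries(self):
        """Audit: entries whose IP is outside the learning interface's segment."""
        return sorted(ip for ip, (_, ifname) in self.entries.items()
                      if ipaddress.ip_address(ip) not in self.networks[ifname])


# Constructed topology: IF2 faces the 172.16.2.0/24 segment, IF1 another one.
INTERFACES = {"IF1": "172.16.1.1/24", "IF2": "172.16.2.1/24"}
# Constructed packets: 172.16.2.20 is first seen on IF2, then again on IF1
# once proxy ARP is enabled on SwitchA. MAC values are placeholders.
PACKETS = [("IF2", "172.16.2.20", "00e0-fc00-00b6"),
           ("IF1", "172.16.2.20", "00e0-fc00-00a1")]


def replay(cross_segment_learning):
    """Feed the constructed packets to a fresh table and return it."""
    table = ArpTable(INTERFACES, cross_segment_learning)
    for packet in PACKETS:
        table.learn(*packet)
    return table


if __name__ == "__main__":
    for enabled in (True, False):
        table = replay(enabled)
        print(enabled, table.entries, table.cross_segment_entries())
```

The cross_segment_entries audit applies the same subnet test to an existing table, which is a quick way to spot entries that were learned on the wrong interface before the command was applied.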
Updated: 2019-04-18

Document ID: EDOC1000178165
