Configuration Guide - IP Service

CloudEngine 12800 and 12800E V200R005C00

This document describes the configurations of IP Service, including IP address, ARP, DHCP, DNS, IP performance optimization, IPv6, DHCPv6, and IPv6 DNS.

Configuring Egress ARP Inspection



The CE12800E configured with ED-E, EG-E, and EGA-E series cards does not support this function.

Egress ARP inspection (EAI) enables the switch to restrict the scope of ARP packet forwarding. This function prevents ARP packets from being broadcast in a VLAN and reduces the traffic volume in the VLAN. As shown in Figure 2-14, SwitchB is located between the DHCP server and the user hosts. All the user hosts belong to VLAN 2 and obtain IP addresses through DHCP.

Figure 2-14 EAI networking

If SwitchB broadcasts ARP Request packets in the VLAN, the traffic volume in the VLAN increases. To reduce the network load in the VLAN, enable EAI in this VLAN on SwitchB. Before enabling EAI in a VLAN, run the dhcp snooping enable command to enable DHCP snooping globally.

After EAI is enabled, the switch matches destination IP addresses of received ARP Request packets with dynamic binding entries generated by DHCP snooping to determine outbound interfaces for the packets. If the destination IP address of an ARP Request packet matches a dynamic binding entry, the switch sends the packet to the outbound interface specified in the binding entry. If the outbound interface is the same as the inbound interface of the ARP Request packet, the switch discards the packet. If the destination IP address matches no binding entry, the switch processes the packet as follows:
  • If the ARP Request packet is sent from a trusted interface, the switch forwards the packet to other trusted interfaces. If there is no other trusted interface, the switch discards the packet.

  • If the ARP Request packet is sent from an untrusted interface, the switch forwards the packet to the trusted interface.
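
The forwarding decision described above, modeled in Python as an added example (not Huawei code or device output). The binding-table layout, interface names and addresses are constructed, and delivering to every trusted interface when there are several is an assumption.

```python
# Added illustration: models the EAI forwarding decision described above.
# Interface names and addresses are constructed sample values.

def eai_egress(bindings, trusted, vlan, in_if, target_ip):
    """Return the set of egress interfaces for an ARP Request (empty = discard).

    bindings: {(vlan, ip): interface}, standing in for the dynamic binding
              entries generated by DHCP snooping (layout is an assumption).
    trusted:  set of DHCP snooping trusted interfaces in the VLAN.
    """
    out_if = bindings.get((vlan, target_ip))
    if out_if is not None:
        # Target IP matches a binding: send only to the bound interface,
        # unless that is the interface the request arrived on.
        return set() if out_if == in_if else {out_if}
    if in_if in trusted:
        # No binding, trusted ingress: other trusted interfaces only.
        return set(trusted) - {in_if}
    # No binding, untrusted ingress: trusted side only.
    # Assumption: with several trusted interfaces, all of them get the packet.
    return set(trusted)


# Constructed sample: VLAN 2, DHCP server behind the trusted uplink.
TRUSTED = {"10GE1/0/1"}
BINDINGS = {
    (2, "10.1.1.2"): "10GE1/0/2",  # host A
    (2, "10.1.1.3"): "10GE1/0/3",  # host B
}

if __name__ == "__main__":
    cases = [
        ("10GE1/0/2", "10.1.1.3"),    # A asks for B
        ("10GE1/0/2", "10.1.1.2"),    # target bound to the ingress interface
        ("10GE1/0/2", "10.1.1.254"),  # no binding, untrusted ingress
        ("10GE1/0/1", "10.1.1.254"),  # no binding, trusted ingress
    ]
    for in_if, ip in cases:
        out = eai_egress(BINDINGS, TRUSTED, 2, in_if, ip)
        print(f"{in_if} -> who-has {ip}: {sorted(out) or 'discard'}")
```

In every case the request reaches at most the bound port or the trusted side, so an ARP Request from one user host is never flooded to the other untrusted user ports in the VLAN.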


  1. Run system-view

    The system view is displayed.

  2. Run dhcp snooping enable

    DHCP snooping is globally enabled.

    By default, DHCP snooping is globally disabled on the device.

  3. Run vlan vlan-id

    The VLAN view is displayed.

  4. Run dhcp snooping arp security enable

    EAI is enabled in the VLAN.

    By default, EAI is disabled.

    • After EAI is enabled, the switch sends all the received ARP Request packets to the CPU for software forwarding, which degrades the ARP packet forwarding performance.

    • EAI and MAC-forced forwarding (MFF) cannot be configured in the same VLAN because the two functions use mutually exclusive ARP mechanisms. MFF uses the proxy ARP mechanism, whereas EAI forwards ARP Request packets.

    • EAI cannot be configured in the super-VLAN.

    • When both EAI and transparent transmission of Layer 2 protocol packets are configured, EAI takes effect preferentially.

  5. Run commit

    The configuration is committed.

Updated: 2019-04-18

Document ID: EDOC1100039535
