Configuring Static ARP
Static ARP entries are not aged and cannot be overridden by dynamic ARP entries, which improves communication security.
Context
Static ARP entries protect the ARP table against malicious modification, but configuring them is labor-intensive. They suit small networks and are not suitable for networks where host IP addresses may change.
You can configure static ARP entries manually or by using automatic scanning and fixed ARP. When only a few static ARP entries are needed, configure them manually. When a large number of static ARP entries are needed and the IP addresses in the entries are on the same network segment as the VLANIF interface IP addresses, use automatic scanning and fixed ARP to configure them.
If the outbound interface is an Ethernet interface in Layer 2 mode, you are advised to configure a long static ARP entry. Specify the VLAN and outbound interface when configuring the entry.
Procedure
- Run system-view
  The system view is displayed.
- Run arp static ip-address mac-address [ vpn-instance vpn-instance-name ] or arp static ip-address mac-address vid vlan-id [ cevid ce-vid ] interface interface-type interface-number
  A static ARP entry is configured.
  - For Layer 3 physical interfaces and Layer 3 Eth-Trunk interfaces, run the arp static ip-address mac-address command to configure static ARP entries.
  - For VLANIF interfaces and Dot1q termination sub-interfaces, run the arp static ip-address mac-address vid vlan-id interface interface-type interface-number command to configure static ARP entries.
  - For QinQ termination sub-interfaces, run the arp static ip-address mac-address vid vlan-id cevid ce-vid interface interface-type interface-number command to configure static ARP mapping entries with double tags. vid specified in this command must be the same as pe-vid in the qinq termination pe-vid ce-vid command, and ce-vid must be within the value range of ce-vid in the qinq termination pe-vid ce-vid command.
  - For interfaces bound to a VPN instance:
    - For Layer 3 physical interfaces and Layer 3 Eth-Trunk interfaces, run the arp static ip-address mac-address vpn-instance vpn-instance-name command to configure static ARP entries.
    - For VLANIF interfaces and Dot1q termination sub-interfaces, run the arp static ip-address mac-address vid vlan-id interface interface-type interface-number command to configure static ARP entries.
    - For QinQ termination sub-interfaces, run the arp static ip-address mac-address vid vlan-id cevid ce-vid interface interface-type interface-number command to configure static ARP mapping entries with double tags. vid specified in this command must be the same as pe-vid in the qinq termination pe-vid ce-vid command, and ce-vid must be within the value range of ce-vid in the qinq termination pe-vid ce-vid command.
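The following Python helper is an added example, not part of the original procedure or any vendor tooling: it picks the arp static command form that the procedure prescribes for each interface type and rejects QinQ entries that break the pe-vid and ce-vid rule before anything is pasted into the device. The field names, the H-H-H MAC notation and every address, VLAN and interface name are assumptions or constructed sample values.

```python
import ipaddress
import re

def to_hhh(mac):
    """Normalize a MAC address to H-H-H form (assumed device notation)."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))

def arp_static_cmd(entry, qinq=None):
    """Return the arp static command for one inventory entry.

    entry["kind"] is "l3" (Layer 3 physical / Layer 3 Eth-Trunk), "vlanif",
    "dot1q" or "qinq". For "qinq", qinq = (pe_vid, ce_low, ce_high) as set by
    the sub-interface's qinq termination pe-vid ce-vid command.
    """
    ip = ipaddress.IPv4Address(entry["ip"])  # raises ValueError if malformed
    base = f"arp static {ip} {to_hhh(entry['mac'])}"
    kind = entry["kind"]
    if kind == "l3":
        # vpn-instance is appended only when the interface is bound to one.
        return f"{base} vpn-instance {entry['vpn']}" if entry.get("vpn") else base
    if kind not in ("vlanif", "dot1q", "qinq"):
        raise ValueError(f"unknown interface kind: {kind!r}")
    vid = entry["vid"]
    if not 1 <= vid <= 4094:  # 802.1Q VLAN ID range
        raise ValueError(f"VLAN ID out of range: {vid}")
    tail = f"interface {entry['interface']}"
    if kind != "qinq":
        # Same form whether or not the interface is bound to a VPN instance.
        return f"{base} vid {vid} {tail}"
    pe_vid, ce_low, ce_high = qinq
    if vid != pe_vid:
        raise ValueError(f"vid {vid} must equal pe-vid {pe_vid}")
    if not ce_low <= entry["cevid"] <= ce_high:
        raise ValueError(f"cevid {entry['cevid']} outside {ce_low}-{ce_high}")
    return f"{base} vid {vid} cevid {entry['cevid']} {tail}"

# Constructed inventory: addresses, VLANs and interface names are sample values.
INVENTORY = [
    {"kind": "l3", "ip": "10.1.1.2", "mac": "00:e0:fc:01:00:02"},
    {"kind": "l3", "ip": "10.1.1.3", "mac": "00:e0:fc:01:00:03", "vpn": "vpn1"},
    {"kind": "vlanif", "ip": "10.1.2.2", "mac": "00e0-fc01-0004", "vid": 10,
     "interface": "GigabitEthernet 1/0/1"},
]

if __name__ == "__main__":
    for item in INVENTORY:
        print(arp_static_cmd(item))
```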
Verifying the Configuration
Run the display arp [ all | brief ] command to check all ARP mapping entries.
Run the display arp network net-number net-mask [ dynamic | static ] command to check ARP mapping entries of a specified network segment.
Run the display arp static command to check static ARP mapping entries.
Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] command to check ARP mapping entries of a specified interface.
Run the display arp vpn-instance vpn-instance-name static command to check static ARP mapping entries of a specified VPN instance.