05-Layer 3—IP Services Command Reference

01-ARP commands

Contents

ARP commands
arp check enable
arp check log enable
arp hardware log enable
arp mac-interface-consistency check enable
arp max-learning-num
arp max-learning-number
arp multiport
arp smooth
arp static
arp timer aging
arp timer aging probe-count
arp timer aging probe-interval
arp topology-change enable
arp user-ip-conflict record enable
arp user-move record enable
display arp
display arp entry-limit
display arp ip-address
display arp openflow count
display arp timer aging
display arp usage
display arp user-ip-conflict record
display arp user-move record
display arp vpn-instance
reset arp

Gratuitous ARP commands
arp ip-conflict log prompt
arp local-proxy gratuitous-arp forward enable
arp send-gratuitous-arp
gratuitous-arp mac-change retransmit
gratuitous-arp-learning enable
gratuitous-arp-sending enable

Proxy ARP commands
display local-proxy-arp
display proxy-arp
display proxy-arp statistics
local-proxy-arp enable
proxy-arp enable

ARP snooping commands
arp snooping enable
arp snooping uplink
display arp snooping
reset arp snooping

ARP direct route advertisement commands
arp route-direct advertise
arp route-direct advertise delay
arp route-direct advertise mad-down-single-homed
display arp route-direct advertise

Commands for disabling sending ARP requests when data packets trigger ARP resolution
arp fib-miss drop

ARP ping commands
ping arp ip
ping arp mac


ARP commands

arp check enable

Use arp check enable to enable dynamic ARP entry check.

Use undo arp check enable to disable dynamic ARP entry check.

Syntax

arp check enable

undo arp check enable

Default

Dynamic ARP entry check is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When dynamic ARP entry check is enabled, the device does not support ARP entries that contain multicast MAC addresses. The device cannot learn dynamic ARP entries containing multicast MAC addresses, and you cannot manually add static ARP entries that contain multicast MAC addresses.

When dynamic ARP entry check is disabled, ARP entries containing multicast MAC addresses are supported. The device can learn dynamic ARP entries containing multicast MAC addresses obtained from the ARP packets sourced from a unicast MAC address. You can also manually add static ARP entries containing multicast MAC addresses.

Examples

# Enable dynamic ARP entry check.

<Sysname> system-view

[Sysname] arp check enable

arp check log enable

Use arp check log enable to enable the ARP logging feature.

Use undo arp check log enable to disable the ARP logging feature.

Syntax

arp check log enable

undo arp check log enable

Default

ARP logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables a device to log ARP events when ARP cannot resolve IP addresses correctly. The log information helps administrators locate and solve problems. The device can log the following ARP events:

·     On a proxy ARP-disabled interface, the target IP address of a received ARP packet is not one of the following IP addresses:

      ◦     The IP address of the receiving interface.

      ◦     The virtual IP address of the VRRP group.

·     The sender IP address of a received ARP reply conflicts with one of the following IP addresses:

      ◦     The IP address of the receiving interface.

      ◦     The virtual IP address of the VRRP group.

The device sends ARP log messages to the information center. You can use the info-center source command to specify the log output rules for the information center. For more information about information center, see Network Management and Monitoring Configuration Guide.

The device can generate a large number of ARP logs. To conserve system resources, enable ARP logging only when you are auditing or troubleshooting ARP events.

Examples

# Enable ARP logging.

<Sysname> system-view

[Sysname] arp check log enable

arp hardware log enable

Use arp hardware log enable to enable error logging for ARP entry deployment to hardware.

Use undo arp hardware log enable to disable error logging for ARP entry deployment to hardware.

Syntax

arp hardware log enable [ count-limit count-limit-value ]

undo arp hardware log enable

Default

Error logging for ARP entry deployment to hardware is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

count-limit count-limit-value: Specifies the maximum number of logs that can be output per second about ARP entry deployment to hardware. If you do not specify this option, the device outputs a maximum of 2000 logs per second about ARP entry deployment to hardware.

Usage guidelines

After the device learns ARP entries, it deploys the ARP entries to hardware for packet forwarding. After you execute this command, the device logs the errors that occur during the deployment. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Log generation occupies memory. As a best practice, enable this feature only for troubleshooting when traffic forwarding is abnormal.

If the maximum number of logs that can be output per second is reached, no new error logs will be output.

Examples

# Enable error logging for ARP entry deployment to hardware and set the maximum number of logs that can be output per second to 100.

<Sysname> system-view

[Sysname] arp hardware log enable count-limit 100

arp mac-interface-consistency check enable

Use arp mac-interface-consistency check enable to enable interface consistency check between ARP and MAC address entries.

Use undo arp mac-interface-consistency check enable to disable interface consistency check between ARP and MAC address entries.

Syntax

arp mac-interface-consistency check enable

undo arp mac-interface-consistency check enable

Default

Interface consistency check between ARP and MAC address entries is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

In an unstable network, the receiving interface for packets from a user might change. The interface in the MAC address entry can be updated immediately while the interface in the ARP entry cannot. In this case, the packets matching the ARP entry will be sent out of an incorrect interface. To solve this problem, you can use this feature to periodically check the interface consistency between the ARP and MAC address entry for a user. If the interfaces are not the same, ARP sends ARP requests in the VLAN of the ARP entry and updates the entry with the ARP reply receiving interface.

Use the display mac-address command to display MAC address entries.

Examples

# Enable interface consistency check between ARP and MAC address entries.

<Sysname> system-view

[Sysname] arp mac-interface-consistency check enable

Related commands

display mac-address (Layer 2—LAN Switching Command Reference)

arp max-learning-num

Use arp max-learning-num to set the dynamic ARP learning limit for an interface.

Use undo arp max-learning-num to restore the default.

Syntax

arp max-learning-num max-number [ alarm alarm-threshold ]

undo arp max-learning-num

Default

The dynamic ARP learning limit for an interface depends on the maximum free space of the ARP table.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VXLAN VSI interface view

VLAN interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of dynamic ARP entries for an interface. The value range for this argument is 0 to 49152.

alarm alarm-threshold: Specifies an alarm threshold for dynamic ARP learning, in percentage. The value range for the alarm-threshold argument is 1 to 100. The device generates a log message when the number of dynamic ARP entries learned on an interface reaches the value calculated by using the formula: (max-number × alarm-threshold)/100. If you do not specify the alarm threshold, the device does not generate log messages.

Usage guidelines

An interface can dynamically learn ARP entries. To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn. When the maximum number is reached, the interface stops learning ARP entries.

When the max-number argument is set to 0, the interface is disabled from learning dynamic ARP entries.

Examples

# Specify VLAN-interface 40 to learn a maximum of 10 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface vlan-interface 40

[Sysname-Vlan-interface40] arp max-learning-num 10

# Specify Ten-GigabitEthernet 1/0/1 to learn a maximum of 10 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] arp max-learning-num 10

# Specify Layer 2 aggregate interface Bridge-Aggregation 1 to learn a maximum of 10 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface bridge-aggregation 1

[Sysname-Bridge-Aggregation1] arp max-learning-num 10

# Specify Layer 3 aggregate interface Route-Aggregation 1 to learn a maximum of 10 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] arp max-learning-num 10

arp max-learning-number

Use arp max-learning-number to set the dynamic ARP learning limit for a device.

Use undo arp max-learning-number to restore the default.

Syntax

arp max-learning-number max-number slot slot-number

undo arp max-learning-number slot slot-number

Default

The dynamic ARP learning limit for a device depends on the maximum free space of the ARP table.

Views

System view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of dynamic ARP entries for a device. The value range for this argument is 0 to 49152.

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

A device can dynamically learn ARP entries. To prevent a device from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the device can learn. When the maximum number is reached, the device stops learning ARP entries.

When the max-number argument is set to 0, the device is disabled from learning dynamic ARP entries.

Examples

# Set the ARP learning limit to 64 for slot 1.

<Sysname> system-view

[Sysname] arp max-learning-number 64 slot 1

arp multiport

Use arp multiport to configure a multiport ARP entry.

Use undo arp to delete an ARP entry.

Syntax

arp multiport ip-address mac-address vlan-id [ vpn-instance vpn-instance-name ] [ description text ]

undo arp ip-address [ vpn-instance-name ]

Default

No multiport ARP entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IP address for the multiport ARP entry.

mac-address: Specifies a MAC address for the multiport ARP entry, in the format of H-H-H.

vlan-id: Specifies a VLAN for the multiport ARP entry, in the range of 1 to 4094. The specified VLAN must already exist.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the multiport ARP entry belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. The specified VPN instance must already exist. To specify a multiport ARP entry on the public network, do not specify this option.

description text: Specifies the description for the multiport ARP entry, a case-sensitive string of 1 to 255 characters.

Usage guidelines

For easy identification of multiport ARP entries, you can configure a description for each multiport ARP entry.

If the corresponding VLAN or the VLAN interface is deleted, the multiport ARP entry is also deleted.

To make the multiport ARP entry effective for packet forwarding, you must configure a multicast or multiport unicast MAC address entry to specify multiple output interfaces. The MAC address entry must have the same MAC address and VLAN ID as the multiport ARP entry. In addition, the IP address in the multiport ARP entry must reside on the same subnet as the VLAN interface of the specified VLAN.

Examples

# Configure a multiport ARP entry that contains IP address 202.38.10.2 and MAC address 00e0-fc01-0000 in VLAN 10.

<Sysname> system-view

[Sysname] arp multiport 202.38.10.2 00e0-fc01-0000 10

Related commands

display arp multiport

reset arp multiport

arp smooth

Use arp smooth to synchronize ARP entries from the master device to all subordinate devices.

Syntax

arp smooth

Views

User view

Predefined user roles

network-admin

Examples

# Synchronize ARP entries from the master device to all subordinate devices.

<Sysname> arp smooth

arp static

Use arp static to configure a static ARP entry.

Use undo arp to delete an ARP entry.

Syntax

arp static ip-address mac-address [ vlan-id interface-type interface-number | vsi-interface vsi-interface-id tunnel number vsi vsi-name | vsi-interface vsi-interface-id interface-type interface-number service-instance instance-id vsi vsi-name ] [ vpn-instance vpn-instance-name ] [ description text ]

undo arp ip-address [ vpn-instance-name ]

Default

No static ARP entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IP address for the static ARP entry.

mac-address: Specifies a MAC address for the static ARP entry, in the format of H-H-H.

vlan-id: Specifies the ID of a VLAN to which the static ARP entry belongs. The value range is 1 to 4094.

interface-type interface-number: Specifies an interface by its type and number.

vsi-interface vsi-interface-id: Specifies a VSI interface by its number. The VSI interface must already exist.

tunnel number: Specifies a tunnel interface by its number. The tunnel interface must already exist.

vsi vsi-name: Specifies a VSI by its name, a case-sensitive string of 1 to 31 characters.

service-instance instance-id: Specifies an Ethernet service instance by its ID in the range of 1 to 4096. You must specify this option if you specify a Layer 2 Ethernet interface for the preceding interface-type interface-number arguments. Do not specify this option if you specify an interface of other types for the preceding interface-type interface-number argument.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the static ARP entry belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. The VPN instance must already exist. To specify a static ARP entry on the public network, do not specify this option.

description text: Specifies the description for the static ARP entry, a case-sensitive string of 1 to 255 characters.

Usage guidelines

A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry.

Static ARP entries can be short or long.

A resolved short static ARP entry becomes unresolved upon certain events, for example, when the resolved output interface goes down, or the corresponding VLAN or VLAN interface is deleted.

Long static ARP entries are effective or ineffective. Ineffective long static ARP entries cannot be used for packet forwarding. A long static ARP entry is ineffective when any of the following conditions exists:

·     The IP address in the entry conflicts with a local IP address.

·     No local interface has an IP address in the same subnet as the IP address in the ARP entry.

If you specify the vlan-id interface-type interface-number argument, follow these restrictions and guidelines:

·     The interface can be an Ethernet interface or an aggregate interface.

·     The VLAN and VLAN interface must already exist. The specified Ethernet interface must belong to the specified VLAN.

·     The IP address of the VLAN interface and the IP address specified by the ip-address argument must be on the same network.

·     A long static ARP entry for a VLAN is deleted if the VLAN or VLAN interface is deleted.

On a VXLAN IP gateway that forwards traffic among VXLANs through VXLAN tunnels, a VSI interface can act as the gateway for multiple VXLANs. The VSI interface (input interface) might be connected to multiple VXLAN tunnel interfaces (output interfaces). In this case, you must specify the vsi-interface vsi-interface-id tunnel number vsi vsi-name parameters to identify a VSI interface-VSI-VXLAN tunnel interface binding. For more information about VSI interfaces, VSI, and VXLAN tunnel interfaces, see VXLAN Configuration Guide.

On a VXLAN IP gateway that forwards traffic from multiple local sites to remote sites, a VSI interface can act as the gateway for multiple local sites. The VSI interface (input interface) might be associated with multiple Ethernet services (output interfaces) on Layer 2 Ethernet interfaces through which the VSI interface connects to the local sites. In this case, you must specify the vsi-interface vsi-interface-id interface-type interface-number service-instance instance-id vsi vsi-name parameters to identify a VSI interface-Layer 2 Ethernet interface-Ethernet service instance-VSI binding. For more information about VSI interfaces, VSI, and Ethernet service instances, see VXLAN Configuration Guide.

For easy identification of static ARP entries, you can configure a description for each static ARP entry.

Examples

# Configure a long static ARP entry that contains IP address 202.38.10.2, MAC address 00e0-fc01-0000, and output interface Ten-GigabitEthernet 1/0/1 in VLAN 10.

<Sysname> system-view

[Sysname] arp static 202.38.10.2 00e0-fc01-0000 10 ten-gigabitethernet 1/0/1

# Configure a long static ARP entry that contains IP address 1.1.1.1, MAC address 00e0-fc01-0000, input interface VSI-interface 1, output interface Tunnel 1, and the VSI a.

<Sysname> system-view

[Sysname] arp static 1.1.1.1 00e0-fc01-0000 vsi-interface 1 tunnel 1 vsi a

# Configure a long static ARP entry that contains IP address 1.1.1.1, MAC address 00e0-fc01-0000, input interface VSI-interface 1, output interface Ethernet instance 1 on Ten-GigabitEthernet 1/0/1, and VSI a.

<Sysname> system-view

[Sysname] arp static 1.1.1.1 00e0-fc01-0000 vsi-interface 1 ten-gigabitethernet 1/0/1 service-instance 1 vsi a

Related commands

display arp

reset arp

arp timer aging

Use arp timer aging to set the aging timer for dynamic ARP entries.

Use undo arp timer aging to restore the default.

Syntax

arp timer aging { aging-minutes | second aging-seconds }

undo arp timer aging

Default

In system view, the aging timer for dynamic ARP entries is 20 minutes.

In interface view, the aging timer for dynamic ARP entries is the aging timer set in system view.

Views

System view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VXLAN VSI interface view

VLAN interface view

Predefined user roles

network-admin

Parameters

aging-minutes: Specifies the aging timer in minutes. The value range for this argument is 1 to 1440.

second aging-seconds: Specifies the aging timer in seconds. The value range for the aging-seconds argument is 5 to 86400.

Usage guidelines

Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. Dynamic ARP entries that are not updated before their aging timers expire are deleted from the ARP table.

You can set the aging timer for dynamic ARP entries in system view or in interface view. The aging timer set in interface view takes precedence over the aging timer set in system view.

Set the aging timer for dynamic ARP entries as needed. For example, when you configure proxy ARP, set a short aging time so that invalid dynamic ARP entries can be deleted in a timely manner.

Examples

# Set the aging timer for dynamic ARP entries to 10 minutes.

<Sysname> system-view

[Sysname] arp timer aging 10

# Set the aging timer for dynamic ARP entries to 200 seconds.

<Sysname> system-view

[Sysname] arp timer aging second 200

# Set the aging timer for dynamic ARP entries to 200 seconds on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp timer aging second 200

Related commands

arp timer aging probe-count

arp timer aging probe-interval

display arp timer aging

arp timer aging probe-count

Use arp timer aging probe-count to set the maximum number of probes for dynamic ARP entries.

Use undo arp timer aging probe-count to restore the default.

Syntax

arp timer aging probe-count count

undo arp timer aging probe-count

Default

In system view, the maximum number of probes for dynamic ARP entries is 3.

In interface view, the maximum number of probes for dynamic ARP entries is that set in system view.

Views

System view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VXLAN VSI interface view

VLAN interface view

Predefined user roles

network-admin

Parameters

count: Specifies the maximum number of probes. The value range for this argument is 0 to 10. To disable the device from probing dynamic ARP entries, set the value to 0.

Usage guidelines

This probe mechanism keeps legal dynamic ARP entries valid and avoids unnecessary ARP resolution in later traffic forwarding. This probe feature sends ARP requests for the IP address in a dynamic ARP entry.

·     If the device receives an ARP reply before the entry aging timer expires, the device resets the aging timer.

·     If the device does not receive any ARP reply after the maximum number of probes is made, the device deletes the entry when the entry aging timer expires.

You can set the maximum number of probes in system view and in interface view. The setting in interface view takes precedence over that in system view.

Examples

# Allow the device to perform a maximum of five probes for dynamic ARP entries.

<Sysname> system-view

[Sysname] arp timer aging probe-count 5

# Allow the device to perform a maximum of five probes for dynamic ARP entries on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp timer aging probe-count 5

Related commands

arp timer aging

arp timer aging probe-interval

arp timer aging probe-interval

Use arp timer aging probe-interval to set the interval for probing dynamic ARP entries.

Use undo arp timer aging probe-interval to restore the default.

Syntax

arp timer aging probe-interval interval

undo arp timer aging probe-interval

Default

In system view, the probe interval is 5 seconds.

In interface view, the probe interval equals the setting in system view.

Views

System view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VXLAN VSI interface view

VLAN interface view

Predefined user roles

network-admin

Parameters

interval: Specifies the probe interval in seconds. The value range is 1 to 60.

Usage guidelines

The probing feature keeps legal dynamic ARP entries valid and avoids unnecessary ARP resolution during later traffic forwarding.

Before a dynamic ARP entry is aged out, the device sends ARP requests for the IP address in the ARP entry.

·     If the device receives an ARP reply during the probe interval, the device resets the aging timer.

·     If the device does not receive any ARP reply during the probe interval, the device starts a new probe.

·     If the maximum number of probes is made and still no ARP reply is received, the device deletes the entry.

You can set the probe interval in system view and in interface view. The probe interval in interface view takes precedence over the probe interval in system view.

Examples

# Set the probe interval to 10 seconds for dynamic ARP entries.

<Sysname> system-view

[Sysname] arp timer aging probe-interval 10

# Set the probe interval to 10 seconds for dynamic ARP entries on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp timer aging probe-interval 10

Related commands

arp timer aging

arp timer aging probe-count

arp topology-change enable

Use arp topology-change enable to enable the device to age or delete ARP entries in response to network topology changes.

Use undo arp topology-change enable to disable the device from aging or deleting ARP entries in response to network topology changes.

Syntax

arp topology-change enable

undo arp topology-change enable

Default

The device ages or deletes ARP entries in response to network topology changes.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

After you configure STP for the device in a tree-shaped network topology, the system notifies the ARP module to age or delete the learned ARP entries when the loop protocol detects a network topology change. Then, the device must learn ARP entries again to obtain the latest ARP entry information. If the network topology changes frequently, a large number of ARP packets might occur when the device relearns ARP entries, which occupies too many system resources and affects the normal operation of other services. To avoid such an issue, you can execute the undo arp topology-change enable command. Even if the network topology changes, the device does not age or delete ARP entries.

Restrictions and guidelines

After you execute the undo arp topology-change enable command, the ARP entries saved by the device might not be the latest ones, which causes user traffic interruption. As a best practice, use this command only when necessary.

Examples

# Disable the device from aging or deleting ARP entries in response to network topology changes.

<Sysname> system-view

[Sysname] undo arp topology-change enable

Related commands

stp enable (Layer 2—LAN Switching Command Reference)

arp user-ip-conflict record enable

Use arp user-ip-conflict record enable to enable recording user IP address conflicts.

Use undo arp user-ip-conflict record enable to disable recording user IP address conflicts.

Syntax

arp user-ip-conflict record enable

undo arp user-ip-conflict record enable

Default

Recording user IP address conflicts is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to detect and record user IP address conflicts. The device determines that a conflict occurs if an incoming ARP packet has the same sender IP address as an existing ARP entry but a different sender MAC address. The device generates a user IP address conflict record, logs the conflict, and sends the log to the information center. For information about the log destination and output rule configuration, see the information center in Network Management and Monitoring Configuration Guide.

An IRF member device can generate a maximum of 10 user IP address conflict logs per second.

To display user IP address conflict records, use the display arp user-ip-conflict record command.

Examples

# Enable recording user IP address conflicts.

<Sysname> system-view

[Sysname] arp user-ip-conflict record enable

Related commands

display arp user-ip-conflict record
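
The conflict rule from the usage guidelines above, as an added Python example (not H3C code): it decodes the sender fields of ARP payloads and records a conflict when a known sender IP address arrives with a different sender MAC address, capping logs at 10 per second. The packets and addresses are constructed, and overwriting the entry with the newer MAC address after a conflict is an assumption the page does not state.

```python
import socket
import struct

# ARP payload for Ethernet/IPv4: htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes


def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload; MAC addresses use the H-H-H notation."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper,
        bytes.fromhex(sha.replace("-", "")), socket.inet_aton(spa),
        bytes.fromhex(tha.replace("-", "")), socket.inet_aton(tpa),
    )


def sender_of(payload):
    """Return (sender IP, sender MAC in H-H-H) or None for non Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        return None
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = sha.hex()
    return socket.inet_ntoa(spa), f"{mac[0:4]}-{mac[4:8]}-{mac[8:12]}"


class ConflictRecorder:
    """Model of user IP conflict recording: same sender IP, different sender MAC."""

    MAX_LOGS_PER_SECOND = 10  # per-member log cap stated on this page

    def __init__(self, arp_table):
        self.table = dict(arp_table)  # sender IP -> MAC from existing ARP entries
        self.records = []             # every detected conflict
        self.logs = []                # conflicts that passed the per-second cap
        self._second = None
        self._logged = 0

    def observe(self, ts, payload):
        sender = sender_of(payload)
        if sender is None:
            return None
        ip, mac = sender
        if ip == "0.0.0.0":
            return None  # ARP probes carry no sender IP and identify no user
        known = self.table.get(ip)
        self.table[ip] = mac  # assumption: the entry follows the newest sender MAC
        if known is None or known == mac:
            return None
        record = {"time": ts, "ip": ip, "old_mac": known, "new_mac": mac}
        self.records.append(record)
        second = int(ts)
        if second != self._second:
            self._second, self._logged = second, 0
        if self._logged < self.MAX_LOGS_PER_SECOND:
            self.logs.append(record)
            self._logged += 1
        return record


def demo():
    """Replay constructed traffic: two hosts alternately claiming 10.0.0.5."""
    owner, other = "00e0-fc00-0001", "00e0-fc00-0099"
    gateway_mac, gateway_ip = "00e0-fc00-00fe", "10.0.0.1"
    recorder = ConflictRecorder({"10.0.0.5": owner})
    # A reply from the known owner is not a conflict.
    recorder.observe(0.0, build_arp(2, owner, "10.0.0.5", gateway_mac, gateway_ip))
    # Twelve alternating claims inside one second: 12 records, 10 logs.
    for i in range(12):
        mac = other if i % 2 == 0 else owner
        recorder.observe(1.0 + i * 0.05,
                         build_arp(2, mac, "10.0.0.5", gateway_mac, gateway_ip))
    # One more claim in the next second is logged again.
    recorder.observe(2.0, build_arp(2, other, "10.0.0.5", gateway_mac, gateway_ip))
    return len(recorder.records), len(recorder.logs)


if __name__ == "__main__":
    print(demo())
```
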

arp user-move record enable

Use arp user-move record enable to enable recording user port migrations.

Use undo arp user-move record enable to disable recording user port migrations.

Syntax

arp user-move record enable

undo arp user-move record enable

Default

Recording user port migrations is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Each IRF member device can generate a maximum of 10 user port migration logs per second.

To display user port migration records, use the display arp user-move record command.

Examples

# Enable recording user port migration.

<Sysname> system-view

[Sysname] arp user-move record enable

Related commands

display arp user-move record

display arp

Use display arp to display ARP entries.

Syntax

display arp [ [ all | dynamic | multiport | static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all ARP entries.

dynamic: Displays dynamic ARP entries.

multiport: Displays multiport ARP entries.

static: Displays static ARP entries.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ARP entries for the master device.

vlan vlan-id: Specifies a VLAN by its VLAN ID. The VLAN ID is in the range of 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays ARP entries for all interfaces.

count: Displays the number of ARP entries.

verbose: Displays detailed information about ARP entries.

Usage guidelines

This command displays information about ARP entries, including the IP address, MAC address, VLAN ID, output interface, entry type, and aging timer.

Examples

# Display all ARP entries.

<Sysname> display arp all

  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid

IP address      MAC address    VLAN/VSI name Interface                Aging Type

1.1.1.1         02e0-f102-0023 1             XGE1/0/1                 --    S

1.1.1.2         00e0-fc00-0001 12            XGE1/0/2                 960   D

1.1.1.3         00e0-fe50-6503 vsi1          Tunnel1                  960   D

1.1.1.4         00e0-fe60-5000 vsi2          --                       --    M

# Display detailed information about all ARP entries.

IP address          : 1.1.1.1             MAC address    : 02e0-f102-0023

Type                : Static              Aging          : --

Interface           : XGE1/0/1            VLAN           : 1

VPN instance        : --

Link ID             : --

Service instance    : 1

VXLAN ID            : --

VSI name            : --

VSI interface       : --

Nickname            : --

Description         : User1

 

IP address          : 1.1.1.2             MAC address    : 0015-e944-adc5

Type                : Dynamic             Aging          : 960 sec

Interface           : XGE1/0/2            VLAN           : 12

VPN instance        : --

Link ID             : --

Service instance    : --

VXLAN ID            : --

VSI name            : --

VSI interface       : --

Nickname            : --

Description         : --

 

IP address          : 1.1.1.3             MAC address    : 0013-1234-0001

Type                : Dynamic             Aging          : 960 sec

Interface           : Tunnel1             VLAN           : --

VPN instance        : --

Link ID             : 0x5000001

Service instance    : --

VXLAN ID            : --

VSI name            : vsi1

VSI interface       : Vsi1

Nickname            : --

Description         : --

 

IP address          : 1.1.1.4                  MAC address    : 00e0-fe60-5000

Type                : Multiport                Aging          : --

Interface           : --                       VLAN           : --

VPN instance        : --

Link ID             : --

Service instance    : --

VXLAN ID            : 1

VSI name            : vsi2

VSI interface       : Vsi1

Nickname            : --

Description         : User2

# Display the number of all ARP entries.

<Sysname> display arp all count

 Total number of entries : 4

Table 1 Command output

Field

Description

IP address

IP address in an ARP entry.

MAC address

MAC address in an ARP entry.

VLAN/VSI name

ID of the VLAN or name of the VSI to which the ARP entry belongs. This field displays hyphens (--) in either of the following situations:

·     The ARP entry is an unresolved short static ARP entry.

·     The output interface of the ARP entry does not belong to the VLAN or VSI.

Interface

Output interface in an ARP entry. This field displays hyphens (--) in either of the following situations:

·     The ARP entry is an unresolved short static ARP entry.

·     The ARP entry is a multiport ARP entry and has no output interface information. To obtain the output interface information of the multiport ARP entry, look up the MAC address table according to the MAC address in the ARP entry.

Link ID

Link ID in an ARP entry. This field displays hyphens (--) if the ARP entry does not belong to any VSI.

Aging

Aging time for an ARP entry in seconds.

For a static ARP entry, this field always displays hyphens (--). The static ARP entry never ages out unless you delete it manually.

For a dynamic ARP entry, this field displays hyphens (--) if the aging time is unknown.

Type

ARP entry type:

·     D—Dynamic.

·     S—Static.

·     O—OpenFlow.

·     R—Rule.

·     M—Multiport.

·     I—Invalid.

VPN instance

Name of VPN instance. If no VPN instance is configured for the ARP entry, this field displays hyphens (--).

Service instance

Ethernet service instance in an ARP entry. This field displays hyphens (--) if no Ethernet service instance is specified for the Layer 2 Ethernet interface or Layer 2 aggregate interface in the ARP entry.

VXLAN ID

ID of the VXLAN to which the ARP entry belongs. VXLAN ID is also called VNI. If the ARP entry does not belong to any VXLAN, this field displays hyphens (--).

VSI name

Name of the VSI to which the ARP entry belongs. If the ARP entry does not belong to any VSI, this field displays hyphens (--).

VSI interface

Name of the gateway interface of the VSI. If no gateway interface is specified for the VSI, this field displays hyphens (--).

Nickname

Nickname of the ARP entry. The nickname is a string of four hexadecimal numbers, for example, 012a.

Description

Description of the ARP entry. If no description is configured for the ARP entry, this field displays hyphens (--).

Total number of entries

Number of ARP entries.

Related commands

arp multiport

arp static

reset arp
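
To audit the summary output of display arp all against known-good bindings, the rows can be parsed and compared with a baseline. The following Python is an added example, not H3C code: the sample text is constructed from the output above, and the BASELINE bindings and finding names are hypothetical.

```python
import re

# Constructed sample: the "display arp all" summary output shown above.
SAMPLE_ARP_ALL = """\
  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid
IP address      MAC address    VLAN/VSI name Interface                Aging Type
1.1.1.1         02e0-f102-0023 1             XGE1/0/1                 --    S
1.1.1.2         00e0-fc00-0001 12            XGE1/0/2                 960   D
1.1.1.3         00e0-fe50-6503 vsi1          Tunnel1                  960   D
1.1.1.4         00e0-fe60-5000 vsi2          --                       --    M
"""

# Hypothetical baseline of bindings that must not change (gateways, servers).
BASELINE = {
    "1.1.1.1": "02e0-f102-0023",
    "1.1.1.2": "00e0-fc00-00aa",
}

# One summary row: IP, MAC (xxxx-xxxx-xxxx), VLAN/VSI, interface, aging, type.
ROW_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+([SDORMI])$"
)


def _field(value):
    """The device prints hyphens (--) for a field that has no value."""
    return None if value == "--" else value


def parse_arp_table(text):
    """Parse summary rows into dicts; legend and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue
        ip, mac, vlan, interface, aging, entry_type = match.groups()
        entries.append({
            "ip": ip,
            "mac": mac.lower(),
            "vlan": _field(vlan),
            "interface": _field(interface),
            "aging": None if aging == "--" else int(aging),
            "type": entry_type,
        })
    return entries


def audit_arp_table(entries, baseline):
    """Return (finding, ip, mac, interface) tuples for entries worth review."""
    findings = []
    for entry in entries:
        where = (entry["ip"], entry["mac"], entry["interface"])
        expected = baseline.get(entry["ip"])
        if expected is not None:
            # A protected IP that resolves to an unexpected MAC.
            if expected.lower() != entry["mac"]:
                findings.append(("mac-mismatch",) + where)
            # A protected IP that is learned dynamically can be overwritten
            # by ARP packets; a static entry never ages out.
            if entry["type"] == "D":
                findings.append(("dynamic-binding",) + where)
        if entry["type"] == "I":
            findings.append(("invalid-entry",) + where)
    return findings


if __name__ == "__main__":
    for finding in audit_arp_table(parse_arp_table(SAMPLE_ARP_ALL), BASELINE):
        print(finding)
```
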

display arp entry-limit

Use display arp entry-limit to display the maximum number of ARP entries that a device supports.

Syntax

display arp entry-limit

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the maximum number of ARP entries that the device supports.

<Sysname> display arp entry-limit

ARP entries: 2048

display arp ip-address

Use display arp ip-address to display the ARP entry for an IP address.

Syntax

display arp ip-address [ slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip-address: Displays the ARP entry for the specified IP address.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information for the master device.

verbose: Displays the detailed information about the specified ARP entry.

Usage guidelines

The ARP entry information includes the IP address, MAC address, VLAN ID, output interface, entry type, and aging timer.

Examples

# Display the ARP entry for the IP address 20.1.1.1.

<Sysname> display arp 20.1.1.1

  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid

IP address      MAC address    VLAN/VSI name Interface                Aging Type

20.1.1.1        00e0-fc00-0001 --            --                       --    S

Related commands

arp static

reset arp

display arp openflow count

Use display arp openflow count to display the number of OpenFlow ARP entries.

Syntax

display arp openflow count [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the number of OpenFlow ARP entries for the master device.

Examples

# Display the number of OpenFlow ARP entries.

<Sysname> display arp openflow count

 Total number of OpenFlow ARP entries: 6

display arp timer aging

Use display arp timer aging to display the aging timer of dynamic ARP entries.

Syntax

display arp timer aging

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command always displays the aging time in seconds no matter which unit you set in the arp timer aging command.

Examples

# Display the aging timer of dynamic ARP entries.

<Sysname> display arp timer aging

Current ARP aging time is 1200 seconds

Related commands

arp timer aging

display arp usage

Use display arp usage to display the ARP table usage.

Syntax

display arp usage

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command displays the maximum number of ARP entries supported on the device in addition to the historical ARP table usage. You can use this command to monitor the number of ARP entries on the device and to determine whether ARP flood attacks exist on the network.

The device can display the ARP table usage only for the most recent hour.

Examples

# Display the ARP table usage.

<Sysname> display arp usage

ARP table upper limit: 65000

  Time          ARP entry count    Usage

  Current       52000              80%

  1 min ago     51351              79%

  2 min ago     50711              78%

  3 min ago     47748              77%

  …

  59 min ago    13656              21%

  60 min ago    13007              20%

Table 2 Command output

Field

Description

ARP table upper limit

Maximum number of ARP entries supported on the device.

Time

Time when the number of ARP entries was counted. This field displays Current if the number of ARP entries was counted just now.

ARP entry count

Number of ARP entries.

Usage

ARP table usage, which is the ratio of the real-time ARP entry count to the ARP table upper limit.
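
The flood check described in the display arp usage guidelines can be run over captured output. The following Python is an added example, not H3C code: the sample text is constructed from the output above, and the usage_alarm and growth_alarm thresholds are assumptions to tune for each network.

```python
import re

# Constructed sample: the "display arp usage" output shown above, including
# the elided rows marker, which the parser skips.
SAMPLE_USAGE_OUTPUT = """\
ARP table upper limit: 65000
  Time          ARP entry count    Usage
  Current       52000              80%
  1 min ago     51351              79%
  2 min ago     50711              78%
  3 min ago     47748              77%
  …
  59 min ago    13656              21%
  60 min ago    13007              20%
"""

LIMIT_RE = re.compile(r"ARP table upper limit:\s*(\d+)")
ROW_RE = re.compile(r"^\s*(Current|(\d+) min ago)\s+(\d+)\s+(\d+)%\s*$")


def parse_arp_usage(text):
    """Return (upper_limit, samples); samples maps minutes ago -> entry count."""
    limit = None
    samples = {}
    for line in text.splitlines():
        match = LIMIT_RE.search(line)
        if match:
            limit = int(match.group(1))
            continue
        match = ROW_RE.match(line)
        if match:
            minutes_ago = 0 if match.group(1) == "Current" else int(match.group(2))
            samples[minutes_ago] = int(match.group(3))
    if limit is None or not samples:
        raise ValueError("text is not 'display arp usage' output")
    return limit, samples


def assess_arp_usage(text, usage_alarm=0.75, growth_alarm=1000):
    """Return (finding, minutes_ago, value) tuples.

    high-usage : current entry count / upper limit >= usage_alarm
    fast-growth: entries added within one minute >= growth_alarm
    Both thresholds are assumptions, not device defaults.
    """
    limit, samples = parse_arp_usage(text)
    findings = []
    current = samples.get(0)
    if current is not None and current / limit >= usage_alarm:
        findings.append(("high-usage", 0, current))
    for minutes_ago in sorted(samples):
        # Compare adjacent one-minute samples only; a gap (elided or
        # missing rows) is skipped instead of being treated as one step.
        older = samples.get(minutes_ago + 1)
        if older is None:
            continue
        delta = samples[minutes_ago] - older
        if delta >= growth_alarm:
            findings.append(("fast-growth", minutes_ago, delta))
    return findings


if __name__ == "__main__":
    for finding in assess_arp_usage(SAMPLE_USAGE_OUTPUT):
        print(finding)
```

Because the device keeps only the most recent hour of usage history, collect the output at least hourly so that no interval goes unexamined.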

 

display arp user-ip-conflict record

Use display arp user-ip-conflict record to display user IP address conflict records.

Syntax

display arp user-ip-conflict record [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays user IP address conflict records on all member devices.

Usage guidelines

Each IRF member device can save a maximum of 200 user IP address conflict records.

If the maximum number is reached, a new record will overwrite the earliest record.

Examples

# Display all user IP address conflict records.

<Sysname> display arp user-ip-conflict record

IP address: 10.1.1.1

System time: 2018-02-02 11:22:29

Conflict count: 1

Log suppress count: 0

Old interface: Ten-GigabitEthernet1/0/1

New interface: Ten-GigabitEthernet1/0/2

Old SVLAN/CVLAN: 100/2

New SVLAN/CVLAN: 100/2

Old MAC: 00e0-ca63-8141

New MAC: 00e0-ca63-8142

 

IP address: 10.1.1.2

System time: 2018-02-02 10:20:30

Conflict count: 1

Log suppress count: 0

Old interface: Ten-GigabitEthernet1/0/1

New interface: Ten-GigabitEthernet1/0/2

Old SVLAN/CVLAN: 100/--

New SVLAN/CVLAN: 100/--

Old MAC: 00e0-ca63-8141

New MAC: 00e0-ca63-8142

Table 3 Command output

Field

Description

IP address

IP address of a user.

System time

Time when the user IP address conflict occurred.

Conflict count

Number of conflicts that occurred for the IP address.

Log suppress count

Number of times that user IP address conflict logs are suppressed.

Old interface

Output interface in the old ARP entry.

New interface

Output interface in the new ARP entry.

Old SVLAN/CVLAN

ID of the outer VLAN or inner VLAN in the old ARP entry. This field displays hyphens (--) if the ARP entry does not belong to any outer VLAN or inner VLAN.

New SVLAN/CVLAN

ID of the outer VLAN or inner VLAN in the new ARP entry. This field displays hyphens (--) if the ARP entry does not belong to any outer VLAN or inner VLAN.

Old MAC

MAC address in the old ARP entry.

New MAC

MAC address in the new ARP entry.

 

Related commands

arp user-ip-conflict record enable
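
User IP address conflict records can be triaged by grouping them by the MAC address that took over each IP address: one new MAC claiming several IP addresses is worth a closer look. The following Python is an added example, not H3C code: the sample text is constructed from the output above, and the grouping rule and min_ips threshold are assumptions that produce a lead for investigation, not a verdict.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the "display arp user-ip-conflict record" output above.
SAMPLE_CONFLICT_RECORDS = """\
IP address: 10.1.1.1
System time: 2018-02-02 11:22:29
Conflict count: 1
Log suppress count: 0
Old interface: Ten-GigabitEthernet1/0/1
New interface: Ten-GigabitEthernet1/0/2
Old SVLAN/CVLAN: 100/2
New SVLAN/CVLAN: 100/2
Old MAC: 00e0-ca63-8141
New MAC: 00e0-ca63-8142

IP address: 10.1.1.2
System time: 2018-02-02 10:20:30
Conflict count: 1
Log suppress count: 0
Old interface: Ten-GigabitEthernet1/0/1
New interface: Ten-GigabitEthernet1/0/2
Old SVLAN/CVLAN: 100/--
New SVLAN/CVLAN: 100/--
Old MAC: 00e0-ca63-8141
New MAC: 00e0-ca63-8142
"""


def parse_conflict_records(text):
    """Split the output into one dict per record, keyed by field name."""
    records = []
    current = {}
    for line in text.splitlines():
        # Split on the first colon only: "System time" values contain colons.
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        # Every record starts with its "IP address" field.
        if key == "IP address" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def macs_claiming_multiple_ips(records, min_ips=2):
    """Map (new MAC, new interface) -> sorted IPs it took over.

    Only records whose MAC address actually changed are counted, and only
    MACs that took over at least min_ips distinct addresses are returned.
    """
    claimed = defaultdict(set)
    for record in records:
        ip = record.get("IP address")
        new_mac = record.get("New MAC", "").lower()
        old_mac = record.get("Old MAC", "").lower()
        if not ip or not new_mac or new_mac == old_mac:
            continue
        claimed[(new_mac, record.get("New interface", "--"))].add(ip)
    return {
        key: sorted(ips, key=ipaddress.ip_address)
        for key, ips in claimed.items()
        if len(ips) >= min_ips
    }


if __name__ == "__main__":
    records = parse_conflict_records(SAMPLE_CONFLICT_RECORDS)
    for (mac, interface), ips in macs_claiming_multiple_ips(records).items():
        print(f"{mac} on {interface} took over {', '.join(ips)}")
```

Each IRF member device keeps at most 200 records and overwrites the earliest one, so collect the output regularly if the records feed an investigation.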

display arp user-move record

Use display arp user-move record to display user port migration records.

Syntax

display arp user-move record [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays user port migration records on all member devices.

Usage guidelines

Each IRF member device can save a maximum of 200 user port migration records.

When the number of user port migration records reaches the upper limit, new records will overwrite the earliest ones.

Examples

# Display all user port migration records.

<Sysname> display arp user-move record

IP address: 10.1.1.1

MAC address: 0001-0201-0e81

System time: 2018-02-02 11:22:29

Move count: 1

Log suppress count: 0

Before:

  interface: Ten-GigabitEthernet1/0/1

  SVLAN/CVLAN: 100/2

After:

  interface: Ten-GigabitEthernet1/0/2

  SVLAN/CVLAN: 100/2

 

IP address: 10.1.1.2

MAC address: 0001-0201-0e82

System time: 2018-02-02 10:20:30

Move count: 1

Log suppress count: 0

Before:

  interface: Ten-GigabitEthernet1/0/1

  SVLAN/CVLAN: 100/--

After:

  interface: Ten-GigabitEthernet1/0/2

  SVLAN/CVLAN: 100/--

Table 4 Command output

Field

Description

IP address

IP address of the user.

MAC address

MAC address of the user.

System time

Time when the user port migration occurred.

Move count

Number of times that the user port migrated.

Log suppress count

Number of times that the generation of user port migration logs is suppressed.

Interface

Output interface in the ARP entry.

SVLAN/CVLAN

ID of the outer VLAN or inner VLAN in the ARP entry. This field displays hyphens (--) if the ARP entry does not belong to any outer VLAN or inner VLAN.

 

Related commands

arp user-move record enable

display arp vpn-instance

Use display arp vpn-instance to display the ARP entries for a VPN instance.

Syntax

display arp vpn-instance vpn-instance-name [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The VPN instance name cannot contain any spaces.

count: Displays the number of ARP entries.

verbose: Displays detailed information about ARP entries.

Usage guidelines

This command displays information about ARP entries for a VPN instance, including the IP address, MAC address, VLAN ID, output interface, entry type, and aging timer.

Examples

# Display ARP entries for VPN instance test.

<Sysname> display arp vpn-instance test

  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid

IP address      MAC address    VLAN/VSI name Interface                Aging Type

20.1.1.1        00e0-fc00-0001 --            --                       --    S

Related commands

arp static

reset arp

reset arp

Use reset arp to clear ARP entries from the ARP table.

Syntax

reset arp { all | dynamic | interface interface-type interface-number | multiport | slot slot-number | static }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all ARP entries.

dynamic: Clears all dynamic ARP entries.

multiport: Clears all multiport ARP entries.

static: Clears all static ARP entries.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears ARP entries for the master device.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears ARP entries for all interfaces.

Usage guidelines

CAUTION:

The reset arp command clears existing ARP entries from the ARP table. As a result, external users might be unable to communicate quickly with LAN users. Make sure you are fully aware of the impacts of this command when you use it on a live network.

 

Examples

# Clear all static ARP entries.

<Sysname> reset arp static

Related commands

arp static

display arp


Gratuitous ARP commands

arp ip-conflict log prompt

Use arp ip-conflict log prompt to enable IP conflict notification.

Use undo arp ip-conflict log prompt to restore the default.

Syntax

arp ip-conflict log prompt

undo arp ip-conflict log prompt

Default

IP conflict notification is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, the device performs the following operations if it is using the sender IP address of a received ARP packet:

·     Sends a gratuitous ARP request.

·     Displays an error message after the device receives an ARP reply about the conflict.

You can use this command to enable the device to display error messages before sending a gratuitous ARP reply or request for conflict confirmation.

Examples

# Enable IP conflict notification on the device.

<Sysname> system-view

[Sysname] arp ip-conflict log prompt

arp local-proxy gratuitous-arp forward enable

Use arp local-proxy gratuitous-arp forward enable to enable gratuitous ARP packet forwarding for a VSI.

Use undo arp local-proxy gratuitous-arp forward enable to disable gratuitous ARP packet forwarding for a VSI.

Syntax

arp local-proxy gratuitous-arp forward enable

undo arp local-proxy gratuitous-arp forward enable

Default

The gratuitous ARP packet forwarding is enabled for a VSI.

Views

VSI view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

When an access user in an authentication domain initiates an authentication request, the device looks for an available authentication server. If all authentication servers in that authentication domain are detected unavailable, the device changes to the critical state (also known as the fail-permit state). In this state, the device assigns the access user to the critical domain (also known as the fail-permit domain) so that the user can come online in the critical domain without being authenticated. If the local proxy ARP feature is enabled by using the local-proxy-arp enable command, the device discards the gratuitous ARP packets received from the VSI of the critical domain instead of forwarding them. To avoid such an issue, you can enable this feature on the device.

Operating mechanism

With gratuitous ARP packet forwarding enabled, the device forwards the gratuitous ARP packets received from the VSI of the critical domain.

Recommended configuration

Enable this feature only for the VSIs associated with critical domains.

Restrictions and guidelines

If you disable this feature for a VSI, the device directly discards the gratuitous ARP packets received from that VSI.

Examples

# Disable gratuitous ARP packet forwarding for VSI vpn1.

<Sysname> system-view

[Sysname] vsi vpn1

[Sysname-vsi-vpn1] undo arp local-proxy gratuitous-arp forward enable

arp send-gratuitous-arp

Use arp send-gratuitous-arp to enable periodic sending of gratuitous ARP packets on an interface.

Use undo arp send-gratuitous-arp to disable the interface from periodically sending gratuitous ARP packets.

Syntax

arp send-gratuitous-arp [ interval interval ]

undo arp send-gratuitous-arp

Default

Periodic sending of gratuitous ARP packets is disabled.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VXLAN VSI interface view

VLAN interface view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the sending interval in the range of 200 to 200000 milliseconds. The default value is 2000 milliseconds.

Usage guidelines

This feature takes effect on an interface only when the interface has an IP address and the data link layer state of the interface is up.

This feature can send gratuitous ARP requests only for a VRRP virtual IP address, or the sending interface's primary IP address or manually configured secondary IP address. The primary IP address can be configured manually or automatically, whereas the secondary IP address must be configured manually.

If you change the sending interval for gratuitous ARP packets, the configuration takes effect at the next sending interval.

The sending interval for gratuitous ARP packets might be much longer than the set interval when any of the following conditions exist:

·     This feature is enabled on multiple interfaces.

·     Each interface is configured with multiple secondary IP addresses.

·     A small sending interval is configured in the preceding cases.

Examples

# Enable VLAN-interface 2 to send gratuitous ARP packets every 300 milliseconds.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp send-gratuitous-arp interval 300

gratuitous-arp mac-change retransmit

Use gratuitous-arp mac-change retransmit to set the number of times and the interval for retransmitting a gratuitous ARP packet for the device MAC address change.

Use undo gratuitous-arp mac-change retransmit to restore the default.

Syntax

gratuitous-arp mac-change retransmit times interval seconds

undo gratuitous-arp mac-change retransmit

Default

The device sends a gratuitous ARP packet for its MAC address change only once.

Views

System view

Predefined user roles

network-admin

Parameters

times: Specifies the number of times to retransmit a gratuitous ARP packet, in the range of 1 to 10.

interval seconds: Specifies the interval for retransmitting a gratuitous ARP packet, in the range of 1 to 10 seconds.

Usage guidelines

The device sends a gratuitous ARP packet to inform other devices of its MAC address change. However, the other devices might fail to receive the packet because the device sends the gratuitous ARP packet once only by default. Use this command to configure gratuitous ARP retransmission parameters to ensure that the other devices can receive the packet.

After you execute this command, the device will retransmit a gratuitous ARP packet for its MAC address change at the specified interval for the specified number of times.

Examples

# Set the number of retransmissions to 3 and the retransmission interval to 5 seconds for the gratuitous ARP packet sent for the device MAC address change.

<Sysname> system-view

[Sysname] gratuitous-arp mac-change retransmit 3 interval 5

gratuitous-arp-learning enable

Use gratuitous-arp-learning enable to enable learning of gratuitous ARP packets.

Use undo gratuitous-arp-learning enable to disable learning of gratuitous ARP packets.

Syntax

gratuitous-arp-learning enable

undo gratuitous-arp-learning enable

Default

Learning of gratuitous ARP packets is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The learning of gratuitous ARP packets feature allows a device to maintain its ARP table by creating or updating ARP entries based on received gratuitous ARP packets.

When this feature is disabled, the device uses received gratuitous ARP packets to update existing ARP entries only. ARP entries are not created based on the received gratuitous ARP packets, which saves ARP table space.

Examples

# Enable learning of gratuitous ARP packets.

<Sysname> system-view

[Sysname] gratuitous-arp-learning enable

gratuitous-arp-sending enable

Use gratuitous-arp-sending enable to enable sending gratuitous ARP packets upon receiving ARP requests whose sender IP address is on a different subnet.

Use undo gratuitous-arp-sending enable to disable sending gratuitous ARP packets upon receiving ARP requests whose sender IP address is on a different subnet.

Syntax

gratuitous-arp-sending enable

undo gratuitous-arp-sending enable

Default

A device does not send gratuitous ARP packets when it receives ARP requests whose sender IP address is on a different subnet.

Views

System view

Predefined user roles

network-admin

Examples

# Disable a device from sending gratuitous ARP packets upon receiving ARP requests whose sender IP address is on a different subnet.

<Sysname> system-view

[Sysname] undo gratuitous-arp-sending enable


Proxy ARP commands

display local-proxy-arp

Use display local-proxy-arp to display the local proxy ARP status.

Syntax

display local-proxy-arp [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the local proxy ARP status for all interfaces.

Usage guidelines

You can use this command to check whether local proxy ARP is enabled or disabled.

Examples

# Display the local proxy ARP status for VLAN-interface 2.

<Sysname> display local-proxy-arp interface vlan-interface 2

Interface Vlan-interface2

 Local Proxy ARP status: enabled

Related commands

local-proxy-arp enable

display proxy-arp

Use display proxy-arp to display the proxy ARP status.

Syntax

display proxy-arp [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the proxy ARP status for all interfaces.

Usage guidelines

You can use this command to check whether proxy ARP is enabled or disabled.

Examples

# Display the proxy ARP status on VLAN-interface 2.

<Sysname> display proxy-arp interface vlan-interface 2

Interface Vlan-interface2

 Proxy ARP status: disabled

Related commands

proxy-arp enable

display proxy-arp statistics

Use display proxy-arp statistics to display statistics about proxy ARP reply packets.

Syntax

display proxy-arp statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command displays the proxy ARP reply statistics for the most recent minute on a per-second basis and the statistics from before the most recent minute on a five-minute basis. The device can display the proxy ARP reply statistics for the most recent hour.

Examples

# Display proxy ARP reply statistics.

<Sysname> display proxy-arp statistics

Last 1 sec proxy count: 200

Last 2 sec proxy count: 400

...

Last 1 min proxy count: 12000

Last 5 min proxy count: 18000

Last 10 min proxy count: 24000

...

Last 60 min proxy count: 182445

Table 5 Command output

Field

Description

Last n sec proxy count:

Number of proxy ARP reply packets within the most recent nth second.

Last n min proxy count:

Number of proxy ARP reply packets within the most recent nth minute.

 

local-proxy-arp enable

Use local-proxy-arp enable to enable local proxy ARP.

Use undo local-proxy-arp enable to disable local proxy ARP.

Syntax

local-proxy-arp enable [ ip-range start-ip-address to end-ip-address ]

undo local-proxy-arp enable

Default

Local proxy ARP is disabled.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VXLAN VSI interface view

VLAN interface view

Predefined user roles

network-admin

Parameters

ip-range start-ip-address to end-ip-address: Specifies the IP address range for which local proxy ARP is enabled. The start IP address must be lower than or equal to the end IP address.

Usage guidelines

Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts in different broadcast domains can communicate with each other as they do on the same network.

Proxy ARP includes common proxy ARP and local proxy ARP.

Common proxy ARP allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.

Local proxy ARP allows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable local proxy ARP on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] local-proxy-arp enable

# Enable local proxy ARP on VLAN-interface 2 for an IP address range.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] local-proxy-arp enable ip-range 1.1.1.1 to 1.1.1.20

Related commands

display local-proxy-arp

proxy-arp enable

Use proxy-arp enable to enable proxy ARP.

Use undo proxy-arp enable to disable proxy ARP.

Syntax

proxy-arp enable

undo proxy-arp enable

Default

Proxy ARP is disabled.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VXLAN VSI interface view

VLAN interface view

Predefined user roles

network-admin

Usage guidelines

Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts in different broadcast domains can communicate with each other as they do on the same network.

Proxy ARP includes common proxy ARP and local proxy ARP.

Common proxy ARP allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.

Local proxy ARP allows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

Examples

# Enable proxy ARP on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] proxy-arp enable

Related commands

display proxy-arp


ARP snooping commands

arp snooping enable

Use arp snooping enable to enable ARP snooping.

Use undo arp snooping enable to disable ARP snooping.

Syntax

arp snooping enable

undo arp snooping enable

Default

ARP snooping is disabled.

Views

VLAN view

VSI view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

On a Layer 2 switching network, if the device receives a large number of ARP requests and broadcasts them, the network will have a large number of ARP requests. This causes network congestion and affects normal service operation. To resolve the issue, enable ARP snooping.

Operating mechanism

ARP snooping listens to ARP packets and then establishes ARP snooping entries based on them. The ARP snooping entries are used for ARP fast reply and MAC-Forced Forwarding (MFF). For more information about MFF, see Security Configuration Guide.

Restrictions and guidelines

If you associate a VLAN with a VXLAN, ARP snooping does not take effect when you enable both ARP snooping and ARP flood suppression in the VLAN. For more information about configuring ARP flood suppression in a VLAN, see VLAN configuration in Layer 2—LAN Switching Configuration Guide.

Examples

# Enable ARP snooping for VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp snooping enable

# Enable ARP snooping for VSI vsi1.

<Sysname> system-view

[Sysname] vsi vsi1

[Sysname-vsi-vsi1] arp snooping enable

arp snooping uplink

Use arp snooping uplink to configure an interface as an uplink interface to disable it from learning ARP snooping entries.

Use undo arp snooping uplink to restore the default.

Syntax

arp snooping uplink

undo arp snooping uplink

Default

An interface is not an uplink interface for ARP snooping. After you enable ARP snooping, the interface learns ARP snooping entries.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

After you enable ARP snooping on an access device by using the arp snooping enable command, the access device will generate ARP snooping entries by listening to ARP packets. On a network where the aggregate device acts as the gateway, if you enable local proxy ARP on the gateway by using the local-proxy-arp enable command, the uplink interface of the access device will also learn ARP snooping entries. As a result, the input interface of an ARP snooping entry flaps between the uplink and downlink interfaces. To avoid such an issue, you can configure this feature on the access device.

After you configure this feature on an access device enabled with ARP snooping, the uplink interface no longer learns ARP snooping entries from incoming ARP packets.

Examples

# Configure Layer 2 Ethernet interface Ten-GigabitEthernet 1/0/1 as an uplink interface to disable it from learning ARP snooping entries.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] arp snooping uplink

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as an uplink interface to disable it from learning ARP snooping entries.

<Sysname> system-view

[Sysname] interface bridge-aggregation 1

[Sysname-Bridge-Aggregation1] arp snooping uplink

Related commands

arp snooping enable

display arp snooping

Use display arp snooping to display ARP snooping entries.

Syntax

display arp snooping { interface [ interface-type interface-number ] | vlan [ vlan-id ] | vsi [ vsi-name ] } [ slot slot-number ] [ count ]

display arp snooping { interface | vlan } ip ip-address [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface: Displays ARP snooping entries for an interface.

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays ARP snooping entries for both Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

vlan: Displays ARP snooping entries for a VLAN.

vlan-id: Specifies a VLAN ID in the range of 1 to 4094. If you do not specify a VLAN, this command displays ARP snooping entries for all VLANs.

vsi: Displays ARP snooping entries for a VSI.

vsi-name: Specifies a VSI name, a case-sensitive string of 1 to 31 characters. If you do not specify a VSI, this command displays ARP snooping entries for all VSIs.

count: Displays the number of the ARP snooping entries. If you do not specify this keyword, the command displays ARP snooping entries.

ip ip-address: Displays the ARP snooping entry for the specified IP address of an interface or in a VLAN.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ARP snooping entries for the master device.

Examples

# Display ARP snooping entries for VLAN 2.

<Sysname> display arp snooping vlan 2

IP address      MAC address    VLAN ID Interface  Aging       Status

3.3.3.3         0003-0003-0003 2       XGE1/0/1   20          Valid

3.3.3.4         0004-0004-0004 2       XGE1/0/2   5           Invalid

# Display ARP snooping entries for all VSIs.

<Sysname> display arp snooping vsi

IP address      MAC address    VSI name                    Link ID    Aging(min)

1.1.1.2         000f-e201-0101 vsi1                        0x70000    14

1.1.1.3         000f-e201-0202 vsi1                        0x80000    18

1.1.1.4         000f-e201-0203 vsi2                        0x90000    10

# Display the ARP snooping entry for IP address 1.1.1.1 in a VLAN.

<Sysname> display arp snooping vlan ip 1.1.1.1

IP address      MAC address    VLAN ID Interface  Aging       Status

1.1.1.1         001f-e201-0111 2       XGE1/0/1   15          Valid

# Display the number of ARP snooping entries in all VSIs.

<Sysname> display arp snooping vsi count

Total entries: 3

Table 6 Command output

Field: Description

IP address: IP address in an ARP snooping entry.

MAC address: MAC address in an ARP snooping entry.

VLAN ID: ID of the VLAN to which the ARP snooping entry belongs.

Interface: Input interface in an ARP snooping entry.

Aging: Aging time for an ARP snooping entry in minutes. If the card learns an ARP snooping entry from another card, the card cannot learn the aging time of the entry, and this field displays N/A.

Status: Status of an ARP snooping entry: Valid, Invalid, Collision.

VSI name: Name of the VSI to which the ARP snooping entry belongs.

Link ID: Link ID in an ARP snooping entry.

Total entries: Number of ARP snooping entries.

Related commands

reset arp snooping
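The following is an added example, not part of the H3C reference: a Python sketch that parses two saved captures of display arp snooping output in the VLAN/interface column layout shown above, lists entries whose Status is not Valid, and reports IP addresses whose MAC address or input interface changed between captures. The function names and all sample rows other than the 3.3.3.3 and 3.3.3.4 rows are assumptions made for illustration; the VSI layout (VSI name, Link ID) is not handled.

```python
import re

# Constructed captures in the column layout of the VLAN example above.
# The first two rows of BASELINE are the page's; all other rows are constructed.
BASELINE = """\
<Sysname> display arp snooping vlan 2
IP address      MAC address    VLAN ID Interface  Aging       Status
3.3.3.3         0003-0003-0003 2       XGE1/0/1   20          Valid
3.3.3.4         0004-0004-0004 2       XGE1/0/2   5           Invalid
3.3.3.6         0006-0006-0006 2       XGE1/0/1   12          Valid
"""

CURRENT = """\
<Sysname> display arp snooping vlan 2
IP address      MAC address    VLAN ID Interface  Aging       Status
3.3.3.3         0003-0003-0003 2       XGE1/0/1   18          Valid
3.3.3.5         0005-0005-0005 2       XGE1/0/3   N/A         Collision
3.3.3.6         00aa-00aa-00aa 2       XGE1/0/2   25          Valid
"""

# One entry row: IP, MAC in H-H-H form, VLAN ID, interface, aging, status.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})\s+"
    r"(?P<vlan>\d+)\s+(?P<interface>\S+)\s+"
    r"(?P<aging>\d+|N/A)\s+(?P<status>Valid|Invalid|Collision)\s*$"
)


def parse_arp_snooping(text):
    """Map (vlan, ip) -> entry dict; prompt, header and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue
        e = m.groupdict()
        e["vlan"] = int(e["vlan"])
        # Aging is in minutes, or N/A when the entry was learned from another card.
        e["aging"] = None if e["aging"] == "N/A" else int(e["aging"])
        e["mac"] = e["mac"].lower()
        table[(e["vlan"], e["ip"])] = e
    return table


def review(baseline, current):
    """Return (not_valid, moved): entries in `current` that need a manual check."""
    not_valid = sorted(
        (e["ip"], e["status"]) for e in current.values() if e["status"] != "Valid"
    )
    moved = []
    for key, new in sorted(current.items()):
        old = baseline.get(key)
        if old and (old["mac"], old["interface"]) != (new["mac"], new["interface"]):
            moved.append(
                (new["ip"], old["mac"], new["mac"], old["interface"], new["interface"])
            )
    return not_valid, moved


if __name__ == "__main__":
    not_valid, moved = review(parse_arp_snooping(BASELINE), parse_arp_snooping(CURRENT))
    for ip, status in not_valid:
        print(f"{ip}: status {status}")
    for ip, old_mac, new_mac, old_if, new_if in moved:
        print(f"{ip}: {old_mac} on {old_if} -> {new_mac} on {new_if}")
```

Take the baseline capture before running reset arp snooping, because the reset deletes the entries the comparison depends on.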

reset arp snooping

Use reset arp snooping to delete ARP snooping entries.

Syntax

reset arp snooping { interface [ interface-type interface-number ] | vlan [ vlan-id ] | vsi [ vsi-name ] }

reset arp snooping { interface | vlan } ip ip-address

Views

User view

Predefined user roles

network-admin

Parameters

interface: Deletes ARP snooping entries for an interface.

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command deletes ARP snooping entries for both Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

vlan: Deletes ARP snooping entries for a VLAN.

vlan-id: Specifies a VLAN ID in the range of 1 to 4094. If you do not specify a VLAN, this command deletes ARP snooping entries for all VLANs.

vsi: Deletes ARP snooping entries for a VSI.

vsi-name: Specifies a VSI name, a case-sensitive string of 1 to 31 characters. If you do not specify a VSI, this command deletes ARP snooping entries for all VSIs.

ip ip-address: Deletes the ARP snooping entry for the specified IP address of an interface or in a VLAN.

Examples

# Delete ARP snooping entries for VLAN 2.

<Sysname> reset arp snooping vlan 2

This command will delete all ARP snooping entries for the specified VLAN. Continue? [Y/N]: y

<Sysname>

Related commands

display arp snooping


ARP direct route advertisement commands

arp route-direct advertise

Use arp route-direct advertise to enable ARP direct route advertisement.

Use undo arp route-direct advertise to disable ARP direct route advertisement.

Syntax

arp route-direct advertise [ preference preference-value | tag tag-value ] *

undo arp route-direct advertise

Default

ARP direct route advertisement is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

preference preference-value: Specifies the preference for the ARP-advertised direct routes. The value range for the preference-value argument is 1 to 255, and the default is 0. The smaller the value, the higher the preference.

tag tag-value: Specifies the route tag for the ARP-advertised direct routes. The value range for the tag-value argument is 1 to 4294967295, and the default is 0.

Usage guidelines

Operating mechanism

If ARP direct route advertisement is configured, ARP advertises ARP entries to the route management module to generate direct routes with an optional preference or route tag.

If you execute this command multiple times, the most recent configuration takes effect.

Restrictions and guidelines

The arp route-direct advertise command is mutually exclusive with the arp route-direct advertise mad-down-single-homed command. If you execute both of them, the most recent command takes effect.

Examples

# Enable ARP direct route advertisement on VLAN-interface 10.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] arp route-direct advertise

Related commands

display arp route-direct advertise

arp route-direct advertise delay

Use arp route-direct advertise delay to set a delay for generating direct routes based on ARP entries.

Use undo arp route-direct advertise delay to restore the default.

Syntax

arp route-direct advertise delay delay-time

undo arp route-direct advertise delay

Default

The device generates a direct route immediately after an ARP entry is learned on an interface enabled with ARP direct route advertisement.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VLAN interface view

VSI interface view

Predefined user roles

network-admin

Parameters

delay-time: Specifies the delay for ARP-based generation of direct routes. The value range is 0 to 3600 seconds.

Usage guidelines

Application scenarios

After you enable ARP direct route advertisement on an interface by using the arp route-direct advertise command, the device generates direct routes and adjacency table entries based on ARP entries learned on that interface. If the direct routes are generated before the adjacency table entries for them, temporary packet loss will occur due to lack of Layer 2 information for packet encapsulation. To avoid such an issue, use this command to set a route generation delay for ARP direct route advertisement on the interface.

Operating mechanism

After you enable ARP direct route advertisement and set a route generation delay for it on an interface, a delay timer starts when an ARP entry is learned on that interface.

If the configuration for ARP direct route advertisement is modified before the delay time expires, the device advertises the direct route based on the new settings when the timer expires.

If you change the delay setting after a delay timer starts for an ARP entry, the new setting takes effect. However, the timer does not reset.

·     If the timer count is equal to or higher than the new delay setting, the device generates a direct route based on the ARP entry.

·     If the timer count is lower than the new delay setting, the device generates a direct route based on the ARP entry when the timer count reaches the new delay setting.

Restrictions and guidelines

You can enable ARP direct route advertisement and set a delay for ARP-based generation of direct routes in any order. If you set the delay first and then enable ARP direct route advertisement, the device generates a direct route based on the ARP entry when the delay time is reached.

Examples

# Set a route generation delay for ARP direct route advertisement on VLAN-interface 10.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] arp route-direct advertise delay 200

Related commands

arp route-direct advertise

arp route-direct advertise mad-down-single-homed

Use arp route-direct advertise mad-down-single-homed to enable ARP direct route advertisement for single-homing interfaces in M-LAG MAD DOWN state.

Use undo arp route-direct advertise mad-down-single-homed to disable ARP direct route advertisement for single-homing interfaces in M-LAG MAD DOWN state.

Syntax

arp route-direct advertise mad-down-single-homed

undo arp route-direct advertise mad-down-single-homed

Default

ARP direct route advertisement is disabled for single-homing interfaces in M-LAG MAD DOWN state.

Views

VLAN interface view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

If the peer link of an M-LAG system fails, M-LAG Multi-Active Detection (MAD) will shut down all interfaces on the secondary member device upon M-LAG system split, except for the interfaces excluded from the shutdown action by IRF MAD or M-LAG MAD. An interface in M-LAG MAD DOWN state cannot forward traffic. As a result, traffic cannot be forwarded for the devices single-homed to the secondary member device. To ensure traffic forwarding for single-homed devices, enable ARP direct route advertisement for single-homing interfaces in M-LAG MAD DOWN state.

Operating mechanism

ARP direct route advertisement for single-homing interfaces in M-LAG MAD DOWN state ensures traffic forwarding for single-homed devices. When the peer link fails, the ARP module on the secondary member device will send ARP entries to the routing management module, and the routing management module will generate direct routes based on the ARP entries. The direct routes are used to direct traffic forwarding or are advertised by routing protocols to the single-homed devices.

If you execute this command multiple times, the most recent configuration takes effect.

Restrictions and guidelines

The arp route-direct advertise mad-down-single-homed and arp route-direct advertise commands are mutually exclusive. If you execute both of them, the most recent command takes effect.

Examples

# On VLAN-interface 10, enable ARP direct route advertisement for single-homing interfaces in M-LAG MAD DOWN state.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] arp route-direct advertise mad-down-single-homed

display arp route-direct advertise

Use display arp route-direct advertise to display information about ARP direct route advertisement.

Syntax

display arp route-direct advertise interface interface-type interface-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. Make sure you specify the interface where ARP direct route advertisement is enabled.

Usage guidelines

When ARP direct route advertisement is enabled, the device generates direct routes based on ARP entries for packet forwarding and route advertisement. You can use this command to check whether the route management module has generated direct routes for ARP entries.

If the Route field displays Unknown, the route management module is busy and the ARP module does not know whether a direct route has been generated for the entry. As a best practice, execute this command later.

Examples

# Display ARP-advertised direct route information on VLAN-interface 10.

<Sysname> display arp route-direct advertise interface vlan-interface 10

IP address      MAC address    VLAN/VSI   Interface       Route

1.1.1.1         02e0-f102-0023 1          Vlan10          Yes

1.1.1.2         00e0-fc00-0001 12         Vlan10          No

Table 7 Command output

Field: Description

IP address: IP address in the ARP entry.

MAC address: MAC address in the ARP entry.

VLAN/VSI: ID of the VLAN or index of the VSI to which the ARP entry belongs. This field displays hyphens (--) in either of the following situations:

·     The ARP entry is an unresolved short static ARP entry.

·     The output interface of the ARP entry does not belong to the VLAN or VSI.

Interface: Output interface in the ARP entry.

Route: Whether a direct route is generated or not based on the ARP entry:

·     Unknown—Whether a direct route is generated based on the ARP entry is unknown.

·     Yes—A direct route is generated based on the ARP entry.

·     No—No direct route is generated based on the ARP entry.

Related commands

arp route-direct advertise


Commands for disabling sending ARP requests when data packets trigger ARP resolution

arp fib-miss drop

Use arp fib-miss drop to disable the device from sending ARP requests for ARP learning when data packets trigger ARP resolution.

Use undo arp fib-miss drop to restore the default.

Syntax

arp fib-miss drop

undo arp fib-miss drop

Default

The device sends ARP requests for ARP learning when data packets trigger ARP resolution.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VSI interface view

VLAN interface view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

By default, when the device receives a data packet not destined for it and cannot find a match for the next hop in the ARP table, it performs the following tasks:

1.     Sends an ARP request to obtain the MAC address of the next hop.

2.     Generates an ARP entry based on the obtained MAC address.

A large number of ARP requests consume too many network resources, affecting normal service operation. To resolve the issue, use this feature to disable the device from sending ARP requests for ARP learning when data packets trigger ARP resolution. This suppresses ARP flooding by reducing ARP packets on the network.

Operating mechanism

After you configure this feature on an interface of the device, the device does not send an ARP request for ARP learning in the following conditions:

·     The interface receives a data packet not destined for the device and the next hop for the data packet does not match any ARP entry.

·     The interface sends a data packet that triggers ARP resolution.

Recommended configuration

As a best practice, configure this feature only when the network is attacked by ARP flooding.

Restrictions and guidelines

If you configure this feature on an interface of the device enabled with ARP blackhole routing, the device generates a blackhole route when it receives a data packet that is not destined for it and triggers ARP resolution. Before the blackhole route is deleted, the device does not send an ARP request for ARP learning even if it sends a data packet that triggers ARP resolution. To enable ARP blackhole routing on the device, use the arp resolving-route enable command.

Examples

# On VLAN-interface 100, disable the device from sending ARP requests for ARP learning when data packets trigger ARP resolution.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] arp fib-miss drop


ARP ping commands

ping arp ip

Use ping arp ip to test whether an IPv4 address in a LAN is being used by sending ARP requests.

Syntax

ping arp ip host [ interface interface-type interface-number [ vlan vlan-id ] ] [ timeout timeout ] [ count count ]

Views

Any view

Predefined user roles

network-admin

Parameters

host: Specifies the IP address or host name of the destination. The host name is a case-insensitive string of 1 to 253 characters. It can contain letters, digits, hyphens (-), underscores (_), and dots (.).

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, the device uses the outgoing interface of the route to send ARP requests.

vlan vlan-id: Specifies a VLAN by its VLAN ID. The VLAN ID is in the range of 1 to 4094.

timeout timeout: Specifies the wait time for an ARP reply, in the range of 1 to 10 seconds. The default wait time is 3 seconds.

count count: Specifies the maximum number of ARP requests to be sent, in the range of 1 to 4294967295. The default maximum number is 5.

Usage guidelines

This command tests whether an IPv4 address in a LAN is being used by sending ARP requests. After the device sends an ARP request to an IPv4 address, if it receives an ARP reply within the wait time, it determines that the IP address is being used. If an ARP reply is not received within the wait time, the device sends another ARP request. After the device sends the maximum number of ARP requests but no ARP reply is received, the device stops sending ARP requests and regards the IPv4 address as an unused address.

Compared with the ping command, the ping arp ip command avoids a wrong result when the destination host is enabled with a firewall that blocks ICMP packets. In addition, it consumes fewer network resources because an ARP request is shorter than an ICMP packet.

To execute the ping arp ip command by specifying the destination host name, configure the DNS feature first. For more information about DNS, see "Configuring DNS."

If multiple devices exist on the LAN, executing this command will take some time. To stop an ongoing test, press Ctrl + C.

Examples

# Test whether IP address 1.1.1.3 is being used in the LAN by sending ARP requests. (The IP address is in use.)

<Sysname> ping arp ip 1.1.1.3

1.1.1.3 is used by 0003-0003-0003.

# Test whether IP address 1.1.1.3 is being used in the LAN by sending ARP requests. (The IP address is not used.)

<Sysname> ping arp ip 1.1.1.3

The IP address is not used by anyone.

ping arp mac

Use ping arp mac to test whether a MAC address exists in a specified network or to view its corresponding IPv4 address.

Syntax

ping arp mac mac-address { interface interface-type interface-number | ip ipv4-address [ vpn-instance vpn-instance-name ] } [ timeout timeout ] [ count count ]

Views

Any view

Predefined user roles

network-admin

Parameters

mac-address: Specifies the target MAC address in the format of H-H-H. When entering a MAC address, you can omit the leading zeros in each H section. For example, enter f-e2-1 for 000f-00e2-0001. The MAC address cannot be a multicast address, broadcast address, or virtual MAC address of the device.

interface interface-type interface-number: Specifies the outgoing interface for sending the ICMP echo requests by its type and number.

ip ipv4-address: Specifies the target IPv4 network address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To specify a MAC address on the public network, do not specify this option.

timeout timeout: Specifies the wait time for an ICMP echo reply, in the range of 1 to 10 seconds. The default wait time is 3 seconds.

count count: Specifies the maximum number of ICMP echo requests to be sent, in the range of 1 to 4294967295. The default maximum number is 5.

Usage guidelines

Application scenarios

To obtain the corresponding IPv4 address of a MAC address, use this command to broadcast Layer 3 ICMP packets.

Operating mechanism

The device retransmits an ICMP echo request if it has failed to receive an ICMP echo reply within the wait time. The device stops sending ICMP echo requests and determines that the MAC address is not on the network after it has sent the maximum number of requests without receiving a reply.

Restrictions and guidelines

To receive an ICMP echo reply after you execute this command, make sure the peer interface can forward directed broadcast packets destined for the directly connected network. To enable an interface to forward directed broadcast packets destined for the directly connected network on an H3C device, execute the ip forward-broadcast command in the view of that interface.

If multiple devices exist in the network, executing this command will take some time. To stop an ongoing test, press Ctrl + C.

Examples

# Test whether MAC address 0003-0003-0003 exists in the network where Ten-GigabitEthernet1/0/1 resides.

<Sysname> ping arp mac 0003-0003-0003 interface ten-gigabitethernet 1/0/1

ARP-Ping MAC statistics:                                        

  1 packet(s) transmitted                                                     

  1 packet(s) received                                                       

  IP address                MAC address                                      

  1.1.1.3                   0003-0003-0003

# Test whether MAC address 0003-0003-0003 exists in network 1.1.1.0.

<Sysname> ping arp mac 0003-0003-0003 ip 1.1.1.0

ARP-Ping MAC statistics:                                        

  5 packet(s) transmitted                                                    

  0 packet(s) received                                                       

  MAC[0003-0003-0003] not in use
