R3166-R3206-HP High-End Firewalls Attack Protection Configuration Guide-6PW101

Select the checkbox before dynamic ARP entries, and click Fix to convert the selected ARP entry to
a static ARP entry.
Select the checkbox before static ARP entries, and click Del Fixed to delete the selected static ARP
entry. If you select a dynamic one and click Del Fixed, the entry will not be deleted.
Configuring fixed ARP in the CLI
Follow these steps to configure fixed ARP:
To do…               Use the command…     Remarks
Enter system view    system-view          -
Enable fixed ARP     arp fixup            Optional
NOTE:
Fixed ARP changes dynamic ARP entries into static only when these entries are learnt on a Layer 3
Ethernet interface, Layer 3 Ethernet subinterface, or VLAN interface.
The static ARP entries changed from dynamic ARP entries have the same attributes as the static ARP
entries manually configured. Use the arp fixup command to change the recently created dynamic ARP
entries into static.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static
ARP entries that the firewall supports. As a result, the firewall may fail to change all dynamic ARP entries
into static.
To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address
[ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp
static command.
ARP attack protection configuration example
Network requirements
Host A and Host B connect to Firewall A through Layer-2 access switch Switch B.
On interface GigabitEthernet 0/3 of Firewall A, configure periodic sending of gratuitous ARP
packets, ARP automatic scanning, and fixed ARP.