R3166-R3206-HP High-End Firewalls Network Management Configuration Guide-6PW101

| To do… | Use the command… | Remarks |
|---|---|---|
| Set the aging time for dynamic ARP entries | arp timer aging aging-time | Optional. 20 minutes by default. |
Enabling the ARP entry check
The ARP entry check function prevents the device from learning multicast MAC addresses. With the ARP
entry check enabled, the device cannot learn any ARP entry with a multicast MAC address, and
configuring such a static ARP entry is not allowed; if you try, the system displays error messages.
After the ARP entry check is disabled, the device can learn ARP entries with a multicast MAC address,
and you can also configure such static ARP entries on the device.
Follow these steps to enable the ARP entry check:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the ARP entry check | arp check enable | Optional. By default, the device is disabled from learning multicast MAC addresses. |
Enabling the support for ARP requests from a natural network
When learning MAC addresses, if the device finds that the source IP address of an ARP packet and the
IP address of the inbound interface are not on the same subnet, the device further checks whether
these two IP addresses are on the same natural network.
Suppose that the IP address of VLAN-interface 10 is 10.10.10.5/24 and that this interface receives an
ARP packet from 10.11.11.1/8. Because these two IP addresses are not on the same subnet,
VLAN-interface 10 cannot process the packet. With this feature enabled, the device makes the decision
on a natural network basis. Because the IP address of VLAN-interface 10 is a Class A address and its
default mask length is 8, these two IP addresses are on the same natural network. In this way,
VLAN-interface 10 can learn the MAC address corresponding to the source IP address 10.11.11.1.
Follow these steps to enable the support for ARP requests from a natural network:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the support for ARP requests from a natural network | naturemask-arp enable | Required. Disabled by default. |
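The learning decision described in the two sections above (ARP entry check and natural-network support), modelled as an added Python example. It is not HP's code: the function names, the reason strings and the sample multicast MAC 0100-5e00-0001 are constructed for illustration, and MAC addresses are assumed to be written in the H-H-H form used in this guide.

```python
import ipaddress

def is_multicast_mac(mac):
    """True when the group bit (least significant bit of the first octet) is set."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    return bool(int(digits[:2], 16) & 0x01)

def natural_prefix_len(ip):
    """Classful default mask length: A=8, B=16, C=24; None for class D/E."""
    first = int(ip) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    return None

def should_learn(iface_cidr, sender_ip, sender_mac,
                 arp_check=True, naturemask_arp=False):
    """Return (learn, reason) for an ARP packet received on an interface.

    arp_check models 'arp check enable'; naturemask_arp models
    'naturemask-arp enable'. Both are a model of the text, not device code.
    """
    iface = ipaddress.ip_interface(iface_cidr)
    src = ipaddress.ip_address(sender_ip)
    if arp_check and is_multicast_mac(sender_mac):
        return False, "multicast MAC rejected by ARP entry check"
    if src in iface.network:
        return True, "same subnet"
    if naturemask_arp:
        plen = natural_prefix_len(iface.ip)
        if plen is not None:
            # Natural network is derived from the interface address class.
            natural = ipaddress.ip_network(f"{iface.ip}/{plen}", strict=False)
            if src in natural:
                return True, "same natural network"
    return False, "different subnet"

if __name__ == "__main__":
    # The guide's example: VLAN-interface 10 is 10.10.10.5/24, sender 10.11.11.1
    for enabled in (False, True):
        print(enabled, should_learn("10.10.10.5/24", "10.11.11.1",
                                    "00e0-fc01-0000", naturemask_arp=enabled))
```

In the guide's example, enabling naturemask-arp means VLAN-interface 10 accepts ARP senders from all of 10.0.0.0/8 rather than only 10.10.10.0/24.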
ARP configuration example
1. Network requirements
As shown in Figure 104, hosts are connected to Firewall, which is connected to Router through interface
GigabitEthernet 0/0 belonging to VLAN 10. The IP address of Router is 192.168.1.1/24. The MAC
address of Router is 00e0-fc01-0000.
To enhance communication security for Router and Firewall, static ARP entries are configured on Firewall.