R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide
Configuring ARP snooping
NOTE:
The ARP snooping feature is supported only when SAP modules operate in bridge mode.
Overview
ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information
in ARP packets.
If ARP snooping is enabled on a VLAN, ARP packets received by the interfaces of the VLAN are
redirected to the CPU. The CPU uses the sender IP and MAC addresses in the ARP packets, together with
the receiving VLAN and port, to create ARP snooping entries.
The aging time and valid period of an ARP snooping entry are 25 minutes and 15 minutes, respectively.
If an ARP snooping entry is not updated within 15 minutes, it becomes invalid and cannot be used. After
that, if an ARP packet matching the entry is received, the entry becomes valid again, and its aging timer
restarts. If the aging timer of an ARP snooping entry expires, the entry is removed.
If the ARP snooping device receives an ARP packet that has the same sender IP address as a valid ARP
snooping entry but a different sender MAC address, it considers that an attack has occurred. The ARP
snooping entry becomes invalid and is removed after 25 minutes.
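The entry lifecycle described above, modeled as an added Python example (not HP's implementation and not code from this guide). Assumptions: a matching packet on a valid entry restarts both timers, a conflict-flagged entry stays invalid until it is removed 25 minutes after the conflict, and a mismatched MAC against an already invalid entry is ignored; the class and method names are hypothetical.

```python
from dataclasses import dataclass

VALID_PERIOD = 15 * 60   # seconds an entry stays usable without an update
AGING_TIME = 25 * 60     # seconds until an un-updated entry is removed

@dataclass
class Entry:
    mac: str
    port: str
    updated: float          # time of the last matching packet, or of the conflict
    conflict: bool = False  # set when a different MAC claimed this IP

class ArpSnoopTable:
    def __init__(self):
        self.entries = {}   # (vlan, sender_ip) -> Entry

    def expire(self, now):
        """Remove entries whose aging timer has run out."""
        for key in [k for k, e in self.entries.items() if now - e.updated >= AGING_TIME]:
            del self.entries[key]

    def is_valid(self, vlan, ip, now):
        self.expire(now)
        e = self.entries.get((vlan, ip))
        return e is not None and not e.conflict and now - e.updated < VALID_PERIOD

    def receive(self, now, vlan, port, sender_ip, sender_mac):
        """Process one ARP packet and return the event it caused."""
        self.expire(now)
        key = (vlan, sender_ip)
        e = self.entries.get(key)
        if e is None:
            self.entries[key] = Entry(sender_mac, port, now)
            return "created"
        if e.conflict:
            return "ignored"            # assumption: flagged entries wait for removal
        was_valid = now - e.updated < VALID_PERIOD
        if e.mac == sender_mac:
            e.updated = now             # aging timer restarts
            return "refreshed" if was_valid else "revalidated"
        if was_valid:                   # same IP, different MAC, valid entry
            e.conflict, e.updated = True, now
            return "attack"
        return "ignored"                # assumption: the guide does not define this case

if __name__ == "__main__":
    t = ArpSnoopTable()                 # constructed sample traffic, times in seconds
    for now, mac in [(0, "0001-0001-0001"), (960, "0001-0001-0001"), (1200, "0002-0002-0002")]:
        print(now, mac, t.receive(now, 10, "GE1/0/1", "192.0.2.10", mac))
```
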
Configuration procedure
To enable ARP snooping for a VLAN:
Step                       Command                Remarks
1. Enter system view.      system-view            N/A
2. Enter VLAN view.        vlan vlan-id           N/A
3. Enable ARP snooping.    arp-snooping enable    Disabled by default.
Displaying and maintaining ARP snooping
Task                             Command                                                                                                         Remarks
Display ARP snooping entries.    display arp-snooping [ ip ip-address | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]    Available in any view.
Remove ARP snooping entries.     reset arp-snooping [ ip ip-address | vlan vlan-id ]                                                             Available in user view.