# ARP/ND Configuration Guide
## ARP

### Introduction

ARP (Address Resolution Protocol) is a protocol for obtaining MAC addresses from IP addresses. The host broadcasts an ARP request containing the target IP address to all hosts on the local area network and receives a reply, which identifies the physical address of the target. When the reply arrives, the IP address and physical address are stored in the local ARP cache and retained for a certain period; the next request for the same address is answered directly from the ARP cache, which saves resources.

### Basic concepts

#### Dynamic ARP

Dynamic ARP table entries are generated and maintained automatically by the ARP protocol through ARP packets. They can be aged out and updated, and they can be overwritten by static ARP table entries. When the aging time is reached or the interface goes down, the corresponding dynamic ARP table entry is deleted.

#### Static ARP

Static ARP table entries are configured and maintained manually; they are not aged out and are not overwritten by dynamic ARP table entries. Configuring static ARP table entries can increase the security of communication. When the network resources of the deployment are abundant enough, you can choose to deploy static ARP and fix the mapping between IP addresses and MAC addresses.

#### ARP proxy

If hosts belong to the same subnet but are not on the same physical network, and the gateway devices connected to the hosts have different gateway addresses, then for the hosts to communicate with each other ARP proxy must be enabled on the switch interfaces connected to the hosts. When ARP proxy is enabled, the switch responds to ARP requests for IP addresses within the same subnet using its own MAC address.

### ARP configuration

#### ARP default setting

The default settings of ARP are shown in the table below.

Table 1 ARP default setting

#### Configure static ARP

Configuring static ARP table entries protects the ARP table from being overwritten, but the configuration effort is high and it is not suitable for network environments where host IP addresses may change; it is recommended for smaller networks.

Table 2 Configure static ARP

#### Configure global ARP timeout

Table 3 Configure global ARP timeout

#### Configure ARP timeout for interface

Table 4 Configure ARP timeout for interface

#### Configure ARP probe parameters

Table 5 Configure global ARP probe parameters

#### Configure ARP probe parameters for interface

Table 6 Configure ARP probe parameters for interface

#### Configure ARP to host route

Enabling ARP-to-host-route translation converts ARP table entries learned by the ToR device into host routes that can be propagated to other devices via BGP. Users can configure ARP-to-host-route translation policies. This series provides two levels of conversion policy.

Level 1: port policy. The action of a port policy is permit, deny or pass. The default policy for all ports must be configured first, and then the special policies. If the incoming port matches a configured interface, the special policy is used; if it does not match, the default policy is used. If the resulting policy is permit or deny, the conversion is performed or not performed directly, without evaluating the next-level network policy; if the policy is pass, the next-level network policy decides whether to convert.

Level 2: network policy. The action of a network policy is permit or deny. The default network policy must be configured first, and then the special policies. If the neighbor IP matches a configured network, the special policy is used; if not, the default policy is used.

Table 7 Configure ARP to host route

#### Configure ARP proxy

ARP proxy has two modes.

Default mode: when the switch receives an ARP request from the same network segment, it replies with the gateway's MAC address.

EVPN mode: this mode is used in EVPN scenarios to enable Layer 3 communication between hosts under different VTEPs. When ARP proxy is enabled on the gateway VLAN, the switch replies to ARP requests from the same network segment with the actual MAC address of the host.

Table 8 Configure ARP proxy
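The two-level ARP-to-host-route policy described above (port policy first, then network policy only on pass), as an added example that is not code from the guide or the switch: a Python model of the evaluation order. Class and method names are this example's own, the default actions are supplied by the caller, and the longest-prefix tie-break between overlapping special networks is an assumption. The same logic serves the ND-to-host-route section, since the guide states that ND shares the ARP-to-host-route commands.

```python
from ipaddress import ip_address, ip_network


class HostRoutePolicy:
    """Two-level ARP/ND-to-host-route conversion policy (model, not the product's API)."""

    PORT_ACTIONS = ("permit", "deny", "pass")
    NETWORK_ACTIONS = ("permit", "deny")

    def __init__(self, default_port, default_network):
        # The guide requires the default policy of each level before any special
        # policy, so both defaults are mandatory constructor arguments here.
        self.default_port = self._check(default_port, self.PORT_ACTIONS)
        self.default_network = self._check(default_network, self.NETWORK_ACTIONS)
        self.port_rules = {}     # interface name -> special port policy
        self.network_rules = []  # (prefix, special network policy)

    @staticmethod
    def _check(action, allowed):
        if action not in allowed:
            raise ValueError(f"action {action!r} must be one of {allowed}")
        return action

    def set_port(self, interface, action):
        """Special port policy for one incoming interface."""
        self.port_rules[interface] = self._check(action, self.PORT_ACTIONS)

    def set_network(self, prefix, action):
        """Special network policy for one IPv4 or IPv6 prefix."""
        rule = (ip_network(prefix), self._check(action, self.NETWORK_ACTIONS))
        self.network_rules.append(rule)
        # Assumption: if several special networks contain the neighbor, the
        # longest prefix wins; the guide does not state a tie-break.
        self.network_rules.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def convert(self, interface, neighbor_ip):
        """Decide whether the ARP/ND entry (interface, neighbor_ip) becomes a host route.

        Returns (convert: bool, reason: str).
        """
        # Level 1, port policy: a matching interface uses its special policy,
        # any other interface uses the default port policy.
        action = self.port_rules.get(interface, self.default_port)
        if action != "pass":
            # permit/deny decide directly; the network policy is not consulted.
            return action == "permit", f"port policy {action}"
        # Level 2, network policy: reached only when the port policy is pass.
        addr = ip_address(neighbor_ip)
        for net, net_action in self.network_rules:
            if addr.version == net.version and addr in net:
                return net_action == "permit", f"network policy {net_action} ({net})"
        return self.default_network == "permit", f"default network policy {self.default_network}"
```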
#### Configure extended ARP proxy

There are two extended features for ARP proxy.

ARP active detection: this feature is enabled in Layer 2 networks where silent terminals (terminals that do not actively send ARP packets) are present. When it is active, if the switch receives an ARP request whose target IP belongs to the same network segment, the switch actively sends an ARP request to probe for the target.

ARP reply packet learning: by default, the switch learns source IPs only from ARP request packets. When this feature is enabled, on receiving an ARP reply packet the switch adds its source IP to the dynamic ARP table.

Table 9 Configure extended ARP proxy

#### Disable ARP flooding

Disabling ARP flooding is applicable in scenarios that demand high performance, low latency or enhanced security. For instance, in large-scale virtualized environments the frequent migration of virtual machines can result in a surge of ARP requests across the network; without proper control, ARP flooding can trigger broadcast storms, increasing network load and degrading performance. In VXLAN overlay networks, ARP flooding can also spread unnecessary traffic and reduce bandwidth efficiency. By activating the ARP proxy feature and disabling ARP flooding, switches handle ARP requests directly, which significantly reduces broadcast traffic. Disabling ARP flooding also helps mitigate ARP spoofing attacks, strengthening network security.

Table 10 Disable ARP flooding

#### Display and maintenance

Table 11 ARP display and maintenance

### Typical configuration example

#### Configure ARP proxy

Networking requirements: two users on the same subnet are isolated into two different physical networks by different physical routers. These users, on the same subnet but in different physical networks, now need to communicate with each other.

Topology

Procedure: in this example, to simplify the networking, Layer 3 reachability between the hosts is achieved by deploying a directly connected link (Ethernet 0/0) and static routes on Device A and Device B.

Device A

```
# Configure an interconnect link and a static route between Device A and Device B
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# ip address 11.0.0.1/24
sonic(config-if-0/0)# exit
sonic(config)# ip route 10.10.0.3/32 11.0.0.2
# Configure a VLAN and IP
sonic(config)# vlan 10
sonic(config-vlan-10)# exit
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 10.10.0.1/24
sonic(config)# interface ethernet 0/4
sonic(config-if-0/4)# switchport access vlan 10
# Enable ARP proxy
sonic(config-vlanif-10)# interface vlan 10
sonic(config-vlanif-10)# arp proxy mode default
```

Device B

```
# Configure an interconnect link and a static route between Device A and Device B
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# ip address 11.0.0.2/24
sonic(config-if-0/0)# exit
sonic(config)# ip route 10.10.0.2/32 11.0.0.1
# Configure a VLAN and IP
sonic(config)# vlan 10
sonic(config-vlan-10)# exit
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 10.10.0.1/24
sonic(config)# interface ethernet 0/4
sonic(config-if-0/4)# switchport access vlan 10
# Enable ARP proxy
sonic(config-vlanif-10)# interface vlan 10
sonic(config-vlanif-10)# arp proxy mode default
```

Hosts

Configure VM1's IP address as 10.10.0.2/24 and VM2's IP address as 10.10.0.3/24.

Verification

Let VM1 send NS messages to VM2 and check the ARP neighbor table on VM1. It shows that the MAC of VM2 is the MAC of VLAN 10. VM1 and VM2 can ping each other.

## ND

### Introduction

The ND (Neighbor Discovery) protocol is a key protocol of IPv6. It combines protocols from IPv4 such as ARP, ICMP router discovery and ICMP redirect, and improves on them. As a foundational protocol of IPv6, ND also provides prefix discovery, neighbor unreachability detection, duplicate address detection and stateless address autoconfiguration (SLAAC).

### Basic concepts

#### Dynamic ND

Dynamic ND table entries are generated and maintained automatically by the ND protocol through ND packets. They can be aged out and updated, and they can be overwritten by static ND table entries. When the aging time is reached or the interface goes down, the corresponding dynamic ND table entry is deleted.

#### Static ND

Static ND table entries are configured and maintained manually; they are not aged out and are not overwritten by dynamic ND table entries. Configuring static ND table entries can increase the security of communication. When the network resources of the deployment are abundant enough, you can choose to deploy static ND and fix the mapping between IP addresses and MAC addresses.

#### ND proxy

If hosts belong to the same network segment but are on different physical networks, or belong to the same network segment on the same physical network but cannot communicate with each other at Layer 2, you can enable ND proxy on the connected interface of the switch to achieve intercommunication between the hosts. When ND proxy is enabled, the switch replies to the source host with an NA message, using its own MAC as the source MAC and the destination host's IPv6 address as the source IP, answering the NS request from the same network segment on behalf of the destination host.

#### SLAAC

SLAAC is a stateless address autoconfiguration mechanism of IPv6 that uses RS (Router Solicitation) and RA (Router Advertisement) messages to complete stateless autoconfiguration between IPv6 routers and IPv6 hosts. The host discovers the IPv6 router on the link through RS messages, the IPv6 router advertises IPv6 address prefix information to the host through RA messages, and the host configures its IPv6 global unicast address automatically after receiving the prefix information. The RA (Router Advertisement) message is broadcast by the IPv6 router to the switches in the local network and is the core component of the SLAAC mechanism. Users can manually configure whether an interface sends RA messages, the interval at which RA messages are sent, and the parameters carried in the RA messages advertised to other devices.

### ND configuration

#### ND default setting

The default settings of ND are shown in the table below.

Table 12 ND default setting

#### Configure static ND

Configuring static ND table entries protects the ND table from being overwritten, but the configuration effort is high and it is not suitable for network environments where host IP addresses may change; it is recommended for smaller networks.

Table 13 Configure static ND

#### Configure ND to host route

Enabling ND-to-host-route translation converts ND table entries learned by the ToR device into host routes that can be propagated to other devices via BGP. Users can configure ND-to-host-route translation policies. This series provides two levels of conversion policy.

Level 1: port policy. The action of a port policy is permit, deny or pass. The default policy for all ports must be configured first, and then the special policies. If the incoming port matches a configured interface, the special policy is used; if it does not match, the default policy is used. If the resulting policy is permit or deny, the conversion is performed or not performed directly, without evaluating the next-level network policy; if the policy is pass, the next-level network policy decides whether to convert.

Level 2: network policy. The action of a network policy is permit or deny. The default network policy must be configured first, and then the special policies. If the neighbor IP matches a configured network, the special policy is used; if not, the default policy is used.

Table 14 Configure ND to host route

Note: there is no separate command set for the ND-to-host-route function; it shares the ARP-to-host-route series of commands.

#### Configure ND proxy

Table 15 Configure ND proxy

#### Configure IPv6 neighbor discovery

Table 16 Configure IPv6 neighbor discovery
#### Disable ND broadcast

#### Display and maintenance

Table 17 Display and maintenance

### Typical configuration example

#### Configure ND proxy

Networking requirements: two users on the same subnet are isolated into two different physical networks by different physical routers. These users, on the same subnet but in different physical networks, now need to communicate with each other.

Topology

Procedure: in this example, to simplify the networking, Layer 3 reachability between the hosts is achieved by deploying a directly connected link (Ethernet 0/0) and static routes on Device A and Device B.

Device A

```
# Configure an interconnect link and a static route between Device A and Device B
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# ip address 2000::1/64
sonic(config-if-0/0)# exit
sonic(config)# ipv6 route 2001::3/128 2000::2
# Configure a VLAN and IP
sonic(config)# vlan 10
sonic(config-vlan-10)# exit
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 2001::1/64
sonic(config)# interface ethernet 0/4
sonic(config-if-0/4)# switchport access vlan 10
# Enable ND proxy
sonic(config-vlanif-10)# interface vlan 10
sonic(config-vlanif-10)# nd proxy mode default
```

Device B

```
# Configure an interconnect link and a static route between Device A and Device B
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# ip address 2000::2/64
sonic(config-if-0/0)# exit
sonic(config)# ipv6 route 2001::2/128 2000::1
# Configure a VLAN and IP
sonic(config)# vlan 10
sonic(config-vlan-10)# exit
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 2001::1/64
sonic(config)# interface ethernet 0/4
sonic(config-if-0/4)# switchport access vlan 10
# Enable ND proxy
sonic(config-vlanif-10)# interface vlan 10
sonic(config-vlanif-10)# nd proxy mode default
```

Hosts

Configure VM1's IPv6 address as 2001::2/64 and VM2's IPv6 address as 2001::3/64.

Verification

Let VM1 send NS messages to VM2 and check the IPv6 neighbor table on VM1. It shows that the MAC of VM2 is the MAC of VLAN 10. VM1 and VM2 can ping each other.
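As an added example that is not code from the guide or the switch, the following Python model shows how the ARP features described in the ARP configuration sections above interact on one VLAN interface: dynamic versus static entries (static entries are never overwritten by learning), default versus EVPN proxy mode, ARP active detection, ARP reply packet learning, and ARP flooding disabled. All names are this example's own; where the guide does not specify a behaviour, the comment marks it as an assumption.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface


@dataclass
class ArpEntry:
    mac: str
    static: bool = False  # static entries are never aged out or overwritten by learning


@dataclass
class VlanProxy:
    """One VLAN interface of the switch with ARP proxy enabled (model, not the product's API)."""
    gateway: str                    # VLAN interface address, e.g. "10.10.0.1/24"
    mac: str                        # the switch's own MAC address
    mode: str = "default"           # "default" or "evpn", as in Table 8
    active_detection: bool = False  # ARP active detection (Table 9)
    learn_from_reply: bool = False  # ARP reply packet learning (Table 9)
    flooding: bool = True           # False models "disable ARP flooding" (Table 10)
    table: dict = field(default_factory=dict)  # ip string -> ArpEntry

    def __post_init__(self):
        self.gateway = IPv4Interface(self.gateway)

    def add_static(self, ip, mac):
        """Static ARP (Table 2): overwrites any dynamic entry and is never aged out."""
        self.table[ip] = ArpEntry(mac, static=True)

    def learn(self, ip, mac):
        """Dynamic learning: creates or refreshes a dynamic entry, never touches a static one."""
        entry = self.table.get(ip)
        if entry is None or not entry.static:
            self.table[ip] = ArpEntry(mac)
        return self.table[ip].mac  # the MAC the table holds after learning

    def on_request(self, sender_ip, sender_mac, target_ip):
        """Actions the switch takes for an ARP request received on the VLAN.

        Returns a list of ("reply", mac), ("probe", ip) and ("flood",) tuples.
        """
        self.learn(sender_ip, sender_mac)  # by default only requests populate the table
        target = IPv4Address(target_ip)
        if target == self.gateway.ip:
            return [("reply", self.mac)]  # ordinary ARP for the gateway itself
        if target not in self.gateway.network:
            return []  # other segment: the proxy does not answer (assumption)
        reply = None
        if self.mode == "default":
            reply = self.mac  # default mode: every same-segment request gets the gateway MAC
        elif target_ip in self.table:
            reply = self.table[target_ip].mac  # EVPN mode: the host's actual MAC, if known
        actions = [("reply", reply)] if reply else []
        if self.active_detection and target_ip not in self.table:
            # Silent terminal not yet learned: the switch sends its own ARP request.
            # Assumption: hosts already in the table are not probed again.
            actions.append(("probe", target_ip))
        if reply is None and self.flooding:
            actions.append(("flood",))  # nobody to answer for: fall back to broadcasting
        return actions

    def on_reply(self, sender_ip, sender_mac):
        """ARP reply seen on the VLAN; learned only when reply learning is enabled."""
        if self.learn_from_reply:
            self.learn(sender_ip, sender_mac)
        return sender_ip in self.table
```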
