# ARP Configuration
## Introduction

ARP (Address Resolution Protocol) is used to obtain a physical address (MAC address) from an IP address. Devices implement Layer 3 forwarding by maintaining ARP entries. This device supports static ARP configuration, adjustment of the ARP entry aging time, the interface ARP proxy function, and processing strategies for ARP broadcast packets, to meet communication requirements in different network environments. In addition, the device supports the ARP-to-host function, which converts eligible ARP/NDP entries into host routes for precise route forwarding or route synchronization in scenarios such as EVPN.

## Explanation of Principle

### Basic working process of ARP

When a device needs to communicate with another host in the same network segment, it broadcasts an ARP request packet. The target host responds with an ARP reply packet, and the device learns the reply and establishes an ARP entry.

### ARP proxy

When a device receives an ARP request on an interface but the requested target IP address does not belong to the network segment of that interface, and the device has a route to the target, the device can reply with its own MAC address, converting Layer 2 communication into Layer 3 forwarding. The device supports three proxy modes:

- default: normal proxy ARP, used in general Layer 2 isolation scenarios.
- anycast-gw: anycast gateway proxy, commonly used in VXLAN distributed gateway scenarios, where the gateway interface replies to terminal ARP requests.
- evpn: EVPN proxy, where the local VTEP replies after synchronizing remote ARP information through EVPN.

### ARP broadcast processing

The device can be configured to process ARP broadcast packets in two ways. In copy mode, the packet is copied and sent to the CPU for processing while continuing to be broadcast. In trap mode, the packet is only sent to the CPU for processing and is not broadcast.

### ARP-to-host

After this function is enabled, the device filters ARP/NDP entries according to the configured policy. Entries that are allowed to be converted are added as host routes (32-bit mask). The policy supports matching by VLAN or by network segment, and distinguishes between ordinary policies and default policies. The matching order is: first match the ordinary policy (by network segment or VLAN); if no match is found, the default policy is used. This function is often used in scenarios where neighbor information needs to be synchronized to the routing table, such as EVPN host route advertisement.

## Configuration

### Configure static ARP

Static ARP is used to manually bind IP addresses to MAC addresses, to prevent ARP spoofing or for scenarios where dynamic learning is not possible.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Configure static ARP | `arp static a.b.c.d hh:hh:hh:hh:hh:hh interface-type interface-name` | Specify the IP address, MAC address, interface type (Ethernet/VLAN/link aggregation) and interface name. |
| Delete static ARP | `no arp static a.b.c.d interface-type interface-name` | Delete the static ARP entry of the specified IP. |

Note: static ARP entries have higher priority than dynamic entries and are not aged out.

### Configure ARP expire time

Dynamic ARP entries have an aging time. After the timeout, the device resends ARP requests to refresh them.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Configure the expire time | `arp timeout expire-time` | expire-time: 60 to 7200 seconds; the default value is 300 seconds. |

Note: appropriately shortening the aging time improves the response speed to network changes, but increases the number of ARP packets.

### Configure interface ARP proxy

Enable ARP proxy on the interface to allow the device to answer ARP requests across network segments on behalf of other hosts. In scenarios where Layer 2 broadcast isolation is enabled, a common method to ensure normal communication between terminals in the local area network is to enable ARP proxy on the interface configured as the gateway. The device then sends the MAC address of the gateway to the terminal that initiated the ARP request, converting Layer 2 communication between terminals into Layer 3 routed forwarding. For VXLAN scenarios, enable the ARP proxy evpn mode: the local VTEP synchronizes remote ARP information through EVPN and uses it to answer ARP requests from local terminals on their behalf.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the interface view | `interface interface-type interface-name` | For example `interface vlan 400`. |
| Enable ARP proxy and set the mode | `arp proxy mode { default \| anycast-gw \| evpn }` | The default is default mode. |
| Disable ARP proxy | `no arp proxy` | Disable ARP proxy on the interface. |

Note: on devices with ARP proxy enabled, the `arp-to-host convert enable` command must be used to convert the learned ARP entries into host routes.

### Configure ARP broadcast processing

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Configure the processing action | `arp broadcast { copy \| trap }` | copy: send one copy to the CPU for processing and continue broadcasting; trap: only send the packet to the CPU for processing, without broadcasting it. |

Note: copy mode is suitable for scenarios where the CPU needs to participate in learning but broadcasting should not be blocked; trap mode reduces broadcast traffic but may cause the CPU to miss learning.

### Configure the ARP-to-host function

The ARP-to-host function converts eligible ARP/NDP entries into host routes, and supports setting policies by VLAN or by network segment.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Enable ARP-to-host globally | `arp-to-host convert enable vrfname` | vrfname: VRF instance name; the default is default. |
| Disable ARP-to-host globally | `no arp-to-host convert enable` | |
| Configure VLAN-based policies | `arp-to-host policy vlan vlan-id { permit \| deny }` | permit (allow conversion) or deny (forbid conversion) of ARP/NDP entries within the specified VLAN. |
| Configure segment-based policies | `arp-to-host policy network a.b.c.d/m { default \| vrf-name } { permit \| deny }` | Apply policy control to entries within the specified network segment, specifying the VRF at the same time. |
| Configure the default VLAN policy | `arp-to-host policy default-policy vlan vlan-id { permit \| deny }` | Used when an entry does not match any regular VLAN policy. |
| Configure the default network segment policy | `arp-to-host policy default-policy network a.b.c.d/m { default \| vrf-name } { permit \| deny }` | Used when an entry does not match any ordinary network segment policy. |
| Delete a policy | `no arp-to-host policy { vlan vlan-id \| network a.b.c.d/m }` | Delete the specified general policy. |
| Delete a default policy | `no arp-to-host policy default-policy { vlan vlan-id \| network a.b.c.d/m }` | Delete the specified default policy. |

Policy matching order:

1. First, match the regular policies (`arp-to-host policy network` and `arp-to-host policy vlan`).
2. If no regular policy matches, match the default policies (`arp-to-host policy default-policy network` and `arp-to-host policy default-policy vlan`).
3. If still no match is found, the entry is not converted.

Note: only ARP/NDP entries that are both globally enabled (`arp-to-host convert enable`) and permitted by the policy are converted into host routes. The converted host routes are added to the routing table of the corresponding VRF and can be used for route advertisement or precise forwarding.

## Display and Maintenance

| Operation | Command |
| --- | --- |
| Display the ARP table | `show arp` |
| Display the number of ARP proxy replies within the specified number of seconds | `show arp proxy count second` |
| Display the ARP proxy status of an interface | `show interface arp proxy status` |
| Clear all ARP/NDP entries | `clear neighbor all` |
| Clear the ARP/NDP entries of the specified interface | `clear neighbor interface interface-type interface-name` |
| Clear static ARP/NDP entries | `clear neighbor static` |
| Clear dynamic ARP/NDP entries | `clear neighbor dynamic` |

## Configuration Example

### Networking requirements

1. An enterprise network deploys a VXLAN distributed gateway, with a certain switch acting as a VTEP.
2. Enable anycast-gw proxy ARP on the gateway interface vlan100 to allow terminals in different subnets to communicate through the gateway.
3. Manually bind the server (IP 3.3.3.3, MAC 00:00:00:00:00:01) to vlan100 to prevent ARP spoofing.
4. Adjust the ARP aging time to 600 seconds.
5. Enable the ARP-to-host function and convert all dynamic ARP entries in vlan100 into host routes so that they can be advertised to other VTEPs through EVPN.

### Configuration steps

```
sonic# configure terminal
sonic(config)# arp static 3.3.3.3 00:00:00:00:00:01 vlan 100
sonic(config)# arp timeout 600
sonic(config)# interface vlan 100
sonic(config-vlan-100)# arp proxy mode anycast-gw
sonic(config-vlan-100)# exit
sonic(config)# arp-to-host convert enable
sonic(config)# arp-to-host policy vlan 100 permit
sonic(config)# end
```
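The ARP-to-host policy matching order described above (regular network-segment and VLAN policies first, then default policies, otherwise no conversion), as an added Python model that is not code from this page or from the switch. It assumes IPv4 entries only, evaluates a network-segment policy before a VLAN policy within each set, and lets the longest matching prefix win when several segments match; the page states neither of those tie-breaks, and the class and function names are hypothetical.

```python
import ipaddress

class ArpToHostPolicy:
    """Hypothetical model of the arp-to-host policy set; not the switch's own code.
    Regular and default-policy sets are each keyed by vlan-id or (vrf, network)."""

    def __init__(self, enabled_vrfs=()):
        self.enabled_vrfs = set(enabled_vrfs)   # arp-to-host convert enable is per VRF
        self.regular = {"vlan": {}, "network": {}}
        self.default = {"vlan": {}, "network": {}}

    def add(self, kind, key, action, default_policy=False):
        """kind: 'vlan' (key = vlan-id) or 'network' (key = (vrf, 'a.b.c.d/m'))."""
        table = self.default if default_policy else self.regular
        if kind == "network":
            key = (key[0], ipaddress.ip_network(key[1], strict=False))
        table[kind][key] = action   # "permit" or "deny"

    @staticmethod
    def _match(table, addr, vlan, vrf):
        """One pass over a policy set: network segment (longest prefix wins, assumed) before VLAN."""
        best = max(((net.prefixlen, action) for (pvrf, net), action in table["network"].items()
                    if pvrf == vrf and addr in net), default=None)
        return best[1] if best else table["vlan"].get(vlan)   # None when nothing matches

    def permits(self, ip, vlan, vrf="default"):
        """True if the ARP entry (ip, vlan, vrf) would be converted to a /32 host route."""
        if vrf not in self.enabled_vrfs:   # precondition: globally enabled in this VRF
            return False
        addr = ipaddress.ip_address(ip)
        action = self._match(self.regular, addr, vlan, vrf)       # step 1: regular policies
        if action is None:
            action = self._match(self.default, addr, vlan, vrf)   # step 2: default policies
        return action == "permit"                                 # step 3: no match -> no route

def host_routes(policy, arp_entries):
    """arp_entries: iterable of (ip, vlan, vrf); returns the (prefix, vrf) host routes to add."""
    return [(f"{ip}/32", vrf) for ip, vlan, vrf in arp_entries if policy.permits(ip, vlan, vrf)]

if __name__ == "__main__":
    # Constructed sample: the page's example (VLAN 100 permitted) plus a denied segment
    p = ArpToHostPolicy(enabled_vrfs=["default"])
    p.add("vlan", 100, "permit")
    p.add("network", ("default", "10.0.0.0/24"), "deny")
    p.add("vlan", 200, "deny", default_policy=True)
    entries = [("3.3.3.3", 100, "default"), ("10.0.0.5", 100, "default"),
               ("192.0.2.7", 200, "default"), ("192.0.2.8", 300, "default")]
    print(host_routes(p, entries))   # [('3.3.3.3/32', 'default')]
```

The sample shows why the order matters: an entry in VLAN 100 is still not converted when a regular network-segment deny covers its address, and an entry that matches nothing is silently left out of the routing table.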
