ARP Configuration

ARP (Address Resolution Protocol) is used to obtain a physical address (MAC address) based on an IP address. Devices implement layer 3 forwarding by maintaining ARP entries. This device supports static ARP configuration, adjustment of ARP entry aging time, interface ARP proxy function, and processing strategies for ARP broadcast packets to meet communication requirements in different network environments.

In addition, the device supports the ARP-to-host function, which can convert eligible ARP/NDP entries into host routes, used for precise route forwarding or route synchronization in scenarios such as EVPN.

Basic working process of ARP: When a device needs to communicate with another host in the same network segment, it will broadcast an ARP request packet. The target host responds with an ARP reply packet, and the device learns and establishes an ARP entry.

  • ARP proxy: When a device receives an ARP request on an interface and the requested target IP address does not belong to that interface's network segment, the device can reply with its own MAC address if it has a route to the target, converting Layer 2 communication into Layer 3 forwarding. The device supports three proxy modes:
    • default: Normal proxy ARP, used in general Layer 2 isolation scenarios.
    • anycast_gw: Anycast gateway proxy, commonly used in VXLAN distributed gateway scenarios, where the gateway interface replies to terminal ARP requests.
    • evpn: EVPN proxy, where the local VTEP replies after synchronizing remote ARP information through EVPN.
  • ARP broadcast processing: The device can be configured to process ARP broadcast packets. In copy mode, the packet is copied and sent to the CPU for processing while continuing to broadcast. In trap mode, the packet is only sent to the CPU for processing.
  • ARP-to-host: After enabling this function, the device will filter ARP/NDP entries according to the configured policy. Entries that are allowed to be converted will be added as host routes (32-bit mask). The policy supports matching by VLAN or network segment, and distinguishes between ordinary policies and default policies. The matching order is: first match the ordinary policy (by network segment or VLAN), and if no match is found, the default policy is used. This function is often used in scenarios where neighbor information needs to be synchronized to the routing table, such as EVPN host route advertisement.

Static ARP is used to manually bind IP addresses to MAC addresses, preventing ARP spoofing or for scenarios where dynamic learning is not possible.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | - |
| Configure static ARP | `arp static A.B.C.D HH:HH:HH:HH:HH:HH interface-type interface-name` | Specify the IP address, MAC address, interface type (ethernet/vlan/link-aggregation) and interface name |
| Delete static ARP | `no arp static A.B.C.D interface-type interface-name` | Delete the static ARP entry for the specified IP address |

Dynamic ARP entries have an aging time. After the timeout, the device will resend ARP requests for updates.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | - |
| Configure the expire time | `arp timeout expire-time` | expire-time: 60-7200 seconds, default value is 300 seconds |

Enable ARP proxy on the interface to allow the device to answer ARP requests for hosts in other network segments on their behalf.

  • In scenarios where Layer 2 broadcast isolation is enabled, to ensure normal communication between terminals in the local area network, a common method is to enable ARP proxy on the interface configured as the gateway. The gateway's MAC address is returned to the terminal that initiated the ARP request, converting Layer 2 communication between terminals into Layer 3 routed forwarding.
  • For VXLAN scenarios, enable the arp-proxy evpn mode. The local VTEP synchronizes remote ARP information through EVPN and uses it to answer ARP requests from local terminals on their behalf.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the interface view | `interface interface-type interface-name` | For example: `interface vlan 400` |
| Enable ARP proxy and set the mode | `arp-proxy mode {default \| anycast_gw \| evpn}` | The default is default mode |
| Disable ARP proxy | `no arp-proxy` | Disable ARP proxy on the interface |

ARP broadcast packets can be handled in either copy or trap mode.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | - |
| Configure the processing action | `arp broadcast {copy \| trap}` | copy: send one copy to the CPU for processing and continue broadcasting; trap: only send the packet to the CPU for processing, without broadcasting it |

The ARP-to-host function allows converting eligible ARP/NDP entries into host routes, and supports setting policies by VLAN or network segment.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | - |
| Enable ARP-to-host globally | `arp-to-host convert enable [vrfname]` | vrfname: VRF instance name, default is default |
| Disable ARP-to-host globally | `no arp-to-host convert enable` | - |
| Configure VLAN-based policies | `arp-to-host policy vlan vlan-id {permit \| deny}` | Permit (allow conversion) or deny (forbid conversion) ARP/NDP entries within the specified VLAN |
| Configure segment-based policies | `arp-to-host policy network A.B.C.D/M {default \| vrf-name} {permit \| deny}` | Apply policy control to entries within the specified network segment, specifying the VRF at the same time |
| Configure the default VLAN policy | `arp-to-host policy default-policy vlan vlan-id {permit \| deny}` | Used when an entry does not match any regular VLAN policy |
| Configure the default network segment policy | `arp-to-host policy default-policy network A.B.C.D/M {default \| vrf-name} {permit \| deny}` | Used when an entry does not match any regular network segment policy |
| Delete a regular policy | `no arp-to-host policy {vlan vlan-id \| network A.B.C.D/M}` | Delete the specified regular policy |
| Delete a default policy | `no arp-to-host policy default-policy {vlan vlan-id \| network A.B.C.D/M}` | Delete the specified default policy |

Policy matching order:

  • First, match the regular policies (arp-to-host policy network and arp-to-host policy vlan).
  • If no regular policy matches, match the default policies (arp-to-host policy default-policy network and arp-to-host policy default-policy vlan).
  • If there is still no match, the entry is not converted.
  • Only ARP/NDP entries that are both globally enabled (arp-to-host convert enable) and permitted by the policy are converted to host routes.
  • The converted host routes are added to the routing table of the corresponding VRF and can be used for route advertisement or precise forwarding.
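As an added illustration (not the vendor's code), this Python model walks the policy matching order above for a few constructed ARP entries: regular policies first, then default policies, conversion only when the VRF is globally enabled. Two details the page leaves open are assumptions here: when several network policies contain an entry's IP the most specific prefix wins, and within a tier a network policy is checked before a VLAN policy.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Neighbor:  # one ARP/NDP entry (constructed sample data, not a real device table)
    ip: str
    vlan: int
    vrf: str = "default"


@dataclass
class ArpToHostConfig:
    enabled_vrfs: set = field(default_factory=set)              # arp-to-host convert enable <vrf>
    vlan_policy: dict = field(default_factory=dict)             # policy vlan <id> {permit|deny}
    network_policy: dict = field(default_factory=dict)          # (vrf, prefix) -> permit|deny
    default_vlan_policy: dict = field(default_factory=dict)     # default-policy vlan ...
    default_network_policy: dict = field(default_factory=dict)  # default-policy network ...


def _match_network(table, nb):
    """Most specific prefix in the entry's VRF that contains nb.ip (tie-break is an assumption)."""
    ip, best = ipaddress.ip_address(nb.ip), None
    for (vrf, prefix), action in table.items():
        net = ipaddress.ip_network(prefix)
        if vrf == nb.vrf and ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, action)
    return best[1] if best else None


def decide(cfg, nb):
    """'permit', 'deny', or None when neither a regular nor a default policy matches."""
    for net_table, vlan_table in ((cfg.network_policy, cfg.vlan_policy),
                                  (cfg.default_network_policy, cfg.default_vlan_policy)):
        action = _match_network(net_table, nb) or vlan_table.get(nb.vlan)
        if action is not None:
            return action
    return None


def host_routes(cfg, neighbors):
    """Host routes (/32 for IPv4; /128 for IPv6 is an assumption) that would be installed, per VRF."""
    routes = {}
    for nb in neighbors:
        if nb.vrf in cfg.enabled_vrfs and decide(cfg, nb) == "permit":
            routes.setdefault(nb.vrf, []).append(str(ipaddress.ip_network(nb.ip)))
    return routes


def example():  # constructed scenario: Vlan100 permitted, 10.1.0.0/16 denied, default policy for Vlan200
    cfg = ArpToHostConfig(enabled_vrfs={"default"}, vlan_policy={100: "permit"},
                          network_policy={("default", "10.1.0.0/16"): "deny"},
                          default_vlan_policy={200: "permit"})
    neighbors = [Neighbor("3.3.3.3", 100), Neighbor("10.1.1.5", 200),
                 Neighbor("10.2.0.9", 200), Neighbor("10.3.0.1", 300)]
    return host_routes(cfg, neighbors)
```

In the constructed scenario 10.1.1.5 is denied by the regular network policy even though the default VLAN policy for Vlan200 would permit it, and 10.3.0.1 matches nothing and is left alone.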
| Operation | Command |
| --- | --- |
| Display the ARP table | `show arp` |
| Display the number of ARP proxy replies within the specified number of seconds | `show arp-proxy count second` |
| Display the ARP proxy status of the interface | `show interface arp-proxy status` |
| Clear all ARP/NDP entries | `clear neighbor all` |
| Clear the ARP/NDP entries of the specified interface | `clear neighbor interface interface-type interface-name` |
| Clear static ARP/NDP entries | `clear neighbor static` |
| Clear dynamic ARP/NDP entries | `clear neighbor dynamic` |

Networking Requirements

An enterprise network deploys a VXLAN distributed gateway, with a certain switch acting as a VTEP. Requirements:

1. Enable the anycast_gw proxy ARP on the gateway interface Vlan100 to allow terminals in different subnets to communicate through the gateway.

2. Manually bind the server (IP 3.3.3.3, MAC 00:00:00:00:00:01) to Vlan100 to prevent ARP spoofing.

3. Adjust the ARP aging time to 600 seconds.

4. Enable the ARP-to-host function and convert all dynamic ARP entries in Vlan100 into host routes so that they can be advertised to other VTEPs through EVPN.

Configuration Steps

```
sonic# configure terminal
sonic(config)# arp static 3.3.3.3 00:00:00:00:00:01 vlan 100
sonic(config)# arp timeout 600
sonic(config)# interface vlan 100
sonic(config-vlan-100)# arp-proxy mode anycast_gw
sonic(config-vlan-100)# exit
sonic(config)# arp-to-host convert enable
sonic(config)# arp-to-host policy vlan 100 permit
sonic(config)# end
```