Configuring arp snooping, Configuration procedure, Displaying and maintaining arp snooping – H3C Technologies H3C S5560 Series Switches User Manual


Configuring ARP snooping

ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. Manual-mode MFF (MAC-Forced Forwarding) can use the ARP snooping entries. For more information about MFF, see Security Configuration Guide.

If you enable ARP snooping for a VLAN, ARP packets received by any interface in the VLAN are redirected to the CPU. The CPU uses the sender IP and MAC addresses of the ARP packets, and the receiving VLAN and port, to create ARP snooping entries.

The aging time and valid period of an ARP snooping entry are 25 minutes and 15 minutes, respectively. If an ARP snooping entry is not updated in 15 minutes, it becomes invalid and cannot be used. After that, if an ARP packet matching the entry is received, the entry becomes valid, and its aging timer restarts. If the aging timer of an ARP snooping entry expires, the entry is removed.

An ARP packet that has the same sender IP address as a valid ARP snooping entry, but with a different sender MAC address, is considered an attack. The ARP snooping entry becomes invalid, and is removed after 25 minutes.
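
The entry lifecycle described above, modeled as an added example (not H3C code and not part of the manual) so the timer and conflict behavior can be checked against captured ARP traffic. Assumptions: entries are keyed by VLAN and sender IP, "matching" means the same sender MAC, a matching packet restarts both timers, and cases the manual does not cover are returned as "ignored".

```python
# Added example: a model of the ARP snooping entry lifecycle, times in minutes.
from dataclasses import dataclass

VALID_PERIOD = 15   # minutes without an update before an entry becomes invalid
AGING_TIME = 25     # minutes before an entry is removed


@dataclass
class Entry:
    mac: str
    port: str
    updated_at: float          # when the aging timer last (re)started
    conflicted: bool = False   # invalidated by a conflicting sender MAC


class SnoopingTable:
    def __init__(self):
        self.entries = {}      # assumption: keyed by (vlan, sender IP)

    def expire(self, now):
        """Remove entries whose aging timer has run out."""
        for key in [k for k, e in self.entries.items()
                    if now - e.updated_at >= AGING_TIME]:
            del self.entries[key]

    def is_valid(self, vlan, ip, now):
        self.expire(now)
        e = self.entries.get((vlan, ip))
        return (e is not None and not e.conflicted
                and now - e.updated_at < VALID_PERIOD)

    def receive(self, now, vlan, port, sender_ip, sender_mac):
        """Process one ARP packet: 'created', 'refreshed', 'attack' or 'ignored'."""
        self.expire(now)
        e = self.entries.get((vlan, sender_ip))
        if e is None:
            self.entries[(vlan, sender_ip)] = Entry(sender_mac, port, now)
            return "created"
        if e.mac == sender_mac and not e.conflicted:
            e.updated_at = now               # valid again, aging timer restarts
            return "refreshed"
        if e.mac != sender_mac and self.is_valid(vlan, sender_ip, now):
            e.conflicted, e.updated_at = True, now   # invalid, removed 25 min later
            return "attack"
        return "ignored"   # assumption: cases the manual does not describe
```
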

Configuration procedure

To enable ARP snooping for a VLAN:

Step                      Command               Remarks
1. Enter system view.     system-view           N/A
2. Enter VLAN view.       vlan vlan-id          N/A
3. Enable ARP snooping.   arp snooping enable   By default, ARP snooping is disabled.

Displaying and maintaining ARP snooping

Execute display commands in any view and reset commands in user view.

Task                            Command
Display ARP snooping entries.   display arp snooping [ vlan vlan-id ] [ slot slot-number ] [ count ]
                                display arp snooping ip ip-address [ slot slot-number ]
Remove ARP snooping entries.    reset arp snooping [ ip ip-address | vlan vlan-id ]
