Configuring Gratuitous ARP
You enable the gratuitous ARP feature on a per-VLAN basis, not on a per-port basis. Validation is performed on all gratuitous ARP packets received on a VLAN in which this feature is enabled, irrespective of the port on which the packet is received.

When enabled, the switch generates gratuitous ARP packets when it receives a gratuitous ARP request where either of the following is true:
- The sender IP is the same as the switch VLAN IP address and the sender MAC address is not the switch MAC address.
- The sender IP is the same as the IP of a static entry in the ARP table and the sender MAC address is not the static entry's MAC address.

When the switch generates an ARP packet, the switch generates logs and traps.
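
The two conditions above, written out as an added Python example for checking captured ARP payloads offline; it is not ExtremeXOS code. The function names, the result strings, and the sample addresses are assumptions made for illustration, and the example treats any ARP packet whose sender and target IP addresses match as gratuitous, whatever its opcode.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA

def parse_arp(payload: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sender_mac": sha.hex(":"),
            "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_ip": str(ipaddress.IPv4Address(tpa))}

def check_gratuitous_arp(payload, vlan_ip, switch_mac, static_entries):
    """Return which condition the packet meets, or None if it is acceptable."""
    arp = parse_arp(payload)
    if arp["sender_ip"] != arp["target_ip"]:
        return None  # not gratuitous, so this feature does not validate it
    ip, mac = arp["sender_ip"], arp["sender_mac"]
    if ip == vlan_ip and mac != switch_mac.lower():
        return "vlan-ip-conflict"       # claims the switch VLAN IP address
    owner = static_entries.get(ip)
    if owner is not None and mac != owner.lower():
        return "static-entry-conflict"  # claims the IP of a static ARP entry
    return None

def build_garp(sender_mac: str, ip: str, oper: int = 1) -> bytes:
    """Build a constructed gratuitous ARP payload for testing the check."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    addr = ipaddress.IPv4Address(ip).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac, addr, b"\x00" * 6, addr)

# Constructed sample values (documentation range, locally administered MACs).
VLAN_IP = "192.0.2.1"
SWITCH_MAC = "02:00:00:00:00:01"
STATIC = {"192.0.2.10": "02:00:00:00:00:10"}

if __name__ == "__main__":
    for mac, ip in [("02:00:00:00:00:66", "192.0.2.1"),
                    ("02:00:00:00:00:66", "192.0.2.10"),
                    ("02:00:00:00:00:10", "192.0.2.10")]:
        print(mac, ip, check_gratuitous_arp(build_garp(mac, ip), VLAN_IP, SWITCH_MAC, STATIC))
```
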
- Enable gratuitous ARP protection using the command:
  enable ip-security arp gratuitous-protection {vlan} [all | vlan_name]
- In addition, to protect the IP addresses of the hosts that appear as secure entries in the ARP table, use the following commands to enable DHCP snooping, DHCP secured ARP, and gratuitous ARP on the switch:
  enable ip-security dhcp-snooping {vlan} vlan_name ports [all | ports] violation-action [drop-packet {[block-mac | block-port] [duration duration_in_seconds | permanently] | none]}] {snmp-trap}
  enable ip-security arp learning learn-from-dhcp {vlan} vlan_name ports [all | ports]
  enable ip-security arp gratuitous-protection {vlan} [all | vlan_name]
- Disable gratuitous ARP protection using the command:
  disable ip-security arp gratuitous-protection {vlan} [all | vlan_name]
- In ExtremeXOS 11.5 and earlier, you enable gratuitous ARP protection using the following command:
  enable iparp gratuitous protect vlan vlan-name
- In ExtremeXOS 11.5 and earlier, you disable gratuitous ARP protection with the following command:
  disable iparp gratuitous protect vlan vlan-name