Configuring Gratuitous ARP
You enable the gratuitous ARP feature on a per-VLAN (Virtual LAN) basis, not on a per-port basis. Validation is performed on all gratuitous ARP packets received on a VLAN in which this feature is enabled, irrespective of the port on which the packet is received.
When enabled, the switch generates gratuitous ARP packets when it receives a gratuitous ARP request where either of the following is true:
- The sender IP is the same as the switch VLAN IP address and the sender MAC address is not the switch MAC address.
- The sender IP is the same as the IP of a static entry in the ARP table and the sender MAC address is not the static entry's MAC address.
When the switch generates an ARP packet, the switch generates logs and traps.
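
The two conditions above, written out as a check on a received frame. This is an added example in Python, not Extreme Networks code, and it only classifies the frame (the switch's own gratuitous ARP response, log and trap are not modeled). The function names, verdict strings, sample addresses and the untagged-frame assumption are constructed for illustration.

```python
import socket
import struct

ARP_ETHERTYPE = 0x0806

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if the
    frame is not an untagged Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (oper, frame[22:28].hex(":"),
            socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42]))

def check_gratuitous(frame, vlan_ip, switch_mac, static_entries):
    """Apply the two conditions from the text to one received frame."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "ignore"
    oper, sender_mac, sender_ip, target_ip = parsed
    # Assumption: "gratuitous ARP request" = opcode 1 with sender IP == target IP.
    if oper != 1 or sender_ip != target_ip:
        return "ignore"
    # Condition 1: claims the switch VLAN IP from a MAC that is not the switch's.
    if sender_ip == vlan_ip and sender_mac != switch_mac.lower():
        return "conflict-vlan-ip"
    # Condition 2: claims a static ARP entry's IP from a different MAC.
    static_mac = static_entries.get(sender_ip)
    if static_mac is not None and sender_mac != static_mac.lower():
        return "conflict-static-entry"
    return "ok"

def build_garp(sender_mac: str, ip: str, oper: int = 1) -> bytes:
    """Construct a sample broadcast gratuitous ARP frame (test input only)."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    ipb = socket.inet_aton(ip)
    eth = b"\xff" * 6 + mac + struct.pack("!H", ARP_ETHERTYPE)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac + ipb + bytes(6) + ipb

# Constructed sample values (documentation address range, made-up MACs).
VLAN_IP, SWITCH_MAC = "192.0.2.1", "00:04:96:00:00:01"
STATIC = {"192.0.2.10": "02:00:00:aa:bb:10"}

if __name__ == "__main__":
    for mac, ip in [(SWITCH_MAC, VLAN_IP), ("02:00:00:de:ad:01", VLAN_IP),
                    ("02:00:00:de:ad:02", "192.0.2.10"), ("02:00:00:11:22:33", "192.0.2.50")]:
        print(mac, ip, check_gratuitous(build_garp(mac, ip), VLAN_IP, SWITCH_MAC, STATIC))
```
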
- Enable gratuitous ARP protection using the command:
  enable ip-security arp gratuitous-protection {vlan} [all | vlan_name]
- In addition, to protect the IP addresses of the hosts that appear as secure entries in the ARP table, use the following commands to enable DHCP (Dynamic Host Configuration Protocol) snooping, DHCP secured ARP, and gratuitous ARP on the switch:
  enable ip-security dhcp-snooping {vlan} vlan_name ports [all | ports] violation-action [drop-packet {[block-mac | block-port] [duration duration_in_seconds | permanently] | none]}] {snmp-trap}
  enable ip-security arp learning learn-from-dhcp {vlan} vlan_name ports [all | ports]
  enable ip-security arp gratuitous-protection {vlan} [all | vlan_name]
- Disable gratuitous ARP protection using the command:
  disable ip-security arp gratuitous-protection {vlan} [all | vlan_name]
- In ExtremeXOS 11.5 and earlier, you enable gratuitous ARP protection using the following command:
  enable iparp gratuitous protect vlan vlan-name
- In ExtremeXOS 11.5 and earlier, you disable gratuitous ARP protection with the following command:
  disable iparp gratuitous protect vlan vlan-name