Enables DHCP secured ARP learning for the specified VLAN and member ports.
vlan_name | Specifies the name of the VLAN to which this rule applies. |
all | Specifies all ingress ports. |
ports | Specifies one or more ingress ports. |
By default, DHCP secured ARP learning is disabled.
Use this command to configure the switch to add the MAC address and its corresponding IP address to the ARP table as a secure ARP entry. The switch does not update secure ARP entries, regardless of the ARP requests and replies seen by the switch. DHCP secured ARP is linked to the “DHCP snooping” feature. The same DHCP bindings database created when you enabled DHCP snooping is also used by DHCP secured ARP to create secure ARP entries. The switch only removes secure ARP entries when the corresponding DHCP entry is removed from the trusted DHCP bindings database.
Note
If you enable DHCP secured ARP on the switch, ARP learning continues, which allows insecure entries to be added to the ARP table.
The default ARP timeout (configure iparp timeout) and ARP refresh (enable iparp refresh) settings do not apply to DHCP secured ARP entries. The switch removes DHCP secured ARP entries upon any DHCP release packet received from the DHCP client.
To display how the switch builds an ARP table and learns MAC addresses for devices on a specific VLAN and associated member ports, use the following command:
show ip-security arp learning {vlan} vlan_nameTo view the ARP table, including permanent and DHCP secured ARP entries, use the following command:
show iparp {ip_address |mac | vlanvlan_name | permanent} {vrvr_name}The following command enables DHCP secured ARP learning on port 1:1 of the VLAN learn and uses the default polling and retry intervals:
enable ip-security arp learning learn-from-dhcp vlan learn ports 1:1
This command was first available in ExtremeXOS 11.6.
This command is available on BlackDiamond X8 series switches, BlackDiamond 8000 series modules, and Summit Family switches.