enable ip-security arp gratuitous-protection

enable ip-security arp gratuitous-protection {vlan} [all | vlan_name]


Enables gratuitous ARP protection on one or all VLAN (Virtual LAN)s on the switch.

Syntax Description

all Specifies all VLANs configured on the switch.
vlan_name Specifies the VLAN.


By default, gratuitous ARP protection is disabled.

Usage Guidelines

Beginning with ExtremeXOS 11.6, this command replaces the enable iparp gratuitous protect command.

Hosts can launch man-in-the-middle attacks by sending out gratuitous ARP requests for the router's IP address. This results in hosts sending their router traffic to the attacker, and the attacker forwarding that data to the router. This allows passwords, keys, and other information to be intercepted.

To protect against this type of attack, the router will send out its own gratuitous ARP request to override the attacker whenever a gratuitous ARP broadcast with the router's IP address as the source is received on the network.

Beginning with ExtremeXOS 11.6, if you enable both DHCP (Dynamic Host Configuration Protocol) secured ARP and gratuitous ARP protection, the switch protects its own IP address and those of the hosts that appear as secure entries in the ARP table.

Displaying Gratuitous ARP Information

To display information about gratuitous ARP, use the following command:

show ip-security arp gratuitous-protection


The following command enables gratuitous ARP protection for VLAN corp:

enable ip-security arp gratuitous-protectection vlan corp


This command was first available in ExtremeXOS 11.6.

Platform Availability

This command is available on the Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X620, X690, X870 series switches.