This section describes how to use the command line interface (CLI) to configure Across-Layer-3 MAC identification.
Before configuring the FW learning function, ensure that the Layer-3 network device connected to the FW supports SNMPv2c or SNMPv3, that its SNMP agent is enabled, and that the community name (SNMPv2c) or user name (SNMPv3) the FW will use has been configured on that device.
If multiple Layer-3 network devices are deployed between the FW and the intranet PCs, specify the device closest to the PCs as the target network device: only that device's ARP table holds the PCs' real MAC addresses, while a device further upstream sees only the MAC address of the next-hop router interface. The FW can poll multiple Layer-3 devices (SNMP agents).
This function can be configured using command lines in hot standby deployments.
SNMP v2c
snmp-server target-host arp-sync address ip-address [ vpn-instance vpn-instance-name ] community community-name v2c
address and community must identify the same Layer-3 network device. If the target network device is reachable only through a VPN instance, vpn-instance, address, and community must together identify that same device. Note that an SNMPv2c community name is sent in cleartext in every request; give it read-only access on the target device, or use SNMPv3 instead.
SNMP v3
snmp-server target-host arp-sync address ip-address [ vpn-instance vpn-instance-name ] usm-user v3 user-name [ authentication-mode { md5 | sha } password [ privacy-mode { 3des | aes128 | aes192 | aes256 | des56 } password ] ]
address and user-name must identify the same Layer-3 network device. If the target network device is reachable only through a VPN instance, vpn-instance, address, and user-name must together identify that same device. Among the available algorithms, md5, des56 and 3des are legacy choices; prefer sha for authentication and an aes mode for privacy, and configure privacy-mode so that the polled ARP table is not carried in cleartext.
With across-Layer-3 MAC identification, the FW polls one or more Layer-3 network devices (SNMP agents, called target hosts in the CLI) to obtain their ARP entries over SNMP. Up to 64 Layer-3 network devices can be configured as sources for ARP entry synchronization.
snmp-server arp-sync { interval interval | timeout time } *
Choose the timeout value with both the rate at which intranet PC IP addresses change and the network delay between the FW and the target device in mind.
# Specify a Layer-3 network device at 10.10.90.7 with the SNMPv2c community name Public@123, and enable the FW to learn the MAC addresses of intranet PCs from it.
<sysname> system-view
[sysname] snmp-server arp-sync enable
[sysname] snmp-server target-host arp-sync address 10.10.90.7 community Public@123 v2c
[sysname] snmp-server arp-sync interval 10 timeout 5
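The configuration above uses SNMPv2c. The following is an added example, not taken from the product documentation, of the equivalent SNMPv3 configuration for a target device that is reachable only through a VPN instance, using SHA authentication and AES-256 privacy. The address 10.10.90.8, the VPN instance name vpn1, the user name fwpoll and both passwords are placeholders; the same user, algorithms and passwords must already exist on the target device.

```text
<sysname> system-view
[sysname] snmp-server arp-sync enable
[sysname] snmp-server target-host arp-sync address 10.10.90.8 vpn-instance vpn1 usm-user v3 fwpoll authentication-mode sha Auth@Pass123 privacy-mode aes256 Priv@Pass123
[sysname] snmp-server arp-sync interval 10 timeout 5
[sysname] display snmp-server arp-sync table vpn-instance vpn1
```

Because the target sits in vpn1, the display command must also name the VPN instance, otherwise its entries are not shown. md5 and des56 remain accepted by the command syntax but should not be chosen for new deployments.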
Run the display snmp-server arp-sync table [ vpn-instance vpn-instance-name ] command to view ARP entries obtained using SNMP.
<sysname> display snmp-server arp-sync table
Synchronization status of the IP-MAC address mapping table: Done
The start time of synchronizing IP-MAC mapping table: 2013/8/2 09:39:24
The end time of synchronizing IP-MAC mapping table: 2013/8/2 09:39:28
-----------------------------------------------------------------------------------------------
IP Address         MAC Address         Expire(M)    VPN Instance
-----------------------------------------------------------------------------------------------
10.10.90.220       0022-****-b948      20
10.10.90.33        0000-****-0000      20
-----------------------------------------------------------------------------------------------
Total:2
The output above lists the ARP entries obtained over SNMP. A synchronization status of Done indicates that ARP entry synchronization between the FW and the target network device has completed. If the status is not Done or expected PCs are missing from the table, first verify that the target device configured with snmp-server target-host arp-sync is reachable and that the community name or user name on the FW matches the one configured on that device.
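A practitioner will want to confirm that the table the FW synchronized actually matches the ARP table on the target Layer-3 device. The following script is an added example, not product code: it parses a net-snmp style snmpwalk of the target device's ARP table and the FW's display snmp-server arp-sync table output, normalizes the MAC addresses to the FW's xxxx-xxxx-xxxx form, and reports entries that are missing, mismatched or unexpected. It assumes the target device exposes its ARP table through the standard IP-MIB ipNetToMediaPhysAddress column (OID 1.3.6.1.2.1.4.22.1.2); the page does not state which MIB the FW walks. Both sample outputs are constructed for the example, with full MAC addresses instead of the masked ones shown above.

```python
"""Cross-check a Layer-3 device's ARP table (snmpwalk output) against the
firewall's "display snmp-server arp-sync table" output.

Added example, not product code. Assumption: the Layer-3 device exposes its
ARP table in the standard IP-MIB ipNetToMediaPhysAddress column
(OID 1.3.6.1.2.1.4.22.1.2, indexed by <ifIndex>.<IP>).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed net-snmp style output, as produced by e.g.
#   snmpwalk -v2c -c Public@123 10.10.90.7 ipNetToMediaPhysAddress
# Both the textual (STRING) and numeric (Hex-STRING) renderings are included.
SNMPWALK_OUTPUT = """\
IP-MIB::ipNetToMediaPhysAddress.5.10.10.90.220 = STRING: 0:22:ab:cd:b9:48
IP-MIB::ipNetToMediaPhysAddress.5.10.10.90.33 = STRING: 0:c:29:3a:4b:5c
.1.3.6.1.2.1.4.22.1.2.5.10.10.90.41 = Hex-STRING: 00 1C 7F 12 34 56
"""

# Constructed firewall output in the layout of "display snmp-server arp-sync
# table". 10.10.90.33 deliberately carries a different MAC than the device
# reports, and 10.10.90.41 is deliberately absent.
FW_TABLE_OUTPUT = """\
Synchronization status of the IP-MAC address mapping table: Done
The start time of synchronizing IP-MAC mapping table: 2013/8/2 09:39:24
The end time of synchronizing IP-MAC mapping table: 2013/8/2 09:39:28
----------------------------------------------------------------
IP Address         MAC Address         Expire(M)    VPN Instance
----------------------------------------------------------------
10.10.90.220       0022-abcd-b948      20
10.10.90.33        000c-293a-4b5d      20
----------------------------------------------------------------
Total:2
"""

# One ipNetToMediaPhysAddress row: <prefix>.<ifIndex>.<a.b.c.d> = <type>: <mac>
WALK_RE = re.compile(
    r"^(?:IP-MIB::ipNetToMediaPhysAddress|\.1\.3\.6\.1\.2\.1\.4\.22\.1\.2)"
    r"\.(?P<ifindex>\d+)\.(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s*=\s*"
    r"(?:STRING|Hex-STRING):\s*(?P<mac>[0-9A-Fa-f: \-]+)$"
)
# One data row of the firewall table; the VPN Instance column may be empty.
FW_ROW_RE = re.compile(
    r"^(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?P<expire>\d+)(?:\s+(?P<vpn>\S+))?$"
)


def normalize_mac(raw: str) -> str:
    """Render a MAC given as a:b:c:d:e:f, AA BB CC DD EE FF or aabb-ccdd-eeff
    in the firewall's lower-case xxxx-xxxx-xxxx form."""
    parts = re.split(r"[:\-\s]+", raw.strip())
    if len(parts) == 3 and all(len(p) == 4 for p in parts):
        octets = [p[i:i + 2] for p in parts for i in (0, 2)]
    else:
        octets = parts
    if len(octets) != 6 or not all(0 < len(o) <= 2 for o in octets):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = "".join(o.zfill(2).lower() for o in octets)
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def parse_snmpwalk_arp(text: str) -> Dict[str, str]:
    """Map IP -> normalized MAC from an ipNetToMediaPhysAddress walk."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = WALK_RE.match(line.strip())
        if m:
            table[m["ip"]] = normalize_mac(m["mac"])
    return table


def parse_fw_arp_sync_table(text: str) -> Tuple[Optional[str], Dict[str, Tuple[str, int, str]]]:
    """Return (sync status, {ip: (mac, expire_minutes, vpn_instance)})."""
    status: Optional[str] = None
    entries: Dict[str, Tuple[str, int, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Synchronization status"):
            status = line.split(":", 1)[1].strip()
            continue
        m = FW_ROW_RE.match(line)
        if m:
            entries[m["ip"]] = (m["mac"].lower(), int(m["expire"]), m["vpn"] or "")
    return status, entries


def compare_arp_tables(device: Dict[str, str],
                       fw: Dict[str, Tuple[str, int, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Return (IPs missing on the FW, IPs whose MAC differs, IPs only on the FW)."""
    missing = sorted(ip for ip in device if ip not in fw)
    mismatched = sorted(ip for ip in device if ip in fw and fw[ip][0] != device[ip])
    extra = sorted(ip for ip in fw if ip not in device)
    return missing, mismatched, extra


if __name__ == "__main__":
    status, fw_entries = parse_fw_arp_sync_table(FW_TABLE_OUTPUT)
    device_arp = parse_snmpwalk_arp(SNMPWALK_OUTPUT)
    missing, mismatched, extra = compare_arp_tables(device_arp, fw_entries)
    print(f"FW sync status: {status}")
    print(f"missing on FW: {missing}")
    print(f"MAC mismatch:  {mismatched}")
    print(f"only on FW:    {extra}")
```

Run the snmpwalk with the same community or USM user that the FW is configured with, so that a failure there points at credentials or reachability rather than at the FW. A mismatch that persists after the next synchronization interval usually means the FW is polling a device further upstream than the one that actually serves the PC, which is the situation the advice about choosing the closest Layer-3 device addresses.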