
Configuring Strict ARP Entry Learning on Interfaces

By configuring strict ARP entry learning in the interface view, a device learns only the address information carried in ARP Reply packets that correspond to ARP Request packets sent by the device itself. The device does not learn address information carried in ARP Request packets sent from other devices. Strict ARP entry learning thus protects the device's ARP entries from being attacked.

Context

Perform the following steps on the FW whose ARP entries are to be protected from attacks:

Procedure

  1. Access the system view.

    system-view

  2. Access the interface view.

    interface interface-type interface-number

    FW supports strict ARP entry learning on the following interfaces:

    • Ethernet interfaces and their sub-interfaces

    • Eth-trunk interfaces and their sub-interfaces

    • VLANIF interfaces

  3. Enable strict ARP entry learning.

    arp learning strict { force-enable | force-disable | trust }

    • If the keyword force-enable is selected, the FW learns only from the ARP Reply packets that answer ARP Request packets sent by the FW itself.

    • If the keyword force-disable is selected, the strict ARP entry learning function on the interface is disabled.

    • If the keyword trust is selected, the strict ARP entry learning function on the interface is disabled and the global ARP entry learning function is enabled.

    Strict ARP entry learning adopts the following longest-match rules:

    • If strict ARP entry learning is configured both on the interface and globally, the configuration on the interface is preferred.

    • If strict ARP entry learning is not configured on the interface, the global strict ARP entry learning configuration takes effect.
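
The learning rule and the interface-over-global precedence described above, as a small Python model. This is an added example, not Huawei code: the function and class names, the sample addresses, and the assumption that non-strict mode learns the sender of every ARP packet are illustrative, and the trust keyword is not modelled.

```python
# Added illustration: a simplified model, not Huawei firmware logic.
REQUEST, REPLY = "request", "reply"

def strict_in_effect(interface_mode, global_strict):
    """Interface setting wins; with none configured, the global one applies."""
    if interface_mode == "force-enable":
        return True
    if interface_mode == "force-disable":
        return False
    if interface_mode is None:          # nothing configured on the interface
        return global_strict
    raise ValueError(f"mode not modelled: {interface_mode!r}")

class ArpTable:
    def __init__(self, strict):
        self.strict = strict
        self.pending = set()   # IPs this device has sent ARP Requests for
        self.entries = {}      # learned IP -> MAC

    def send_request(self, target_ip):
        self.pending.add(target_ip)

    def receive(self, op, sender_ip, sender_mac):
        """Return True if the sender's binding was learned."""
        if self.strict:
            # Learn only a Reply that answers one of our own Requests.
            if op != REPLY or sender_ip not in self.pending:
                return False
            self.pending.discard(sender_ip)
        # Assumption: without strict learning, any ARP packet's sender is learned.
        self.entries[sender_ip] = sender_mac
        return True

# Constructed sample traffic: (op, sender IP, sender MAC)
SAMPLE = [
    (REQUEST, "10.0.0.50", "02:00:00:00:00:50"),  # request from another device
    (REPLY,   "10.0.0.1",  "02:00:00:00:00:99"),  # reply to no request of ours
    (REPLY,   "10.0.0.7",  "02:00:00:00:00:07"),  # answers our own request
]

def run(interface_mode, global_strict):
    table = ArpTable(strict_in_effect(interface_mode, global_strict))
    table.send_request("10.0.0.7")
    for pkt in SAMPLE:
        table.receive(*pkt)
    return table.entries

if __name__ == "__main__":
    print("force-enable :", run("force-enable", False))
    print("force-disable:", run("force-disable", True))
```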

Copyright © Huawei Technologies Co., Ltd.