arp fixup
Function
The arp fixup command enables fixed Address Resolution Protocol (ARP) on a specific interface so that the interface can convert generated dynamic ARP entries to static ARP entries.
Views
Ethernet interface view, Eth-Trunk interface view, VLANIF interface view, Ethernet sub-interface view, or Eth-Trunk sub-interface view
Usage Guidelines
Usage Scenario
To prevent a network attacker from sending pseudo ARP packets to modify ARP entries on a device, run the arp fixup command on the specified interface to enable fixed ARP. Running this command converts dynamic ARP entries that are generated on the interface to static ARP entries.
Prerequisites
ARP automatic scanning has been enabled using the arp scan command.
ARP automatic scanning is generally used with fixed ARP. A device can use ARP automatic scanning to generate dynamic ARP entries about all its neighbor devices. Then the device can use fixed ARP to convert the dynamic ARP entries to static ARP entries. This process prevents a network from attacks.
Precautions
- By default, this function is disabled.
- The number of static ARP entries converted by fixed ARP must be below the upper limit of static ARP entries that a device can generate. If the device has a maximum of static ARP entries, subsequent dynamic ARP entries cannot be converted into static ones. The limit of static ARP entries may cause some dynamic ARP entries to be fixed. In this case, the device prompts you with an error message.
- Like configured static ARP entries, static ARP entries converted by fixed ARP can be deleted one by one using the undo arp static command or deleted altogether using the reset arp command.