The arp learning strict force-enable command enables strict Address Resolution Protocol (ARP) learning in the interface view. After that, the device receives only the reply message in response to ARP request sent by itself.
The arp learning strict force-disable command disables strict ARP learning in the interface view.
The arp learning strict trust command disables strict ARP learning configured in the interface and enable strict ARP learning configured globally.
The undo arp learning strict command disables strict ARP learning configured in the interface and enable strict ARP learning configured globally.
By default, strict ARP learning is disabled.
| Parameter | Description | Value |
|---|---|---|
| force-enable | Enable strict ARP learning on an interface. | - |
| force-disable | Disable strict ARP learning on an interface. | - |
| trust | Remove the strict ARP learning policy configured on an interface and adopt the global strict ARP learning policy. | - |
Ethernet interface view, Ethernet sub-interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view, or VLANIF interface view
Usage Scenario
The attacker sends a large number of bogus ARP request and reply messages to a device on a network. As a result, the ARP buffer is overflowed and unable to cache normal ARP entries. Enabling strict ARP learning can resolve such a problem. Strict ARP learning allows a device to receive only ARP reply messages in response to the requests sent by itself, ensuring the device security.
Configuration Impact
When other devices send ARP request messages to a device enabled with strict ARP learning, the device responds to these devices with reply messages, but does not add MAC addresses of these devices immediately into its ARP entries (or refresh its ARP entries). Instead, the device sends ARP request messages to these devices, and adds MAC address of devices responding to the requests to the ARP entries (or refresh the ARP entries).
Precautions
Ethernet interfaces and Ethernet sub-interfaces
Eth-Trunk interfaces and Eth-Trunk sub-interfaces
VLANIF interfaces
Sub-interface for Dot1q VLAN tag termination
Enabling strict ARP learning on an inter-board VLANIF interface is not recommended.
After the arp learning strict force-enable command is run, the specified interface refreshes or adds ARP entries in strict ARP learning mode. If interfaces on a device have a large number of ARP entries, to simplify configurations, run the arp learning strict command or the arp learning strict trust command to enable strict ARP learning globally.
The matching of strict ARP learning is based on the most accuracy principle.
If strict ARP learning is configured globally and in the interface view, strict ARP learning configured in the interface view is adopted.
If strict ARP learning is not configured in the interface view, strict ARP learning configured globally is adopted.