The arp learning strict command enables strict Address Resolution Protocol (ARP) learning, so that a device learns ARP entries only from ARP reply messages that answer ARP requests the device itself sent.
The undo arp learning strict command disables strict ARP learning, so that the device accepts all ARP reply messages and learns from ARP requests sent by other devices as well.
By default, strict ARP learning is disabled.
Usage Scenario
An attacker sends a large number of bogus ARP request and reply messages to a device on the network. As a result, the ARP buffer overflows and can no longer cache legitimate ARP entries. Enabling strict ARP learning mitigates this problem: a device with strict ARP learning accepts only ARP reply messages that answer requests it sent itself, so unsolicited messages cannot populate its ARP table.
Configuration Impact
When other devices send ARP request messages to a device enabled with strict ARP learning, the device still responds to them with ARP reply messages, but it does not immediately add the MAC addresses carried in those requests to its ARP entries (or refresh existing ARP entries). Instead, the device sends its own ARP request messages to those devices, and only adds the MAC addresses of the devices that respond to its request to the ARP entries (or refreshes the ARP entries accordingly).
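The learning rules described above, as an added simulation that is not part of the command reference or any product code: the ArpCache class, the frame tuples and all IP and MAC addresses are constructed for illustration, and the class models both the strict and the default (non-strict) behaviour so the two can be compared under a bogus-reply flood.

```python
from dataclasses import dataclass, field

@dataclass
class ArpCache:
    """Simulated ARP table; strict=True models 'arp learning strict'."""
    my_ip: str
    my_mac: str
    strict: bool = True
    table: dict = field(default_factory=dict)   # peer IP -> MAC learned
    pending: set = field(default_factory=set)   # IPs this host has asked about
    sent: list = field(default_factory=list)    # frames emitted: (op, sip, smac, tip)

    def request(self, ip):
        """Send our own ARP request; only replies to these may be learned."""
        self.pending.add(ip)
        self.sent.append(("request", self.my_ip, self.my_mac, ip))

    def receive(self, op, sender_ip, sender_mac, target_ip):
        if target_ip != self.my_ip:
            return "ignored"                     # not addressed to us
        if op == "request":
            # Always answer, but in strict mode do not learn from the request:
            # probe the sender ourselves and learn from its reply instead.
            self.sent.append(("reply", self.my_ip, self.my_mac, sender_ip))
            if self.strict:
                self.request(sender_ip)
                return "replied, probing"
            self.table[sender_ip] = sender_mac
            return "replied, learned"
        if self.strict and sender_ip not in self.pending:
            return "dropped"                     # unsolicited reply: not learned
        self.pending.discard(sender_ip)
        self.table[sender_ip] = sender_mac
        return "learned"

def demo():
    """Constructed scenario: a flood of bogus unsolicited replies followed by
    one genuine neighbour exchange. Returns (strict entries, non-strict entries)."""
    strict = ArpCache("10.0.0.1", "aa:aa:aa:aa:aa:01")
    loose = ArpCache("10.0.0.1", "aa:aa:aa:aa:aa:01", strict=False)
    for dev in (strict, loose):
        for i in range(1, 255):                  # attacker floods 254 fake entries
            dev.receive("reply", f"10.0.1.{i}", "de:ad:be:ef:00:01", "10.0.0.1")
        dev.receive("request", "10.0.0.2", "aa:aa:aa:aa:aa:02", "10.0.0.1")  # real peer asks us
        dev.receive("reply", "10.0.0.2", "aa:aa:aa:aa:aa:02", "10.0.0.1")    # peer answers our probe
    return len(strict.table), len(loose.table)
```

In the constructed flood the strict table ends with a single genuine entry while the non-strict table holds 255, which is the buffer-exhaustion effect the usage scenario describes.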
Precautions
After the arp learning strict command is run, all interfaces on the device add or refresh ARP entries in strict ARP learning mode. If strict ARP learning is enabled globally while network devices change frequently (for example, during network setup), ARP entries are refreshed slowly, which reduces network efficiency. For finer-grained control and better network efficiency, you can instead run the arp learning strict command on individual interfaces as required, enabling strict ARP learning only on those interfaces.