Arp-Safeguard solution

1. Arp-safeguard Function

CP

CP-CAR
Rate-limited for
unsolicited
ARP reply
refreshment
Attack ARP reply
Normal ARP reply
ARP request

Forwarding
Plane

ARP reply
Rate-limited for
proxy ARP
ARP request/reply
After config the command arp-safeguard enable only normal ARP reply send to
CPU,if have attack ARP reply,have a CP-Car to limit(default).
When receive a normal ARP request, reply on port directly, no need send to CPU.
Currently, on NE40E can receive lots of ARP request (NE40 send the ARP request
but backtrack and broadcast) when received the ARP request and the
destination is not NE40E,so the packet will be discard.

2014-11-24

1 , 2

2. Deploy Arp-safeguard
interface GigabitEthernet2/1/1.2758
arp-safeguard enable
Using the arp-safeguard enable command, you can enable ARP bidirectional
isolation.
Using the undo arp-safeguard enable command, you can disable ARP
bidirectional isolation.
By default, ARP bidirectional isolation is disabled.
Ethernet interface view, Ethernet sub-interface view, Eth-Trunk interface view,
Eth-Trunk sub-interface view, or VLANIF interface view

2014-11-24

2 , 2