# ARP/ND Configuration Guide
## ARP

### Introduction

ARP (Address Resolution Protocol) is a protocol for obtaining MAC addresses based on IP addresses. The host broadcasts an ARP request containing the target IP address to all hosts on the local area network and receives the reply, which determines the physical address of the target. Upon receipt of the reply, the IP address and physical address are stored in the local ARP cache and retained for a certain period of time; the ARP cache is queried directly on the next request to save resources.

### Basic Concepts

#### Dynamic ARP

Dynamic ARP table entries are automatically generated and maintained by the ARP protocol through ARP packets. They can be aged and updated, and can be overwritten by static ARP table entries. When the aging time is reached or the interface goes down, the corresponding dynamic ARP table entry is deleted.

#### Static ARP

Static ARP table entries are configured and maintained manually; they are not aged out and cannot be overwritten by dynamic ARP table entries. Configuring static ARP table entries increases the security of communication. When the network resources of the deployment are more abundant, you can choose to deploy static ARP and fix the mapping between IP addresses and MAC addresses.

#### ARP Proxy

If hosts belong to the same subnet but are not on the same physical network, and the gateway devices connected to the hosts have different gateway addresses, then for the hosts to communicate with each other, ARP proxy must be enabled on the switch interfaces connected to the hosts. When ARP proxy is enabled, the switch responds to ARP requests for IP addresses within the same subnet using its own MAC address.

### ARP Configuration

#### ARP Default Setting

The default settings of ARP are shown in the table below.

Table 1 ARP default setting

| Parameters | Default value |
| --- | --- |
| Aging time of dynamic ARP table entries | 300 seconds |
| ARP proxy | Not enabled |
| ARP probe interval | 6 seconds |
| ARP probe times | 5 times |

#### Configure Static ARP

Configuring static ARP table entries protects the ARP table from being overwritten, but the configuration effort is high and it is not suitable for network environments where host IP addresses may change; it is recommended for smaller networks.

Table 2 Configure static ARP

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Configure a static ARP entry | `arp static A.B.C.D HH:HH:HH:HH:HH:HH interface { ethernet \| vlan \| link-aggregation } interface-name [ subinterface-number ]` | |

#### Configure Global ARP Timeout

Table 3 Configure global ARP timeout

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Configure ARP timeout | `arp timeout aging-time` | aging-time: range [1-65535], in units of seconds |

#### Configure ARP Timeout for Interface

Table 4 Configure ARP timeout for interface

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Enter interface configuration view | `interface { ethernet interface-name [ subinterface-number ] \| link-aggregation lag-id [ subinterface-number ] \| vlan vlan-id }` | |
| Configure ARP timeout | `arp timeout aging-time` | aging-time: range [1-65535], in units of seconds |

#### Configure ARP Probe Parameters

Table 5 Configure global ARP probe parameters

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Configure the probe interval | `arp probe interval interval-time` | interval-time: range [1-65535], in units of seconds |
| Configure the probe times | `arp probe times num` | num: range [1-65535], in units of seconds |

#### Configure ARP Probe Parameters for Interface

Table 6 Configure ARP probe parameters for interface

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Enter interface configuration view | `interface { ethernet interface-name [ subinterface-number ] \| link-aggregation lag-id [ subinterface-number ] \| vlan vlan-id }` | |
| Configure the probe interval | `arp probe interval interval-time` | interval-time: range [1-65535], in units of seconds |
| Configure the probe times | `arp probe times num` | num: range [1-65535], in units of seconds |

#### Configure ARP to Host Route

Enabling ARP-to-host route translation converts ARP table entries learned by the ToR device into host routes that can be propagated to other devices via BGP. Users can configure ARP-to-host route translation policies. This series provides two levels of conversion policy.

Level 1: port policy. The action of a port policy is permit, deny or pass. The default policy for all ports must be configured first, followed by any special (per-port) policy. If the incoming port matches a configured interface, the special policy is used; otherwise the default policy is used. If the resulting policy is permit or deny, the conversion is performed or not performed directly, without consulting the next-level network policy; if the policy is pass, the next-level network policy decides whether to convert.

Level 2: network policy. The action of a network policy is permit or deny. The default network policy must be configured first, followed by any special policy. If the neighbor IP matches a configured network, the special policy is used; otherwise the default policy is used.

Table 7 Configure ARP to host route

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Enter ARP-to-host configuration view | `arp-to-host` | |
| Enable ARP-to-host conversion | `enable [ vrf vrf-name ]` | If the vrf parameter is omitted, the default VRF is enabled |
| Configure the ARP-to-host port route policy | `policy port { ethernet \| link-aggregation } interface-name { permit \| deny \| pass }` | Port policy, applied in the global configuration |
| Configure the ARP-to-host default route policy or network route policy | `policy [ vrf vrf-name ] { port default { permit \| deny \| pass } \| network default { permit \| deny } \| network A.B.C.D/M { permit \| deny } }` | vrf-name: VRF name; the default is the default VRF. A.B.C.D/M: an IPv4 address with prefix length |

#### Configure ARP Proxy

ARP proxy has two modes:

- Default mode: when the switch receives an ARP request from the same network segment, it replies with the gateway's MAC address.
- EVPN mode: used in EVPN scenarios to facilitate Layer 3 communication between hosts under different VTEPs. When ARP proxy is enabled on the gateway VLAN, the switch replies to ARP requests from the same network segment with the actual MAC address of the host.

Table 8 Configure ARP proxy

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Enter interface configuration view | `interface { ethernet interface-name [ subinterface-number ] \| link-aggregation lag-id [ subinterface-number ] \| vlan vlan-id }` | |
| Enable ARP proxy | `arp proxy [ mode default ]` | |

#### Configure Extend ARP Proxy

There are two extended features for ARP proxy:

- ARP active detection: enabled in Layer 2 networks where silent terminals (terminals that do not actively send ARP packets) are present. When this feature is active and the switch receives an ARP request whose target IP belongs to the same network segment, the switch actively sends an ARP request to probe for that host.
- ARP reply packet learning: by default, the switch only learns the source IP from ARP request packets. When this feature is enabled, upon receiving an ARP reply packet, the switch adds the source IP to the dynamic ARP table.

Table 9 Configure extend ARP proxy

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Enter interface configuration view | `interface { ethernet interface-name [ subinterface-number ] \| link-aggregation lag-id [ subinterface-number ] \| vlan vlan-id }` | |
| Enable silent terminal active detection | `arp proxy extend request` | |
| Enable learning of ARP reply packets | `arp proxy extend reply` | |

#### Disable ARP Flooding

Disabling ARP flooding is applicable in scenarios that demand high performance, low latency, or enhanced security. For instance, in large-scale virtualized environments, the frequent migration of virtual machines can result in a surge of ARP requests across the network; without proper control, ARP flooding can trigger broadcast storms, increasing network load and degrading performance. Moreover, in VXLAN overlay networks, ARP flooding can cause unnecessary traffic spread, impacting bandwidth efficiency. By activating the ARP proxy feature and disabling ARP flooding, switches can handle ARP requests directly, which significantly reduces broadcast traffic. Furthermore, disabling ARP flooding helps mitigate ARP spoofing attacks, thus bolstering network security.

Table 10 Disable ARP flooding

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Disable ARP flooding | `arp broadcast disable` | This command takes effect globally |

### Display and Maintenance

Table 11 ARP display and maintenance

| Purpose | Commands | Description |
| --- | --- | --- |
| Display ARP entries | `show arp` | |
| Display ARP-to-host summary configuration | `show arp-to-host summary` | summary: shows basic ARP-to-host information |
| Display ARP-to-host detailed configuration | `show arp-to-host policy` | policy: shows ARP-to-host rule information |
| Clear all dynamic ARP entries | `clear neighbor all` | |
| Clear the dynamic ARP entries of an interface | `clear neighbor interface { ethernet \| link-aggregation \| vlan } { interface-name [ subinterface-number ] }` | |

### Typical Configuration Example

#### Configure ARP Proxy

Networking requirements: two users on the same subnet are isolated into two different physical networks by different physical routers. These users, in the same subnet but in different physical networks, now need to communicate with each other.

Topology: (figure)

Procedure: in this example, to simplify the networking, Layer 3 reachability between the hosts is achieved by deploying a directly connected link (Ethernet 0/0) and static routes on Device A and Device B.

Device A

```
# Configure an interconnect link and a static route between Device A and B
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# ip address 11.0.0.1/24
sonic(config-if-0/0)# exit
sonic(config)# ip route 10.10.0.3/32 11.0.0.2
# Configure a VLAN and IP
sonic(config)# vlan 10
sonic(config-vlan-10)# exit
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 10.10.0.1/24
sonic(config)# interface ethernet 0/4
sonic(config-if-0/4)# switchport access vlan 10
# Enable ARP proxy
sonic(config-vlanif-10)# interface vlan 10
sonic(config-vlanif-10)# arp proxy mode default
```

Device B

```
# Configure an interconnect link and a static route between Device A and B
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# ip address 11.0.0.2/24
sonic(config-if-0/0)# exit
sonic(config)# ip route 10.10.0.2/32 11.0.0.1
# Configure a VLAN and IP
sonic(config)# vlan 10
sonic(config-vlan-10)# exit
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 10.10.0.1/24
sonic(config)# interface ethernet 0/4
sonic(config-if-0/4)# switchport access vlan 10
# Enable ARP proxy
sonic(config-vlanif-10)# interface vlan 10
sonic(config-vlanif-10)# arp proxy mode default
```

Hosts

Configure VM1's IP address as 10.10.0.2/24 and VM2's IP address as 10.10.0.3/24.

Verification
Let VM1 send NS messages to VM2 and check the ARP neighbor table on VM1. It shows that the VM2 MAC is the MAC of VLAN 10. VM1 and VM2 can ping each other.

## ND

### Introduction

The ND (Neighbor Discovery) protocol is a key protocol of IPv6. It combines protocols such as ARP, ICMP router discovery and ICMP redirect from IPv4 and improves on them. As a foundational protocol of IPv6, ND also provides prefix discovery, neighbor unreachability detection, duplicate address detection and stateless address autoconfiguration (SLAAC).

### Basic Concepts

#### Dynamic ND

Dynamic ND table entries are automatically generated and maintained by the ND protocol through ND packets. They can be aged and updated, and can be overwritten by static ND table entries. When the aging time is reached or the interface goes down, the corresponding dynamic ND table entry is deleted.

#### Static ND

Static ND table entries are configured and maintained manually; they are not aged out and cannot be overwritten by dynamic ND table entries. Configuring static ND table entries increases the security of communication. When the network resources of the deployment are more abundant, you can choose to deploy static ND and fix the mapping between IP addresses and MAC addresses.

#### ND Proxy

If hosts belong to the same network segment but are on different physical networks, or belong to the same network segment on the same physical network but cannot communicate with each other at Layer 2, you can enable ND proxy on the connected interface of the switch to achieve intercommunication between the hosts. When ND proxy is enabled, the switch uses its own MAC as the source MAC and the destination host's IPv6 address as the source IP to reply to the source host with an NA message, answering the NS request from the same network segment on behalf of the destination host.

#### SLAAC

SLAAC is the stateless address autoconfiguration mechanism of IPv6. It uses RS (Router Solicitation) and RA (Router Advertisement) messages to complete stateless autoconfiguration between IPv6 routers and IPv6 hosts: the host discovers the IPv6 router on the link through RS messages, the router advertises IPv6 address prefix information to the host through RA messages, and the host automatically configures its IPv6 global unicast address after receiving the prefix information. RADV (the Router Advertisement message) is a message broadcast by the IPv6 router to the switches in the local network and is the core component of the SLAAC mechanism. Users can manually configure whether an interface sends RA messages and the sending interval, as well as the parameters carried in the RA messages advertised to other devices.

### ND Configuration

#### ND Default Setting

The default settings of ND are shown in the table below.

Table 12 ND default setting

| Parameters | Default value |
| --- | --- |
| Aging time of dynamic ND table entries | 300 seconds |
| ND proxy | Not enabled |
| ND probe interval | 6 seconds |
| ND probe times | 5 times |
| RA notification | Disable |
| MTU of the link for RA notification | 9216 |
| RA managed flag | Off |
| RA other config flag | Off |
| RA on-link flag | On |
| RA autonomous flag | On |
| Maximum time interval for RA notifications | 600 s |
| Minimum time interval for RA notifications | 200 s |

#### Configure Static ND

Configuring static ND table entries protects the ND table from being overwritten, but the configuration effort is high and it is not suitable for network environments where host IP addresses may change; it is recommended for smaller networks.

Table 13 Configure static ND

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Configure a static ND entry | `ndp static X:X::X/M HH:HH:HH:HH:HH:HH interface { ethernet interface-name [ subinterface-number ] \| link-aggregation lag-id [ subinterface-number ] \| vlan vlan-id }` | |

#### Configure ND to Host Route

Enabling ND-to-host route translation converts ND table entries learned by the ToR device into host routes that can be propagated to other devices via BGP. Users can configure ND-to-host route translation policies. This series provides two levels of conversion policy.

Level 1: port policy. The action of a port policy is permit, deny or pass. The default policy for all ports must be configured first, followed by any special (per-port) policy. If the incoming port matches a configured interface, the special policy is used; otherwise the default policy is used. If the resulting policy is permit or deny, the conversion is performed or not performed directly, without consulting the next-level network policy; if the policy is pass, the next-level network policy decides whether to convert.

Level 2: network policy. The action of a network policy is permit or deny. The default network policy must be configured first, followed by any special policy. If the neighbor IP matches a configured network, the special policy is used; otherwise the default policy is used.

Table 14 Configure ND to host route

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Enter ND-to-host configuration view | `arp-to-host` | |
| Enable ND-to-host conversion | `enable [ vrf vrf-name ]` | Applied to the default VRF when vrf is not specified |
| Set the default port policy | `policy [ vrf vrf-name ] port default { permit \| deny \| pass }` | |
| (Optional) Set the policy for a specific port | `policy [ vrf vrf-name ] port { ethernet \| link-aggregation } interface-num { permit \| deny \| pass }` | |
| (Optional) Set the default network policy | `policy [ vrf vrf-name ] network default { permit \| deny }` | |
| (Optional) Set the policy for a specific network | `policy [ vrf vrf-name ] network X:X::X/M { permit \| deny }` | |

Note: there is no separate command set for ND-to-host; the functionality shares the ARP-to-host series of commands.

#### Configure ND Proxy

Table 15 Configure ND proxy

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Enter interface configuration view | `interface { ethernet interface-name [ subinterface-number ] \| link-aggregation lag-id [ subinterface-number ] \| vlan vlan-id }` | |
| Enable ND proxy | `nd proxy mode default` | |

#### Configure IPv6 Neighbor Discovery

Table 16 Configure IPv6 neighbor discovery

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Enable RA notification | `radv enable` | |
| Enter interface configuration view | `interface { ethernet interface-name [ subinterface-number ] \| link-aggregation lag-id [ subinterface-number ] \| vlan vlan-id }` | |
| Configure prefix information for RA notification | `radv prefix X:X::X/M` | |
| (Optional) Configure DNS information for RA notification | `radv dns server X:X::X` | |
| (Optional) Configure the MTU of the link for RA notification | `radv link mtu mtu` | Ensure that all nodes on the same link use the same MTU value |
| (Optional) Configure route information for RA notification | `radv route information X:X::X/M [ preference { low \| high \| medium } ]` | |
| (Optional) Set the managed flag to on | `radv managed flag` | Determines whether hosts use a stateful protocol for IPv6 address autoconfiguration; the default is off |
| (Optional) Set the other config flag to on | `radv other config flag` | Determines whether hosts use a stateful protocol for autoconfiguration of other (non-address) information; the default is off |
| (Optional) Set the on-link flag to off | `radv offlink` | |
| (Optional) Set the autonomous flag to off | `radv no autonomous` | |
| (Optional) Set the maximum and minimum time interval between two RA notifications | `radv ra interval MaxRtrAdvInterval MinRtrAdvInterval` | MaxRtrAdvInterval: maximum interval for RA notifications in seconds, default 600. MinRtrAdvInterval: minimum interval for RA notifications in seconds, default 600 |
| Commit the configuration to take effect | `radv commit` | |

#### Disable ND Broadcast

### Display and Maintenance

Table 17 Display and maintenance

| Purpose | Commands | Description |
| --- | --- | --- |
| Display IPv6 neighbors | `show ndp [ interface { ethernet interface-name [ subinterface-number ] \| link-aggregation lag-id [ subinterface-number ] \| vlan vlan-id } ] [ X:X::X/M ]` | |
| Display ND-to-host configuration | `show arp-to-host summary` | |
| Display ND-to-host detailed configuration | `show arp-to-host policy` | |
| Show RADV configuration | `show radv` | |

### Typical Configuration Example

#### Configure ND Proxy

Networking requirements: two users on the same subnet are isolated into two different physical networks by different physical routers. These users, in the same subnet but in different physical networks, now need to communicate with each other.

Topology: (figure)

Procedure: in this example, to simplify the networking, Layer 3 reachability between the hosts is achieved by deploying a directly connected link (Ethernet 0/0) and static routes on Device A and Device B.

Device A

```
# Configure an interconnect link and a static route between Device A and B
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# ip address 2000::1/64
sonic(config-if-0/0)# exit
sonic(config)# ipv6 route 2001::3/128 2000::2
# Configure a VLAN and IP
sonic(config)# vlan 10
sonic(config-vlan-10)# exit
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 2001::1/64
sonic(config)# interface ethernet 0/4
sonic(config-if-0/4)# switchport access vlan 10
# Enable ND proxy
sonic(config-vlanif-10)# interface vlan 10
sonic(config-vlanif-10)# nd proxy mode default
```

Device B

```
# Configure an interconnect link and a static route between Device A and B
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# ip address 2000::2/64
sonic(config-if-0/0)# exit
sonic(config)# ipv6 route 2001::2/128 2000::1
# Configure a VLAN and IP
sonic(config)# vlan 10
sonic(config-vlan-10)# exit
sonic(config)# interface vlan 10
sonic(config-vlanif-10)# ip address 2001::1/64
sonic(config)# interface ethernet 0/4
sonic(config-if-0/4)# switchport access vlan 10
# Enable ND proxy
sonic(config-vlanif-10)# interface vlan 10
sonic(config-vlanif-10)# nd proxy mode default
```

Hosts

Configure VM1's IPv6 address as 2001::2/64 and VM2's IPv6 address as 2001::3/64.

Verification

Let VM1 send NS messages to VM2 and check the IPv6 neighbor table on VM1. It shows that the VM2 MAC is the MAC of VLAN 10. VM1 and VM2 can ping each other.
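The two-level ARP-to-host and ND-to-host conversion policy (Tables 7 and 14) decides which learned, unauthenticated neighbor entries are turned into host routes and leaked into BGP, so it is worth modelling before enabling it. The following is an added example, not the switch vendor's code: it evaluates the port policy first (permit/deny decide, pass defers) and then the network policy for IPv4 and IPv6 neighbors; where several configured networks contain the neighbor IP it assumes the longest prefix wins, which the page does not state. Interface names and neighbor entries are constructed.

```python
"""Model of the two-level ARP/ND-to-host route conversion policy described on this page.

Added example (not vendor code). Level 1 is the port policy: permit and deny decide
at once, pass defers to level 2, the network policy keyed on the neighbor IP.
Assumption not stated on the page: among overlapping configured networks, the
longest prefix wins.
"""
from ipaddress import ip_address, ip_network

PORT_ACTIONS = ("permit", "deny", "pass")
NETWORK_ACTIONS = ("permit", "deny")      # a network policy cannot "pass"


class HostRoutePolicy:
    def __init__(self, port_default="permit", network_default="permit"):
        self.port_default = self._check(port_default, PORT_ACTIONS)
        self.network_default = self._check(network_default, NETWORK_ACTIONS)
        self.ports = {}      # interface name -> port action
        self.networks = {}   # ip_network -> network action

    @staticmethod
    def _check(action, allowed):
        if action not in allowed:
            raise ValueError(f"action {action!r} not in {allowed}")
        return action

    def set_port(self, iface, action):
        self.ports[iface] = self._check(action, PORT_ACTIONS)

    def set_network(self, prefix, action):
        self.networks[ip_network(prefix, strict=False)] = self._check(action, NETWORK_ACTIONS)

    def convert(self, iface, neighbor_ip):
        """True if the entry learned on iface for neighbor_ip becomes a host route."""
        action = self.ports.get(iface, self.port_default)      # level 1: port policy
        if action != "pass":
            return action == "permit"
        ip = ip_address(neighbor_ip)                            # level 2: network policy
        best = None
        for net, act in self.networks.items():
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, act)                           # longest match (assumption)
        return (best[1] if best else self.network_default) == "permit"


def host_routes(policy, neighbors):
    """Host routes (/32 or /128) produced from (interface, neighbor_ip) entries."""
    routes = []
    for iface, nbr in neighbors:
        if policy.convert(iface, nbr):
            ip = ip_address(nbr)
            routes.append(f"{ip}/{ip.max_prefixlen}")
    return routes


# Constructed sample entries; not taken from a real device's ARP/ND table.
SAMPLE_NEIGHBORS = [
    ("Ethernet4", "10.10.0.2"),
    ("Ethernet5", "10.10.0.3"),
    ("Ethernet6", "10.10.0.9"),
    ("Ethernet4", "192.168.1.7"),
    ("Ethernet4", "2001::2"),
]


def example_policy():
    """Ports pass by default, Ethernet6 is denied outright, and only 10.10.0.0/24
    and 2001::/64 neighbors are converted; everything else falls to network default deny."""
    p = HostRoutePolicy(port_default="pass", network_default="deny")
    p.set_port("Ethernet6", "deny")
    p.set_network("10.10.0.0/24", "permit")
    p.set_network("2001::/64", "permit")
    return p


if __name__ == "__main__":
    print(host_routes(example_policy(), SAMPLE_NEIGHBORS))
```

A deny default at the network level, as in `example_policy`, keeps stray or spoofed neighbor entries from becoming advertised routes.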

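The radv commands in Table 16 set fields that end up in the Router Advertisement on the wire: the M and O flags, the L and A flags of each prefix, the link MTU, route information with its preference, and DNS servers. The following decoder is an added example, not vendor code, for checking what a switch actually advertises against the Table 12 defaults (or for inspecting an RA that appears on a segment unexpectedly). It parses the ICMPv6 message without the IPv6 header, so the checksum is not validated, and the prefix, route and DNS values in `build_ra` are constructed.

```python
"""Decoder for the ICMPv6 Router Advertisement fields that this page's radv commands set
(M/O flags, prefix L/A flags, link MTU, route information, DNS servers). Added example,
not vendor code; input is the ICMPv6 message without the IPv6 header, so no checksum."""
import struct
from ipaddress import IPv6Address, IPv6Network

PREFERENCE = {0b00: "medium", 0b01: "high", 0b11: "low"}  # RFC 4191 Prf field


def parse_ra(msg: bytes) -> dict:
    """Parse an RA (RFC 4861/4191/8106 layouts); raises ValueError when malformed."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    hop, flags, lifetime = struct.unpack("!BBH", msg[4:8])
    ra = {"cur_hop_limit": hop, "managed": bool(flags & 0x80),
          "other_config": bool(flags & 0x40), "router_lifetime": lifetime,
          "prefixes": [], "mtu": None, "routes": [], "dns_servers": []}
    off = 16
    while off < len(msg):
        olen = msg[off + 1] * 8 if off + 1 < len(msg) else 0
        if olen == 0 or off + olen > len(msg):  # RFC 4861: zero-length options are invalid
            raise ValueError("bad option length")
        otype, opt = msg[off], msg[off:off + olen]
        if otype == 3 and olen == 32:  # Prefix Information
            plen, pflags, valid, pref = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": str(IPv6Network((opt[16:32], plen), strict=False)),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid_lifetime": valid, "preferred_lifetime": pref})
        elif otype == 5 and olen == 8:  # MTU
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        elif otype == 24:  # Route Information; prefix field is 0, 8 or 16 bytes
            plen, rflags, rlife = struct.unpack("!BBI", opt[2:8])
            net = IPv6Network((opt[8:olen].ljust(16, b"\0"), plen), strict=False)
            ra["routes"].append({"prefix": str(net), "lifetime": rlife,
                                 "preference": PREFERENCE.get((rflags >> 3) & 3, "reserved")})
        elif otype == 25:  # Recursive DNS Server
            ra["dns_servers"] += [str(IPv6Address(opt[i:i + 16])) for i in range(8, olen, 16)]
        off += olen
    return ra


def build_ra(managed=False, other=False, on_link=True, autonomous=True, mtu=9216,
             prefix="2001::/64", route=("2001:db8:1::/48", "high"), dns="2001::1"):
    """Constructed RA for exercising the parser; prefix, route and DNS values are made up."""
    net, rnet = IPv6Network(prefix), IPv6Network(route[0])
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, managed * 0x80 | other * 0x40, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, on_link * 0x80 | autonomous * 0x40,
                      2592000, 604800, 0) + net.network_address.packed
    mtuo = struct.pack("!BBHI", 5, 1, 0, mtu)
    prf = {"medium": 0, "high": 1, "low": 3}[route[1]] << 3
    rio = struct.pack("!BBBBI", 24, 3, rnet.prefixlen, prf, 1800) + rnet.network_address.packed
    rdnss = struct.pack("!BBHI", 25, 3, 0, 1800) + IPv6Address(dns).packed
    return hdr + pio + mtuo + rio + rdnss


def deviations_from_defaults(ra: dict) -> list:
    """Where a captured RA differs from this page's radv defaults (Table 12)."""
    out = []
    if ra["managed"]: out.append("managed flag on")
    if ra["other_config"]: out.append("other config flag on")
    if ra["mtu"] not in (None, 9216): out.append(f"link mtu {ra['mtu']}")
    for p in ra["prefixes"]:
        if not p["on_link"]: out.append(f"{p['prefix']} on-link off")
        if not p["autonomous"]: out.append(f"{p['prefix']} autonomous off")
    return out
```

Feed `parse_ra` the ICMPv6 payload of an RA captured on the VLAN interface to confirm the committed radv settings; an unexpected M flag or a foreign prefix in the deviation list is worth investigating.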