Configuring ARP snooping
ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. Manual-mode MFF can use the ARP snooping entries. For more information about MFF, see Security Configuration Guide.
If you enable ARP snooping for a VLAN, ARP packets received in the VLAN are redirected to the CPU. The CPU uses the sender IP and MAC addresses of the ARP packets, and receiving VLAN and port to create ARP snooping entries.
The aging timer and valid period of an ARP snooping entry are 25 minutes and 15 minutes. If an ARP snooping entry is not updated in 12 minutes, the device sends an ARP request. The ARP request uses the IP address of the entry as the target IP address. If an ARP snooping entry is not updated in 15 minutes, it becomes invalid and cannot be used. After that, if an ARP packet matching the entry is received, the entry becomes valid, and its aging timer restarts. If the aging timer of an ARP snooping entry expires, the entry is removed.
An attack occurs if an ARP packet has the same sender IP address as a valid ARP snooping entry but a different sender MAC address. The ARP snooping entry becomes invalid, and it is removed in 1 minute.