Configuring ARP reply agent in a VPLS service

When ARP reply agent is enabled, the 7450 ESS or 7750 SR responds to ARP requests from the network with information from the DHCP lease state table.

In the upstream direction (toward the network), the ARP reply agent intercepts ARP requests on subscriber SAPs and checks them against the DHCP lease state table. The purpose is to prevent a malicious subscriber from spoofing ARP request or ARP reply messages and thereby populating the upstream router's ARP table with incorrect entries.

The following example displays a partial BSA configuration with ARP reply agent enabled on a SAP:

A:ALA-48>config>service# info
----------------------------------------------
...
    vpls 800 customer 6001 create
        description "VPLS with ARP Reply Agent active"
        sap 2/1/4:100 split-horizon-group "DSL-group2" create
            arp-reply-agent sub-ident
        exit
        sap 3/1/4:200 split-horizon-group "DSL-group2" create
            arp-reply-agent sub-ident
        exit
        no shutdown
...
----------------------------------------------
A:ALA-48>config>service#
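
The upstream check described above can be modelled in a few lines. This is an added example, not Nokia code and not the router's actual implementation: it parses an Ethernet/IPv4 ARP payload and forwards it only when the sender IP/MAC pair matches a lease recorded for the ingress SAP. The lease entries, addresses, function names and the forward/drop policy are assumptions made for illustration; only the SAP identifiers are taken from the configuration above.

```python
import socket
import struct

# Constructed lease state: SAP -> {(IPv4, MAC)} as DHCP snooping would record it.
LEASES = {
    "2/1/4:100": {("10.0.0.10", "00:11:22:33:44:55")},
    "3/1/4:200": {("10.0.0.20", "00:11:22:33:44:66")},
}

ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte ARP payload for Ethernet/IPv4


def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed ARP payload (op 1 = request, 2 = reply)."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))


def parse_arp(payload):
    """Return (op, sender_mac, sender_ip); reject anything not Ethernet/IPv4."""
    size = struct.calcsize(ARP_FMT)
    if len(payload) < size:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, sha.hex(":"), socket.inet_ntoa(spa)


def check_upstream(sap, payload, leases=LEASES):
    """Assumed policy: forward only if sender IP/MAC has a lease on this SAP."""
    try:
        _op, sha, spa = parse_arp(payload)
    except ValueError:
        return "drop"  # malformed frames never reach the upstream router
    return "forward" if (spa, sha) in leases.get(sap, set()) else "drop"


if __name__ == "__main__":
    zero = "00:00:00:00:00:00"
    ok = build_arp(1, "00:11:22:33:44:55", "10.0.0.10", zero, "10.0.0.1")
    spoof = build_arp(1, "00:11:22:33:44:55", "10.0.0.20", zero, "10.0.0.1")
    print(check_upstream("2/1/4:100", ok), check_upstream("2/1/4:100", spoof))
```

Because the lookup is keyed by SAP, a pair that is valid on one SAP is still dropped when it arrives on another.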