331
Task Remarks
prevention
Configuring ARP active acknowledgement
Optional
Configure this function on gateways
(recommended).
Configuring ARP detection
Optional
Configure this function on access
devices (recommended).
Configuring ARP automatic scanning and fixed
ARP
Optional
Configure this function on gateways
(recommended).
Configuring ARP gateway protection
Optional
Configure this function on access
devices (recommended).
Configuring ARP filtering
Optional
Configure this function on access
devices (recommended).
Configuring ARP defense against IP packet attacks
Introduction
If the device receives a large number of IP packets from a host addressed to unreachable destinations,
• The device sends a large number of ARP requests to the destination subnets, and thus the load of the
destination subnets increases.
• The device keeps trying to resolve destination IP addresses, which increases the load on the CPU.
To protect the device from IP packet attacks, you can enable the ARP source suppression function or ARP
black hole routing function.
If the packets have the same source address, you can enable the ARP source suppression function. With
the function enabled, you can set a threshold for the number of ARP requests that a sending host can
trigger in five seconds with packets with unresolvable destination IP addresses. When the number of ARP
requests exceeds that threshold, the device suppresses the host from triggering any ARP requests in the
following five seconds.
If the packets have various source addresses, you can enable the ARP black hole routing function. After
receiving an IP packet whose destination IP address cannot be resolved by ARP, the device with this
function enabled immediately creates a black hole route and simply drops all packets matching the route
during the aging time of the black hole route.
Configuring ARP source suppression
Follow these steps to configure ARP source suppression:
To do… Use the command…
Remarks
Enter system view system-view —
To Next Page
Loading...
Need help?
General