Configuring ARP packet rate limit
Introduction
The ARP packet rate limit feature allows you to limit the rate at which ARP packets are delivered to the CPU of a
switch. For example, if an attacker sends a large number of ARP packets to a device with ARP detection enabled,
all of those ARP packets are redirected to the CPU for checking and the CPU becomes overloaded. As a result, the
device cannot perform its other functions properly, or even crashes. To solve this problem, configure ARP packet
rate limit.
Enable this feature after ARP detection, ARP snooping, or MFF is configured, or use it on its own to prevent ARP
flood attacks.
Configuring ARP packet rate limit
When the ARP packet rate on an interface exceeds the rate limit set on that interface, a device with ARP packet
rate limit enabled sends trap and log messages to report the event. To avoid generating too many trap and log
messages, you can set the interval at which such messages are sent. Within each interval, the device reports the
peak ARP packet rate observed in the trap and log messages.
Note that trap and log messages are generated only when the trap function of ARP packet rate limit is enabled.
Trap and log messages are sent to the information center of the device. You can set the parameters of the
information center to determine the output rules for trap and log messages. The output rules specify whether
the messages are allowed to be output and where they are sent. For the parameter configuration of the
information center, see Network Management and Monitoring Configuration Guide.
Follow these steps to configure ARP packet rate limit:

Step 1. Enter system view.
   Command: system-view

Step 2. Enable the ARP packet rate limit trap.
   Command: snmp-agent trap enable arp rate-limit
   Remarks: Optional. Enabled by default.

Step 3. Set the interval for sending trap and log messages when the ARP packet rate exceeds the specified threshold rate.
   Command: arp rate-limit information interval seconds
   Remarks: Optional. 60 seconds by default.

Step 4. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
   Command: interface interface-type interface-number

Step 5. Configure ARP packet rate limit.
   Command: arp rate-limit { disable | rate pps drop }
   Remarks: Required. By default, ARP packet rate limit is disabled.
NOTE:
• If you enable ARP packet rate limit on a Layer 2 aggregate interface, trap and log messages are sent when the
ARP packet rate of a member port exceeds the preset threshold rate.
• For more information about the snmp-agent trap enable arp rate-limit command, see the snmp-agent trap
enable arp command in the Network Management and Monitoring Command Reference.
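A complete configuration for the procedure above, as an added example rather than text from the original guide. It assumes a Comware-style CLI with the device name Sysname, a Layer 2 Ethernet interface GigabitEthernet 1/0/1 facing the hosts, a threshold of 100 pps and a 120-second notification interval; the interface name and both numbers are illustrative and must be adapted to the platform and to the legitimate ARP load on the port.

```text
# Added example (not from the guide): ARP packet rate limit on an access port.
# Device name, interface and numeric values are assumptions.
<Sysname> system-view
# Traps for ARP packet rate limit are enabled by default; the command is given so the setting is explicit.
[Sysname] snmp-agent trap enable arp rate-limit
# Send at most one trap/log message every 120 seconds (default 60); each message
# carries the peak ARP packet rate observed during that interval.
[Sysname] arp rate-limit information interval 120
# Apply the limit on the Layer 2 interface facing the hosts. ARP packets above
# 100 pps are dropped on this interface (the feature is disabled by default).
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] arp rate-limit rate 100 drop
[Sysname-GigabitEthernet1/0/1] quit
# Check that the setting is present in the running configuration of the interface.
[Sysname] display current-configuration interface GigabitEthernet 1/0/1
# To remove the limit from the interface later, use the disable form of the same command:
# [Sysname-GigabitEthernet1/0/1] arp rate-limit disable
```

Size the pps threshold above the peak legitimate ARP rate of the port, because ARP packets above the threshold are dropped and hosts behind the port could lose address resolution. When the limit is applied to a Layer 2 aggregate interface, the threshold is compared against each member port individually, as the NOTE above states, so choose it with a single member port's traffic in mind.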