| Task | | Remarks |
|---|---|---|
| User and gateway spoofing prevention | Configuring ARP packet source MAC address consistency check | Optional. Configure this function on gateways (recommended). |
| | Configuring ARP active acknowledgement | Optional. Configure this function on gateways (recommended). |
| | Configuring ARP detection | Optional. Configure this function on access devices (recommended). |
| | Configuring ARP gateway protection | Optional. Configure this function on access devices (recommended). |
| | Configuring ARP filtering | Optional. Configure this function on access devices (recommended). |
Configuring ARP packet rate limit
This feature limits the rate at which ARP packets are delivered to the CPU. For example, if an
attacker sends a large number of ARP packets to a switch with ARP detection enabled, the CPU of the
switch may become overloaded because all ARP packets are redirected to the CPU for checking. As a
result, the switch fails to deliver other functions properly or even crashes. To prevent this, configure
ARP packet rate limit.
Enable this feature after ARP detection or ARP snooping is configured, or use it to prevent
ARP flood attacks.
Follow these steps to configure ARP packet rate limit:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Layer 2 Ethernet port view/Layer 2 aggregate interface view | interface interface-type interface-number | — |
| Configure ARP packet rate limit | arp rate-limit { disable \| rate pps drop } | Required. Disabled by default. |
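Because the limit is disabled by default, a port with no arp rate-limit line is unprotected. The following audit script is an added example, not part of the original manual: it scans a saved configuration and lists interfaces with no ARP packet rate limit in effect. The sample configuration, interface names and pps values are constructed, and the script assumes every interface stanza in the input is a Layer 2 port or Layer 2 aggregate interface.

```python
import re

# Constructed sample in the style of a saved switch configuration.
# Interface names, the description and the pps values are assumptions.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 description user-port
 arp rate-limit rate 50 drop
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
 arp rate-limit disable
#
interface Bridge-Aggregation1
 arp rate-limit rate 100 drop
#
"""

IFACE_RE = re.compile(r"^interface (\S+)\s*$")
LIMIT_RE = re.compile(r"^arp rate-limit (?:(disable)|rate (\d+) drop)$")


def audit_arp_rate_limit(config_text):
    """Map each interface to its ARP limit in pps, or None if not limited."""
    limits, current = {}, None
    for line in config_text.splitlines():
        iface = IFACE_RE.match(line)
        if iface:
            current = iface.group(1)
            limits[current] = None          # the feature is disabled by default
        elif not line.startswith(" "):      # '#' or a global line ends the stanza
            current = None
        elif current:
            limit = LIMIT_RE.match(line.strip())
            if limit:
                limits[current] = None if limit.group(1) else int(limit.group(2))
    return limits


def unprotected_ports(config_text):
    """Interfaces whose ARP packets reach the CPU with no rate limit."""
    limits = audit_arp_rate_limit(config_text)
    return sorted(name for name, pps in limits.items() if pps is None)


if __name__ == "__main__":
    print("\n".join(unprotected_ports(SAMPLE_CONFIG)))
```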