ARP attack protection commands
In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" collectively refers to MSR2003, MSR2004-24,
and MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, and MSR3064.
"MSR4000" collectively refers to MSR4060 and MSR4080.
Unresolvable IP attack protection commands
arp resolving-route enable
Use arp resolving-route enable to enable ARP blackhole routing.
Use undo arp resolving-route enable to disable ARP blackhole routing.
Syntax
arp resolving-route enable
undo arp resolving-route enable
Default
ARP blackhole routing is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Configure this feature on the gateways.
If a device receives a large number of unresolvable IP packets from a host, the following situations can
occur.
• The device sends a large number of ARP requests, overloading the target subnets.
• The device keeps trying to resolve destination IP addresses, overloading its CPU.
If the IP packets have different source addresses, you can enable the ARP blackhole routing function.
After receiving an unresolvable IP packet, the device creates a blackhole route destined for the target IP
address and drops all the matching packets until the blackhole route ages out.
Examples
# Enable ARP blackhole routing.
<Sysname> system-view
[Sysname] arp resolving-route enable
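The effect of the blackhole route described in the usage guidelines can be seen in a small model. This is an added illustration, not device code or vendor output: the aging time (AGING_MS), the traffic pattern, and the rule that every packet without a live blackhole route triggers exactly one ARP request are assumptions made for the model.

```python
# Added illustration: a simplified model of ARP blackhole routing, not device code.
# AGING_MS is an assumed value; the page does not state the blackhole route aging time.
AGING_MS = 25_000


def simulate(packets, blackhole_enabled, aging_ms=AGING_MS):
    """Count ARP requests a gateway sends for unresolvable destinations.

    packets: iterable of (timestamp_ms, destination_ip), sorted by time.
    Every destination is assumed to never answer ARP (unresolvable).
    Returns (arp_requests_sent, packets_dropped_by_blackhole_route).
    """
    blackholes = {}      # destination IP -> expiry time of its blackhole route
    arp_requests = 0
    dropped = 0
    for ts, dst in packets:
        expiry = blackholes.get(dst)
        if blackhole_enabled and expiry is not None and ts < expiry:
            dropped += 1             # live blackhole route: drop, no resolution
            continue
        # No live blackhole route: the gateway tries to resolve the address.
        arp_requests += 1
        if blackhole_enabled:
            # Resolution fails, so a blackhole route is created (or re-created
            # after the previous one aged out) for this destination.
            blackholes[dst] = ts + aging_ms
    return arp_requests, dropped


def constructed_flood():
    """Constructed traffic: one packet every 100 ms for 60 s toward three
    unused addresses (documentation range 192.0.2.0/24)."""
    targets = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    return [(i * 100, targets[i % 3]) for i in range(600)]


if __name__ == "__main__":
    flood = constructed_flood()
    print("blackhole routing disabled:", simulate(flood, blackhole_enabled=False))
    print("blackhole routing enabled: ", simulate(flood, blackhole_enabled=True))
```

With the feature enabled, resolution attempts are bounded by the number of distinct destinations and the aging interval rather than by the packet rate.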
arp source-suppression enable
Use arp source-suppression enable to enable the ARP source suppression function.