413
Configuration example
Network requirements
As shown in Figure 122, a LAN contains two areas: an R&D area in VLAN 10 and an office area in
VLAN 20. Each area connects to the gateway (Device) through an access switch.
A large number of ARP requests are detected in the office area and are considered as the
consequence of an unresolvable IP attack. To prevent the attack, configure ARP source suppression
or ARP blackhole routing.
Figure 122 Network diagram
Configuration procedure
• If the attack packets have the same source address, configure ARP source suppression:
# Enable ARP source suppression.
<Device> system-view
[Device] arp source-suppression enable
# Allow the device to receive a maximum of 100 unresolvable packets from a host in 5 seconds.
[Device] arp source-suppression limit 100
• If the attack packets have different source addresses, configure ARP blackhole routing:
# Enable ARP blackhole routing.
[Device] arp resolving-route enable
Configuring ARP packet rate limit
The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU.
An ARP attack detection-enabled device will send all received ARP packets to the CPU for
inspection. Processing excessive ARP packets will make the device malfunction or even crash. To
solve this problem, configure ARP packet rate limit.
IP network
Gateway
Device
R
&D Office
VLAN 10
VLAN 20
Host A Host B Host C
Host D
ARP attack protection
To Next Page
Loading...
Need help?
General