For the messages corresponds to the directly-connected route, if the switch does
not learn the ARP that corresponds to the destination IP address, it is not able to
forward the message in hardware, and it needs to send the message to the CPU
to resolve the address(that is the ARP learning). Sending large number of this
message to the CPU will influence the other tasks of the switch. To prevent the IP
messages from attacking the CPU, a discarded entry is set to the hardware
during the address resolution, so that all sequential messages with that
destination IP address are not sent to the CPU. After the address resolution, the
entry is updated to the forwarding status, so that the switch could forward the
message with that destination IP address in hardware.
In general, during the ARP request ,if the switch CPU receives three destination
IP address messages corresponding to the ARP entry, it is considered to be
possible to attack the CPU and the switch sets the discarded entry to prevent the
unknown unicast message from attacking the CPU. User could set the num
parameter of this command to decide whether it attacks the CPU in specific
network environment or disable this function. Use the arp anti-ip-attack
command to set the parameter or disable this function. The no form of this
command restores it to default value 3.
The arp anti-ip-attack function needs to occupy the switch hardware routing
resources when attacked by the unknown unicast message. If there are enough
resources, the arp anti-ip-attack num could be smaller. If not, in order to
preferential ensure the use of the normal routing, the num could be larger or
disable this function.
To Next Page
Loading...
