Command Reference IP Address Commands
arp anti-ip-attack
For a message that hits a directly-connected route, if the switch does not learn the ARP entry that
corresponds to the destination IP address, the switch is not able to forward the message via hardware
and needs to send the message to the CPU to parse the address. This process is called ARP
learning. Sending a large number of such messages to the CPU, however, will influence the other
tasks of the switch. To prevent the IP messages from attacking the CPU, a discard entry is set to the
hardware during address resolution, so that all sequential messages with that destination IP address
are not sent to the CPU at all. After the address resolution, the entry is updated to the forwarding
status, so that the switch can forward the messages with that destination IP address via hardware.
In general, during the ARP request ,if the switch CPU receives three destination IP address
messages that hit the ARP entry, the switch considers that there is possibility to attack the CPU and
thus sets a discard entry to prevent unknown unicast messages from attacking the CPU. Users can
set the num parameter of this command to decide whether it attacks the CPU in the specific network
environment or disable this function. Use the arp anti-ip-attack num command to set the parameter
or disable this function. Use the no form of this command to restore the num parameter to the default
value 3.
arp anti-ip-attack num
no arp anti-ip-attack
Parameter
Description
Parameter Description
num
The number of IP messages to trigger the ARP to set a discard entry.
The value ranges from 0 to 100. 0 stands for disabling the ARP
anti-IP-attack function.
Defaults
The switch sets a discarded entry after three unknown unicast messages are sent to the CPU.
Command
Mode
Global configuration mode
Usage Guide
The ARP anti-IP-attack function will occupy the switch hardware routing resources when the switch is
attacked by unknown unicast messages. If there are enough resources, you can set the num
parameter in the arp anti-ip-attack to a smaller value. If not, in order to first ensure normal routing,
you can set the num parameter to a larger value or simply disable this function.
Configuration
Examples
The following example sets the number of IP messages that will trigger ARP to set a discard entry to.
Ruijie(config)# arp anti-ip-attack
5
The following example disables the ARP anti-IP-attack function.
Ruijie(config)# arp anti-ip-attack
0
Related
Command Description
To Next Page
Loading...
Need help?
General
