Configuring arp defense against ip packet attacks, Introduction, Configuring arp source suppression – H3C Technologies H3C S7500E Series Switches User Manual
| Task | Remarks |
| --- | --- |
| Configuring ARP Packet Rate Limit | Optional. Configure this function on gateways (recommended). |
| | Optional. Configure this function on gateways and access devices (recommended). |
Configuring ARP Defense Against IP Packet Attacks
Introduction
If a device receives large numbers of IP packets from a host to unreachable destinations:

- The device sends large numbers of ARP requests to the destination subnets, which increases the load of the destination subnets.
- The device keeps trying to resolve destination IP addresses, which increases the load of the CPU.

To protect the device from IP packet attacks, you can enable the ARP source suppression function or the ARP black hole routing function.

If the packets have the same source address, you can enable the ARP source suppression function. With the function enabled, whenever the number of ARP requests triggered by packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold, the device suppresses the sending host from triggering any ARP requests within the following five seconds.

If the packets have various source addresses, you can enable the ARP black hole routing function. After receiving an IP packet whose destination IP address cannot be resolved by ARP, the device with this function enabled immediately creates a black hole route and drops all packets matching the route during the aging time of the black hole route.
Configuring ARP Source Suppression
Follow these steps to configure ARP source suppression:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable ARP source suppression | arp source-suppression enable | Required. Disabled by default. |
| Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five consecutive seconds | arp source-suppression limit limit-value | Optional. 10 by default. |
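The following Python model illustrates the behaviour described in the introduction and configured by the table above: per source, unresolvable-destination packets are counted within a five-second window, and once the count exceeds the limit (10 by default) the host is kept from triggering ARP requests for the following five seconds. It is an added example written for this page, not H3C code, and it does not reproduce the switch's internal implementation. The class and function names, the sample traffic (one host sweeping unreachable addresses, one host doing ordinary resolution) and the reading that the packet which exceeds the limit is itself the first one suppressed are assumptions for illustration.

```python
from typing import Dict, List, Tuple

WINDOW_SECONDS = 5.0     # counting window stated by the manual
SUPPRESS_SECONDS = 5.0   # suppression period stated by the manual
DEFAULT_LIMIT = 10       # default of "arp source-suppression limit"


class ArpSourceSuppression:
    """Model of ARP source suppression (illustrative, not the switch's own code)."""

    def __init__(self, limit: int = DEFAULT_LIMIT, enabled: bool = True) -> None:
        self.limit = limit
        self.enabled = enabled
        self.window_start: Dict[str, float] = {}     # src -> start of current 5 s window
        self.counts: Dict[str, int] = {}             # src -> packets seen in that window
        self.suppressed_until: Dict[str, float] = {}  # src -> end of suppression period

    def handle_unresolvable_packet(self, src_ip: str, now: float) -> bool:
        """Return True if the device would send an ARP request for this packet,
        False if the sending host is currently suppressed."""
        if not self.enabled:
            return True
        until = self.suppressed_until.get(src_ip)
        if until is not None and now < until:
            return False                              # host is inside its suppression period
        start = self.window_start.get(src_ip)
        if start is None or now - start >= WINDOW_SECONDS:
            self.window_start[src_ip] = now           # open a fresh five-second window
            self.counts[src_ip] = 0
        self.counts[src_ip] += 1
        if self.counts[src_ip] > self.limit:
            # Threshold exceeded within five seconds: suppress this host for the next
            # five seconds (assumption: the packet that exceeds the limit is dropped too).
            self.suppressed_until[src_ip] = now + SUPPRESS_SECONDS
            del self.window_start[src_ip]
            self.counts[src_ip] = 0
            return False
        return True


def build_sample_traffic() -> List[Tuple[float, str]]:
    """Constructed sample: 10.0.0.99 sweeps 30 unreachable addresses, one every 0.2 s;
    10.0.0.5 resolves three unreachable destinations spread over the same period."""
    pkts = [(round(i * 0.2, 1), "10.0.0.99") for i in range(30)]
    pkts += [(0.5, "10.0.0.5"), (2.5, "10.0.0.5"), (4.5, "10.0.0.5")]
    return sorted(pkts)


def simulate(packets: List[Tuple[float, str]], limit: int = DEFAULT_LIMIT,
             enabled: bool = True):
    """Feed packets through the model; return the device and a (time, src, sent) log."""
    dev = ArpSourceSuppression(limit=limit, enabled=enabled)
    log = [(t, src, dev.handle_unresolvable_packet(src, t)) for t, src in packets]
    return dev, log


def summarize(log) -> Dict[str, Tuple[int, int]]:
    """Per source: (ARP requests sent, packets suppressed)."""
    out: Dict[str, Tuple[int, int]] = {}
    for _, src, sent in log:
        s, d = out.get(src, (0, 0))
        out[src] = (s + 1, d) if sent else (s, d + 1)
    return out


if __name__ == "__main__":
    _, log = simulate(build_sample_traffic())
    for src, (sent, dropped) in summarize(log).items():
        print(f"{src}: {sent} ARP requests sent, {dropped} suppressed")
```

Running the model shows the point of the feature: the sweeping host gets its first ten ARP requests through and is then silenced for five seconds, while the host doing ordinary resolution is untouched because it never exceeds the limit. Lowering the limit tightens the response to a single abusive source, whereas an attack spread across many source addresses is the case the manual directs to ARP black hole routing instead.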