Configuring arp packet rate limit, Introduction, Configuring the arp packet rate limit function – H3C Technologies H3C S7500E Series Switches User Manual
Configuring ARP Packet Rate Limit
Introduction
This feature allows you to limit the rate of ARP packets to be delivered to the CPU. For example, if an
attacker sends a large number of ARP packets to a device with ARP detection enabled, the CPU of the
device may become overloaded because all the ARP packets are redirected to the CPU for checking.
As a result, the device fails to deliver other functions properly or even crashes. To prevent this,
configure ARP packet rate limit.
It is recommended that you enable this feature after ARP detection is configured, or use this
feature to prevent ARP flood attacks.
Configuring the ARP Packet Rate Limit Function
Follow these steps to configure ARP packet rate limit in Ethernet interface view:
To do…                            Use the command…                             Remarks
Enter system view                 system-view                                  —
Enter Ethernet interface view     interface interface-type interface-number    —
Configure ARP packet rate limit   arp rate-limit { disable | rate pps drop }   Required. By default, the ARP packet rate limit is enabled and is 100 pps.
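The following model of the per-interface limit is an added illustration, not code from the manual or from H3C. It shows how a flood on one port is capped at the configured rate before reaching the CPU while other ports are unaffected. The fixed one-second counting window, the interface names and the traffic are assumptions; the manual states only the pps limit, the drop action and the 100 pps default.

```python
from collections import defaultdict

DEFAULT_RATE_PPS = 100  # default ARP packet rate limit stated in the manual


class ArpRateLimiter:
    """Per-interface model of 'arp rate-limit rate pps drop' (assumed fixed 1 s windows)."""

    def __init__(self):
        self.rate = defaultdict(lambda: DEFAULT_RATE_PPS)  # interface -> pps, None = disabled
        self.window = {}                 # interface -> (second, packets seen in that second)
        self.to_cpu = defaultdict(int)   # ARP packets delivered to the CPU
        self.dropped = defaultdict(int)  # ARP packets dropped by the limit

    def configure(self, interface, rate_pps=DEFAULT_RATE_PPS, disable=False):
        """Mirror of: arp rate-limit { disable | rate pps drop }."""
        self.rate[interface] = None if disable else rate_pps

    def receive(self, interface, timestamp):
        """Return True if the ARP packet is delivered to the CPU, False if dropped."""
        limit = self.rate[interface]
        second = int(timestamp)
        start, seen = self.window.get(interface, (second, 0))
        if start != second:              # a new one-second window begins
            seen = 0
        self.window[interface] = (second, seen + 1)
        if limit is not None and seen >= limit:
            self.dropped[interface] += 1
            return False
        self.to_cpu[interface] += 1
        return True


def simulate():
    """Constructed traffic: a flooding port, a normal port and an unlimited port."""
    limiter = ArpRateLimiter()
    limiter.configure("GE2/0/2", rate_pps=50)   # hypothetical interface names
    limiter.configure("GE2/0/3", disable=True)
    for i in range(5000):                       # 5000 ARP packets within one second
        t = i / 5000
        limiter.receive("GE2/0/1", t)           # default limit, 100 pps
        limiter.receive("GE2/0/3", t)           # rate limit disabled
    for i in range(20):                         # 20 pps from a normal host
        limiter.receive("GE2/0/2", i / 20)
    return dict(limiter.to_cpu), dict(limiter.dropped)


if __name__ == "__main__":
    print(simulate())
```

With the limit disabled on a port, every packet of the flood reaches the CPU, which is the overload condition the introduction describes.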
Configuring ARP Detection
Introduction
The ARP detection feature is mainly configured on an access device to allow only the ARP packets of
authorized clients to be forwarded, which prevents user spoofing and gateway spoofing.
ARP detection includes ARP detection based on specified objects, and ARP detection based on static
IP Source Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses.
If both the ARP detection based on specified objects and the ARP detection based on static IP Source
Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses are
enabled, the former applies first, and then the latter applies.