
Configuration considerations, Configuration procedure, Configuring arp packet rate limit – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


Configuration considerations

If the attack packets have the same source address, you can enable the ARP source suppression function as follows:

1. Enable ARP source suppression.

2. Set the threshold to 100. If the number of unresolvable IP packets received from a host within five seconds exceeds 100, the device stops resolving packets from the host until the five seconds elapse.

If the attack packets have different source addresses, enable the ARP black hole routing function on the device.

Configuration procedure

# Enable ARP source suppression on the device and set the threshold for ARP packets from the same source address to 100.

system-view
[AC] arp source-suppression enable
[AC] arp source-suppression limit 100

# Enable ARP black hole routing.

system-view
[Device] arp resolving-route enable

Configuring ARP packet rate limit

Introduction

This feature allows you to limit the rate of ARP packets to be delivered to the CPU. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the CPU of the device will be overloaded because all the ARP packets are redirected to the CPU for checking. As a result, the device fails to deliver other functions properly or even crashes. To solve this problem, you can configure ARP packet rate limit.

Enable this feature after the ARP detection, ARP snooping, or MFF feature is configured, or use this feature to prevent ARP flood attacks.

Configuring ARP packet rate limit (in interface view)

When the ARP packet rate exceeds the rate limit set on an interface, the device with ARP packet rate limit enabled sends trap and log messages to report the event. To avoid too many trap and log messages, you can set the interval for sending such messages. Within each interval, the device outputs the peak ARP packet rate in the trap and log messages.

Note that trap and log messages are generated only after the trap function of ARP packet rate limit is enabled. Trap and log messages are sent to the information center of the device. You can set the parameters of the information center to determine the output rules of trap and log messages. The output rules specify whether the messages are allowed to be output and where they are bound for. For the parameter configuration of the information center, see Network Management and Monitoring Configuration Guide.
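The following Python model, added here to illustrate the two mechanisms described above and not taken from H3C or the manual, shows how the per-source suppression (threshold 100 in a five-second window) and the per-interval peak reporting of the rate limit behave on constructed traffic. The fixed-window accounting and the report layout are assumptions; the page states only the threshold, the window length and that each interval reports its peak rate.

```python
from typing import Dict, List, Tuple

# Values from the page: threshold 100 within a five-second window.
SUPPRESSION_LIMIT = 100
WINDOW_SECONDS = 5.0


class ArpSourceSuppression:
    """Per-source model of ARP source suppression. Fixed-window accounting
    (window starts at the first packet seen from a source) is an assumption."""

    def __init__(self, limit: int = SUPPRESSION_LIMIT, window: float = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._state: Dict[str, Tuple[float, int]] = {}  # src -> (window_start, count)

    def should_resolve(self, src: str, now: float) -> bool:
        """Return True if an unresolvable packet from src should still be resolved."""
        start, count = self._state.get(src, (now, 0))
        if now - start >= self.window:  # window elapsed: start counting afresh
            start, count = now, 0
        count += 1
        self._state[src] = (start, count)
        return count <= self.limit  # the 101st packet in a window is suppressed


def summarize_rate_limit(pps_samples: List[int], limit_pps: int, interval: int) -> List[dict]:
    """Model of interface-view rate-limit reporting: one message per reporting
    interval in which the limit was exceeded, carrying that interval's peak rate.
    pps_samples[i] is the ARP packet count seen on the interface in second i."""
    reports = []
    for start in range(0, len(pps_samples), interval):
        peak = max(pps_samples[start:start + interval])
        if peak > limit_pps:
            reports.append({"interval_start": start, "peak_pps": peak, "limit_pps": limit_pps})
    return reports


if __name__ == "__main__":
    sup = ArpSourceSuppression()
    # Constructed burst: 150 unresolvable packets from one host within a single second.
    decisions = [sup.should_resolve("10.0.0.5", 0.5) for _ in range(150)]
    print("resolved:", decisions.count(True), "suppressed:", decisions.count(False))  # 100 / 50
    print("after window:", sup.should_resolve("10.0.0.5", 5.5))  # True
    # Constructed per-second ARP counts on one interface; limit 100 pps, report every 5 s.
    print(summarize_rate_limit([10, 20, 500, 30, 5, 2, 700, 800, 1, 0], 100, 5))
```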
To configure ARP packet rate limit: