Configuration considerations, Configuration procedure, Configuring arp packet rate limit – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Configuration considerations
If the attack packets have the same source address, you can enable the ARP source suppression function
as follows:
1. Enable ARP source suppression.
2. Set the threshold to 100. If the number of unresolvable IP packets received from a host within five
seconds exceeds 100, the device stops resolving packets from the host until the five seconds
elapse.
If the attack packets have different source addresses, enable the ARP black hole routing function on the
device.
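The following added example (not from the H3C manual, and not the device's implementation) models the counting rule described above in Python. It shows why the threshold stops a flood from one source address but never triggers when every packet carries a different source address, which is the case ARP black hole routing covers. It assumes a fixed five-second window that starts at a host's first unresolvable packet; all traffic is constructed.

```python
WINDOW_SECONDS = 5.0   # window length stated in the manual
THRESHOLD = 100        # value set by "arp source-suppression limit 100"


class SourceSuppressionModel:
    """Simplified model: per-source count of unresolvable IP packets in a fixed window."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.state = {}  # source IP -> (window_start, count)

    def handle(self, now, src_ip):
        """Return True if resolution would be attempted, False if suppressed."""
        start, count = self.state.get(src_ip, (now, 0))
        if now - start >= self.window:   # window elapsed: counting starts again
            start, count = now, 0
        count += 1
        self.state[src_ip] = (start, count)
        return count <= self.threshold   # suppressed once the count exceeds the threshold


def replay(packets, **kwargs):
    """Replay (timestamp, src_ip) pairs; return (resolved, suppressed) totals."""
    model = SourceSuppressionModel(**kwargs)
    resolved = suppressed = 0
    for now, src in packets:
        if model.handle(now, src):
            resolved += 1
        else:
            suppressed += 1
    return resolved, suppressed


# Constructed traffic: 300 unresolvable packets spread over 3 seconds.
single_source = [(i * 0.01, "10.1.1.5") for i in range(300)]
many_sources = [(i * 0.01, f"10.1.{i // 250}.{i % 250 + 1}") for i in range(300)]

if __name__ == "__main__":
    print("same source:      ", replay(single_source))
    print("different sources:", replay(many_sources))
```

With one source, only the first 100 packets in the window cost a resolution attempt; with 300 distinct sources, no per-source counter ever reaches the threshold.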
Configuration procedure
# Enable ARP source suppression on the device and set the threshold for ARP packets from the same
source address to 100.
[AC] arp source-suppression enable
[AC] arp source-suppression limit 100
# Enable ARP black hole routing.
[Device] arp resolving-route enable
Configuring ARP packet rate limit
Introduction
This feature limits the rate at which ARP packets are delivered to the CPU. For example, if an
attacker sends a large number of ARP packets to a device with ARP detection enabled, the CPU of the
device is overloaded because all the ARP packets are redirected to the CPU for checking. As a result,
the device cannot perform its other functions properly and may even crash. To solve this problem,
configure ARP packet rate limit.
Enable this feature after the ARP detection, ARP snooping, or MFF feature is configured, or use this
feature to prevent ARP flood attacks.
Configuring ARP packet rate limit (in interface view)
When the ARP packet rate exceeds the rate limit set on an interface, the device with ARP packet rate limit
enabled sends trap and log messages to report the event. To avoid too many trap and log messages, you
can set the interval for sending such messages. Within each interval, the device outputs the peak ARP
packet rate in the trap and log messages.
Note that trap and log messages are generated only after the trap function of ARP packet rate limit is
enabled. Trap and log messages will be sent to the information center of the device. You can set the
parameters of the information center to determine the output rules of trap and log messages. The output
rules specify whether the messages are allowed to be output and where they are bound for. For the
parameter configuration of the information center, see Network Management and Monitoring
Configuration Guide.
To configure ARP packet rate limit: