No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring the Optimized ARP Reply Function

Configuring the Optimized ARP Reply Function

Context

When a stack functions as an access gateway, the stack can receive a large number of ARP packets requesting for the stack's interface MAC address. If all these ARP Request packets are sent to the master switch, the CPU usage of the switch increases, and other services are affected.

To address the preceding problem, enable optimized ARP reply, which improves the switch's capability of defending against ARP flood attack. After this function is enabled, the stack performs the following operations:
  • When receiving an ARP Request packet of which the destination IP address is the local interface address, the switch where the interface is located directly returns an ARP Reply packet.
  • When a stack system receives an ARP Request packet of which the destination IP address is not the local interface address and intra-VLAN proxy ARP is enabled on the master switch, the switch where the interface is located checks whether the ARP Request packet meets the proxy condition. If so, the switch returns an ARP Reply packet. If not, the switch discards the packet.
NOTE:
The optimized ARP reply function can be configured on a stand-alone fixed switch, but does not take effect.
By default, the optimized ARP reply function is enabled. After a device receives an ARP Request packet, the device checks whether an ARP entry corresponding to the source IP address of the ARP Request packet exists.
  • If the corresponding ARP entry exists, the stack performs optimized ARP reply to this ARP Request packet.
  • If the corresponding ARP entry does not exist, the stack does not perform optimized ARP reply to this ARP Request packet.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run undo arp optimized-reply disable

    The optimized ARP reply function is enabled.

    By default, the optimized ARP reply function is enabled.

    • The optimized ARP reply function does not take effect for ARP Request packets with double VLAN tags.
    • The optimized ARP reply function takes effect for ARP Request packets sent by wireless users.
    • The optimized ARP reply function takes effect only for the ARP Request packets received by VLANIF interfaces. The optimized ARP reply function does not take effect for the ARP Request packets sent from the VLANIF interfaces of super VLANs and sub VLANs.
    • The optimized ARP reply function does not take effect globally or on VLANIF interfaces after you run any of the following commands:
      • ip address ip-address { mask | mask-length } sub: configures secondary IP addresses for VLANIF interfaces.
      • arp anti-attack gateway-duplicate enable: enables the ARP gateway anti-collision function.
      • arp ip-conflict-detect enable: enables IP address conflict detection.
      • arp anti-attack check user-bind enable: enables dynamic ARP inspection.
      • dhcp snooping arp security enable: enables egress ARP inspection.
      • arp over-vpls enable: enables ARP proxy on the device located on a VPLS network.
      • arp-proxy enable: configures the routed ARP proxy function.
    • After the optimized ARP reply function is enabled, the following functions become invalid:
      • ARP rate limiting based on source MAC addresses (configured using the arp speed-limit source-mac command)
      • ARP rate limiting based on source IP addresses (configured using the arp speed-limit source-ip command)
      • Global ARP rate limiting, ARP rate limiting in VLANs, as well as ARP rate limiting on interfaces (configured using the arp anti-attack rate-limit enable command)
Translation
Download
Updated: 2019-03-28

Document ID: EDOC1000178177

Views: 223178

Downloads: 720

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next