Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Configuring Rate Limiting on ARP Miss Messages based on Source IP Addresses

Context

If a network device is flooded with IP packets that contain unresolvable destination IP addresses, the device generates a large number of ARP Miss messages. This is because the device has no ARP entry that matches the next hop of the route. IP packets triggering ARP Miss messages are sent to the device for processing. The device generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming a large number of CPU and bandwidth resources.

If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the device considers that an attack has been initiated from the source IP address.

If the ARP Miss packet processing mode is set to block, the CPU of the device discards excess ARP Miss messages and delivers an ACL to discard all subsequent packets that are sent from this source IP address. If the ARP Miss packet processing mode is set to none-block, the CPU discards excess ARP Miss messages. When ARP Miss messages are discarded, corresponding ARP Miss packets are discarded.

The maximum number of ARP Miss messages and ARP Miss packet processing mode can be set based on the actual network environment.

NOTE:

If the rate of ARP Miss messages triggered by IP packets from a source IP address exceeds 30 pps, excess ARP Miss messages are discarded, and the device discards all ARP Miss packets from this source IP address in the next five seconds. As a result, IP packets from the source IP address cannot trigger ARP learning, and ping packets sent by the source IP address are lost. To prevent this problem, set the maximum rate of ARP Miss packets sent from this source IP address to a large value.

Perform the following steps on the gateway.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure rate limiting on ARP Miss messages based on source IP addresses.

    • Run arp-miss speed-limit source-ip maximum maximum

      The maximum rate of ARP Miss messages triggered by IP packets from any source IP address is set.

    • Run arp-miss speed-limit source-ip ip-address [ mask mask ] maximum maximum [ none-block | block timer timer ]

      The maximum rate of ARP Miss messages triggered by IP packets from the specified IP address is set, and ARP Miss packet processing mode is specified.

    When both commands are configured, the maximum rate set using the arp-miss speed-limit source-ip ip-address [ mask mask ] maximum maximum [ none-block | block timer timer ] command takes effect on ARP Miss messages triggered by IP packets from the specified source IP address, and the maximum rate set using the arp-miss speed-limit source-ip maximum maximum command takes effect on ARP Miss messages triggered by IP packets from all other source IP addresses.

    If the maximum rate of ARP Miss messages is set to 0, the rate of ARP Miss messages is not limited based on source IP addresses. By default, the device accepts a maximum of 30 ARP Miss messages triggered by IP packets from the same source IP address per second.

    If the number of ARP Miss messages triggered by IP packets from the same source IP address per second exceeds the limit, the device discards the excess ARP Miss packets. By default, a device uses the block mode to discard all ARP Miss packets from the source IP address within five minutes.
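The following session shows the procedure above applied on a gateway, as an added example that is not taken from this guide. The prompt, IP addresses, masks, rate values and the block timer value are all assumed for illustration; check the valid ranges and the unit of timer in the command reference for your software version before copying them.

```text
<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 50
[HUAWEI] arp-miss speed-limit source-ip 10.1.1.100 mask 255.255.255.255 maximum 200 none-block
[HUAWEI] arp-miss speed-limit source-ip 10.1.2.0 mask 255.255.255.0 maximum 40 block timer 60
[HUAWEI] quit
```

The first command raises the global per-source limit from the default of 30 ARP Miss messages per second to 50. The second command gives one host (for example a monitoring server that legitimately probes many addresses) a higher limit and uses none-block mode, so that even if it exceeds the limit only the excess ARP Miss messages are dropped and its other traffic, including ping, is not blocked, which is the problem described in the NOTE above. The third command covers an untrusted subnet with a lower limit in block mode: once a host in that subnet exceeds 40 ARP Miss messages per second, the device delivers an ACL that discards all subsequent packets from that source for the configured timer period. Setting any of these limits to 0 disables source-IP-based rate limiting for the matching sources.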

Updated: 2019-04-01

Document ID: EDOC1000178319