
Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Configuring Rate Limiting on ARP Packets Globally, in a VLAN, or on an Interface

Context

When processing a large number of ARP packets, a device consumes many CPU resources and cannot process other services. To protect CPU resources of the device, limit the rate of ARP packets.

After rate limiting on ARP packets is enabled, set the maximum rate and rate limiting duration of ARP packets globally, in a VLAN, or on an interface. In the rate limiting duration, if the number of received ARP packets exceeds the limit, the device discards the excess ARP packets.
  • Limiting the rate of ARP packets globally: limits the number of ARP packets processed on the entire device.

  • Limiting the rate of ARP packets in a VLAN: limits the number of ARP packets to be processed on all interfaces in a VLAN. The configuration in a VLAN does not affect ARP entry learning on interfaces in other VLANs.

  • Limiting the rate of ARP packets on an interface: limits the number of ARP packets processed on an interface. The configuration on an interface does not affect ARP entry learning on other interfaces.

If the maximum rate and rate limiting duration are configured in the system view, VLAN view, and interface view at the same time, the device applies them in descending order of precedence: the interface view configuration first, then the VLAN view configuration, and finally the system view configuration.

If you want the device to generate alarms to notify the network administrator of a large number of discarded excess ARP packets, enable the alarm function. When the number of discarded ARP packets exceeds the alarm threshold, the device generates an alarm.

Perform the following steps on the gateway.

NOTE:

MAC-Forced Forwarding (MFF) may increase the load on an access device's CPU. This is because the MFF module may forward too many ARP packets whose destination IP addresses are different from the IP address of the interface receiving these packets. To resolve this problem, limit the rate of ARP packets globally, in a VLAN, or on an interface.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run interface interface-type interface-number or vlan vlan-id

    The interface or VLAN view is displayed.

    If you configure rate limiting on ARP packets in the system view, skip the preceding step.

  3. (Optional) On an Ethernet interface, run undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

  4. Run arp anti-attack rate-limit enable

    Rate limiting on ARP packets is enabled.

    By default, rate limiting on ARP packets is disabled.

    After the optimized ARP reply function (disabled by default) is enabled using the undo arp optimized-reply disable command, rate limiting on ARP packets globally, in a VLAN, or on an interface does not take effect.

  5. Run arp anti-attack rate-limit packet packet-number [ interval interval-value | block-timer timer ] *

    The maximum rate and rate limiting duration for ARP packets are set, and the function to discard all ARP packets received from the interface when the rate of ARP packets exceeds the limit (block mode) is enabled.

    The system view and VLAN view do not support block-timer timer.

    By default, a maximum of 100 ARP packets are allowed to pass per second, and the function to discard all ARP packets received from the interface when the rate of ARP packets exceeds the limit is disabled.

    NOTE:

    This command can be configured on a maximum of 32 interfaces.

    In non-block mode, the arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU for processing, and does not affect ARP packet forwarding by the chip. In block mode, the device discards subsequent ARP packets on the interface only after the number of ARP packets sent to the CPU exceeds the limit.

  6. (Optional) Run arp anti-attack rate-limit alarm enable

    The alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit is enabled.

    By default, the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit is disabled.

  7. (Optional) Run arp anti-attack rate-limit alarm threshold threshold

    The alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit is set.

    By default, the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit is 100.
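As an added illustration (not Huawei's code and not the switch's actual implementation), the following Python model applies the rules the procedure describes: an interface-view limit takes precedence over a VLAN-view limit, which takes precedence over a system-view limit; ARP packets sent to the CPU are counted per interval and the excess is discarded; block-timer (interface view only) discards all ARP packets on that interface for the timer duration; and an alarm is raised once discarded packets exceed the threshold. Interface names, limit values and the cumulative discard count are constructed assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class RateLimit:
    packet: int            # maximum ARP packets allowed per interval
    interval: int = 1      # rate-limiting duration in seconds (default 1)
    block_timer: int = 0   # interface view only; 0 means non-block mode

@dataclass
class ArpRateLimiter:
    system: Optional[RateLimit] = None
    vlan: Dict[int, RateLimit] = field(default_factory=dict)
    interface: Dict[str, RateLimit] = field(default_factory=dict)
    alarm_threshold: int = 100     # default alarm threshold on the page
    counts: Dict[Tuple, int] = field(default_factory=dict)
    blocked_until: Dict[str, int] = field(default_factory=dict)
    discarded: int = 0

    def effective(self, ifname: str, vlan_id: int):
        """Interface view wins over VLAN view, which wins over system view."""
        if ifname in self.interface:
            return ("if", ifname), self.interface[ifname]
        if vlan_id in self.vlan:
            return ("vlan", vlan_id), self.vlan[vlan_id]
        return ("sys", None), self.system

    def receive(self, t: int, ifname: str, vlan_id: int) -> bool:
        """One ARP packet punted to the CPU from ifname at second t.
        Returns True if processed, False if discarded."""
        scope, lim = self.effective(ifname, vlan_id)
        if lim is None:                              # no limit configured
            return True
        if t < self.blocked_until.get(ifname, -1):   # block mode in effect
            self.discarded += 1
            return False
        key = (scope, t // lim.interval)             # count per interval
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] <= lim.packet:
            return True
        self.discarded += 1                          # excess packet dropped
        if lim.block_timer:                          # block mode: drop all ARP
            self.blocked_until[ifname] = t + lim.block_timer   # on this interface
        return False

    def alarm_raised(self) -> bool:
        """Alarm once discards exceed the threshold (a cumulative count is a
        simplification of this model, not documented device behaviour)."""
        return self.discarded > self.alarm_threshold
```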

Updated: 2019-04-01

Document ID: EDOC1000178410
