NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring a Rate Limit for ARP Packets to Be Sent to the CPU

Before configuring a rate limit for Address Resolution Protocol (ARP) packets to be sent to the CPU, familiarize yourself with the applicable environment and complete the pre-configuration tasks.

Applicable Environment

You can configure a rate limit for ARP packets to be sent to the CPU in the following situations:

  • The router has many sub-interfaces configured, and therefore may encounter ARP request packet bursts.

  • The router has received a large number of ARP request packets, and valid ARP packets are affected.

Pre-configuration Tasks

Before configuring a rate limit for ARP packets to be sent to the CPU, complete the following task:

  • Configuring link layer protocol parameters and IP addresses for interfaces to ensure that the link layer protocol on each interface is Up

Configuration Procedures

You can choose one or more configuration tasks as required.

Enabling ARP Bidirectional Isolation

Address Resolution Protocol (ARP) bidirectional isolation enables the router to process ARP request and reply packets separately, improving the fault locating efficiency when a large number of ARP packets are received in a short period.

Context

Configure ARP bidirectional isolation on interfaces of the router.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number [ .sub-interface-number ]

    The interface view is displayed.

  3. Run arp-safeguard enable

    ARP bidirectional isolation is enabled.

    NOTE:

    ARP bidirectional isolation is mutually exclusive with L2VPN and proxy ARP. Before configuring ARP bidirectional isolation, delete the L2VPN and proxy ARP configurations on the interface, if present.

  4. Run commit

    The configuration is committed.

Configuring ARP VLAN CAR

ARP VLAN CAR allows you to limit the rate of ARP packets on the attacked interface without affecting other interfaces. This minimizes the impact of attacks on devices and services. After the alarm function is enabled for ARP VLAN CAR and the number of ARP packets to be sent to the CPU exceeds the threshold configured for ARP VLAN CAR, an alarm is reported.

Context

Configure ARP VLAN CAR on interfaces of the router.

This feature is supported only on the Admin-VS.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run slot slot-id

    The slot view is displayed.

  3. Run undo alarm drop-rate arp-vlan-car disable

    The alarm function is enabled for ARP VLAN CAR.

  4. Run quit

    Return to the system view.

  5. Run interface interface-type interface-number [ .sub-interface-number ]

    The interface view is displayed.

  6. Run arp rate-limit rate

    The rate limit of ARP VLAN CAR for ARP packets on an interface is configured.

    NOTE:

    If you configure a rate limit (1024 pps, for example) which is larger than the default rate limit of CP-CAR, the configured ARP VLAN CAR cannot take effect. CP-CAR can be configured by running the car arp cir cir-value command. For details, see Configuring the CAR. The configuration of CP-CAR can be checked by running the display cpu-defend car information command.

  7. Run quit

    Return to the system view.

  8. (Optional)
    1. Run slot slot-id

      The slot view is displayed.

    2. Run arp attack rate-limit-percent limit-rate

      The bandwidth of the level-2 CAR used by ARP VLAN CAR is configured as a percentage of the CP-CAR bandwidth for ARP protocol packets.

    3. Run quit

      Return to the system view.

  9. Run commit

    The configuration is committed.
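The following script is an added example (not Huawei's code) that renders the commands of the two tasks above in procedure order and refuses the two combinations the notes say will not work: an ARP VLAN CAR rate above the CP-CAR rate (step 6 note) and ARP bidirectional isolation on an interface that still carries L2VPN or proxy ARP (step 3 note of the isolation task). The slot, interface, rate, percentage and CP-CAR CIR values are assumptions supplied by the caller; read the real CIR from display cpu-defend car information before using it.

```python
# Added example (not Huawei's code): render the ARP VLAN CAR / bidirectional
# isolation commands from the procedure above, in order, refusing combinations
# the notes say will not work. cp_car_cir, slot, interface, rate and percent
# are assumed values supplied by the caller.
from typing import List, Optional


def vlan_car_takes_effect(rate: int, cp_car_cir: int) -> bool:
    """Note on step 6: an ARP VLAN CAR rate above the CP-CAR rate has no effect."""
    return 0 < rate <= cp_car_cir


def build_arp_rate_limit_config(
    interface: str,
    rate: int,
    slot: int,
    cp_car_cir: int,
    percent: Optional[int] = None,
    enable_isolation: bool = False,
    has_l2vpn_or_proxy_arp: bool = False,
) -> List[str]:
    """Return the CLI lines for one interface in the order the procedure gives them."""
    if not vlan_car_takes_effect(rate, cp_car_cir):
        raise ValueError(
            f"arp rate-limit {rate} exceeds CP-CAR CIR {cp_car_cir}; ARP VLAN CAR "
            "would not take effect (lower the rate or adjust 'car arp cir')"
        )
    if enable_isolation and has_l2vpn_or_proxy_arp:
        raise ValueError(
            "arp-safeguard is mutually exclusive with L2VPN and proxy ARP; "
            "delete those configurations on the interface first"
        )
    lines = ["system-view"]
    # Steps 2-4: enable the drop-rate alarm for ARP VLAN CAR on the board.
    lines += [f"slot {slot}", "undo alarm drop-rate arp-vlan-car disable", "quit"]
    # Steps 5-7: per-interface rate limit, optionally with bidirectional isolation.
    lines += [f"interface {interface}", f"arp rate-limit {rate}"]
    if enable_isolation:
        lines.append("arp-safeguard enable")
    lines.append("quit")
    # Step 8 (optional): share of the ARP CP-CAR bandwidth given to the level-2 CAR.
    if percent is not None:
        lines += [f"slot {slot}", f"arp attack rate-limit-percent {percent}", "quit"]
    lines.append("commit")  # step 9
    return lines


if __name__ == "__main__":
    # Assumed values: slot 1, CP-CAR CIR 512 pps, 20 pps per-VLAN limit, 50 percent.
    for cmd in build_arp_rate_limit_config("GigabitEthernet0/1/0.1", 20, 1, 512,
                                           percent=50, enable_isolation=True):
        print(cmd)
```

The returned list can be pushed to the device by whatever automation channel is in use; the point of the check is that a rate larger than the CP-CAR CIR is accepted by the CLI but silently does nothing, so validating it before the push is cheaper than discovering it in display arp attack afterwards.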

Checking the Configuration

After configuring the rate limit for Address Resolution Protocol (ARP) packets to be sent to the CPU, you can check the configuration.

Procedure

  • Run the display arp-safeguard statistics slot slot-id command to check ARP bidirectional isolation statistics on an interface board.
  • Run the display arp rate-limit interface interface-type interface-number command to check the ARP packet rate limit on an interface.
  • Run the display arp attack interface interface-type interface-number [ vlan-id vlan-id ] [ history ] command to check ARP attack information on an interface.
  • Run the display arp attack slot { slot-id | all } [ history ] command to check ARP attack information on an interface board.

Example

Run the display arp-safeguard statistics slot slot-id command to view ARP bidirectional isolation statistics on an interface board. For example:

<HUAWEI> display arp-safeguard statistics slot 1
ArpRequest-Count : 23
ArpReply-Count   : 23
ArpToCp-Count    : 23
ArpDrop-Count    : 23

Run the display arp rate-limit interface interface-type interface-number command to view the ARP packet rate limit of an interface. For example:

<HUAWEI> display arp rate-limit interface gigabitethernet 0/1/0
 Interface: GigabitEthernet0/1/0
arp rate-limit: 20(default-value)

Run the display arp attack interface interface-type interface-number command to view ARP attack information on an interface. For example:

<HUAWEI> display arp attack interface gigabitethernet 0/1/0
The number of ARP attacks is 30.
--------------------------------------
No.1
Interface Name : GigabitEthernet0/1/0
Logic interface: GigabitEthernet0/1/0.1
Vlan-id        : 1
EnableArpCar   : 1 (1:Enable 0:Disable)
Passed         : 1714688 Bytes
                 12608 Packets
Dropped        : 2456738272 Bytes
                 18064252 Packets

Defend  Start Time  : 2017-01-11 11:05
Defend  End   Time  : --
--------------------------------------
......
--------------------------------------
No.30
Interface Name : GigabitEthernet0/1/0
Logic interface: GigabitEthernet0/1/0.1
Vlan-id        : 1
EnableArpCar   : 1 (1:Enable 0:Disable)
Passed         : 6300356 Bytes
                 46312 Packets
Dropped        : 9042546988 Bytes
                 66470246 Packets

Defend  Start Time  : 2017-01-11 11:05
Defend  End   Time  : --
--------------------------------------

Run the display arp attack slot all command to view information about all ARP attacked interface boards. For example:

<HUAWEI> display arp attack slot all
The number of ARP attacks is 30.
--------------------------------------
No.1
Interface Name : GigabitEthernet0/1/0
Logic interface: GigabitEthernet0/1/0.1
Vlan-id        : 30
EnableArpCar   : 1 (1:Enable 0:Disable)
Passed         : 4086388 Bytes
                 30030 Packets
Dropped        : 5862883576 Bytes
                 43086312 Packets

Defend  Start Time  : 2017-01-11 11:05
Defend  End   Time  : --
--------------------------------------
......
--------------------------------------
No.30
Interface Name : GigabitEthernet0/1/0
Logic interface: GigabitEthernet0/1/0.1
Vlan-id        : 1
EnableArpCar   : 1 (1:Enable 0:Disable)
Passed         : 4072948 Bytes
                 29934 Packets
Dropped        : 5843635500 Bytes
                 42948838 Packets

Defend  Start Time  : 2017-01-11 11:05
Defend  End   Time  : --
--------------------------------------
Board-based ARP VLAN CAR statistics:
Passed         : 84344640 Bytes
                 619598 Packets
Dropped        : 39206700 Bytes
                 288157 Packets
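The display arp attack output above is what an operator reads to confirm that ARP VLAN CAR is actually dropping traffic and whether the defence is still running (Defend End Time shows -- while it is). The following is an added example (not Huawei's code) that parses that output into records and flags the entries where CAR is enabled, the defence has no end time yet, and most of the ARP packets on that VLAN are being dropped. SAMPLE_OUTPUT is constructed in the same format; its numbers are made up, not captured from a device, and the 0.5 drop-ratio threshold is an assumption.

```python
# Added example (not Huawei's code): parse 'display arp attack' output and flag
# VLANs whose ARP VLAN CAR defence is still active. SAMPLE_OUTPUT is constructed
# in the format shown above; its numbers are made up, not captured from a device.
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_OUTPUT = """\
The number of ARP attacks is 2.
--------------------------------------
No.1
Interface Name : GigabitEthernet0/1/0
Logic interface: GigabitEthernet0/1/0.1
Vlan-id        : 30
EnableArpCar   : 1 (1:Enable 0:Disable)
Passed         : 4086388 Bytes
                 30030 Packets
Dropped        : 5862883576 Bytes
                 43086312 Packets

Defend  Start Time  : 2017-01-11 11:05
Defend  End   Time  : --
--------------------------------------
No.2
Interface Name : GigabitEthernet0/1/0
Logic interface: GigabitEthernet0/1/0.2
Vlan-id        : 31
EnableArpCar   : 1 (1:Enable 0:Disable)
Passed         : 128000 Bytes
                 2000 Packets
Dropped        : 6400 Bytes
                 100 Packets

Defend  Start Time  : 2017-01-11 10:00
Defend  End   Time  : 2017-01-11 10:05
--------------------------------------
Board-based ARP VLAN CAR statistics:
Passed         : 4214388 Bytes
                 32030 Packets
"""


@dataclass
class ArpAttackRecord:
    index: int
    interface: str = ""
    logic_interface: str = ""
    vlan_id: Optional[int] = None
    car_enabled: bool = False
    passed_packets: int = 0
    dropped_packets: int = 0
    end_time: str = ""

    def ongoing(self) -> bool:
        return self.end_time == "--"  # '--' means the defence has not ended

    def drop_ratio(self) -> float:
        total = self.passed_packets + self.dropped_packets
        return self.dropped_packets / total if total else 0.0


_NO = re.compile(r"^\s*No\.(\d+)\s*$")
_KV = re.compile(r"^\s*(Interface Name|Logic interface|Vlan-id|EnableArpCar)\s*:\s*(.*?)\s*$")
_BYTES = re.compile(r"^\s*(Passed|Dropped)\s*:\s*\d+\s+Bytes\s*$")
_PKTS = re.compile(r"^\s*(\d+)\s+Packets\s*$")
_END = re.compile(r"^\s*Defend\s+End\s+Time\s*:\s*(.*?)\s*$")


def parse_arp_attack(text: str) -> List[ArpAttackRecord]:
    """One record per 'No.N' block; stops at the board-level totals."""
    records: List[ArpAttackRecord] = []
    cur: Optional[ArpAttackRecord] = None
    counter = ""  # counter that the next 'N Packets' continuation line belongs to
    for line in text.splitlines():
        if line.startswith("Board-based"):
            break
        if m := _NO.match(line):
            cur = ArpAttackRecord(index=int(m.group(1)))
            records.append(cur)
        elif cur is None:
            continue
        elif m := _KV.match(line):
            key, val = m.groups()
            if key == "Interface Name":
                cur.interface = val
            elif key == "Logic interface":
                cur.logic_interface = val
            elif key == "Vlan-id":
                cur.vlan_id = int(val)
            else:  # EnableArpCar: '1 (1:Enable 0:Disable)'
                cur.car_enabled = val.startswith("1")
        elif m := _BYTES.match(line):
            counter = m.group(1)  # the packet count follows on the next line
        elif (m := _PKTS.match(line)) and counter:
            setattr(cur, counter.lower() + "_packets", int(m.group(1)))
            counter = ""
        elif m := _END.match(line):
            cur.end_time = m.group(1)
    return records


def active_attacks(records: List[ArpAttackRecord], min_drop_ratio: float = 0.5) -> List[ArpAttackRecord]:
    """Records with CAR enabled, no end time yet, and most ARP packets dropped."""
    return [r for r in records if r.car_enabled and r.ongoing() and r.drop_ratio() >= min_drop_ratio]
```

Feeding the output of display arp attack slot all (collected over the management channel) to parse_arp_attack gives one record per attacked VLAN; active_attacks is the list worth alerting on, since entries whose defence has already ended are historical and a low drop ratio means the VLAN CAR is barely engaging. The parser stops at the Board-based line because the per-board totals use the same Passed/Dropped layout but are not a per-VLAN record.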
Updated: 2019-01-02

Document ID: EDOC1100055397