arp-miss anti-attack rate-limit enable
Function
The arp-miss anti-attack rate-limit enable command enables rate limit on ARP Miss messages.
The undo arp-miss anti-attack rate-limit enable command disables rate limit on ARP Miss messages.
By default, rate limit on ARP Miss messages is disabled.
Usage Guidelines
Usage Scenario
If a host attacks a device by sending a large number of IP packets with unresolvable destination IP addresses (the device has a route to the destination IP address of each packet but no ARP entry matching the next hop of that route), the device triggers a large number of ARP Miss messages. IP packets that trigger ARP Miss messages are sent to the master control board for processing. The device then generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming large amounts of CPU and bandwidth resources.
To avoid the preceding problems, configure rate limit on ARP Miss messages. The device collects statistics on ARP Miss messages. If the number of ARP Miss messages generated within the rate limit duration exceeds the threshold (the maximum number of ARP Miss messages), the gateway discards the IP packets triggering the excess ARP Miss messages.
Follow-up Procedure
Run the arp-miss anti-attack rate-limit command to set the maximum rate and rate limit duration of ARP Miss messages.
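The following Python model is an added illustration of the counting-and-discarding behaviour described in the Usage Scenario and of the two parameters set by the follow-up command (the maximum number of ARP Miss messages and the rate limit duration). It is not Huawei code and does not reproduce the device's internal implementation; the class name, the per-window counting strategy and the sample event timestamps are assumptions constructed for the example.

```python
from typing import List, Optional, Tuple


class ArpMissRateLimiter:
    """Simplified model (assumption, not the vendor's implementation) of ARP Miss
    rate limiting: count ARP Miss messages per rate-limit window and discard the
    IP packets that would exceed the configured maximum."""

    def __init__(self, max_messages: int, duration: float, enabled: bool = True):
        self.max_messages = max_messages   # threshold: maximum ARP Miss messages per window
        self.duration = duration           # rate-limit duration (window length, seconds)
        self.enabled = enabled             # models 'arp-miss anti-attack rate-limit enable'
        self._window_start: Optional[float] = None
        self._count = 0
        self.processed = 0                 # packets handed to the control plane
        self.discarded = 0                 # excess packets dropped by the limiter

    def on_arp_miss(self, now: float) -> str:
        """Called when an IP packet has a route but no ARP entry for the next hop.
        Returns 'process' (packet triggers normal ARP resolution) or 'discard'."""
        if not self.enabled:
            # Default state on the device: no limit, every ARP Miss is processed.
            self.processed += 1
            return "process"
        # Start a new counting window when none exists or the current one expired.
        if self._window_start is None or now - self._window_start >= self.duration:
            self._window_start = now
            self._count = 0
        self._count += 1
        if self._count > self.max_messages:
            self.discarded += 1
            return "discard"
        self.processed += 1
        return "process"


def simulate(limiter: ArpMissRateLimiter, timestamps: List[float]) -> List[str]:
    """Feed a constructed sequence of ARP Miss event times to the limiter."""
    return [limiter.on_arp_miss(t) for t in timestamps]


def flood_scenario() -> Tuple[int, int]:
    # Constructed: 100 ARP Miss events within one second, limit 20 per 5-second window.
    limiter = ArpMissRateLimiter(max_messages=20, duration=5.0)
    simulate(limiter, [i * 0.01 for i in range(100)])
    return limiter.processed, limiter.discarded  # -> (20, 80)


def two_window_scenario() -> Tuple[int, int]:
    # Constructed: two bursts of 30 events, 6 seconds apart; the second burst
    # falls into a fresh window, so each burst keeps 20 and drops 10.
    limiter = ArpMissRateLimiter(max_messages=20, duration=5.0)
    events = [i * 0.01 for i in range(30)] + [6.0 + i * 0.01 for i in range(30)]
    simulate(limiter, events)
    return limiter.processed, limiter.discarded  # -> (40, 20)


def normal_scenario() -> Tuple[int, int]:
    # Constructed: 10 events spread over 30 seconds never exceed the threshold.
    limiter = ArpMissRateLimiter(max_messages=20, duration=5.0)
    simulate(limiter, [i * 3.0 for i in range(10)])
    return limiter.processed, limiter.discarded  # -> (10, 0)


def disabled_scenario() -> Tuple[int, int]:
    # Default device behaviour: rate limit disabled, the flood is fully processed.
    limiter = ArpMissRateLimiter(max_messages=20, duration=5.0, enabled=False)
    simulate(limiter, [i * 0.01 for i in range(100)])
    return limiter.processed, limiter.discarded  # -> (100, 0)


if __name__ == "__main__":
    for name, fn in [("flood", flood_scenario), ("two windows", two_window_scenario),
                     ("normal", normal_scenario), ("disabled", disabled_scenario)]:
        processed, discarded = fn()
        print(f"{name}: processed={processed} discarded={discarded}")
```

The disabled scenario shows why the default matters: with the limit off, every packet in the flood reaches the control plane. Comparing the `discarded` counter against a baseline for the link is also a useful operational signal, since a sudden rise in discards indicates that the threshold is being hit and is worth investigating.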