Configuring Arp Packet Rate Limit; Configuring Arp Packet Source Mac Address Consistency Check; Configuration Procedure - HP A6600 Configuration Manual


ARP black hole routing configuration
2.
# Enable ARP black hole routing on the device.
<Device> system-view
[Device] arp resolving-route enable

Configuring ARP packet rate limit

This feature allows you to limit the rate of ARP packets delivered to the CPU. For example, if an
attacker sends a large number of ARP packets to a device with ARP detection enabled, the CPU of the
device becomes overloaded because all the ARP packets are redirected to the CPU for checking. As a
result, the device fails to perform other functions properly or even crashes. To solve this problem,
configure ARP packet rate limit.

Enable this feature after the ARP detection, ARP snooping, or MFF feature is configured, or use this
feature to prevent ARP flood attacks.

To configure ARP packet rate limit in system view:

1. Enter system view.
   Command: system-view
2. Configure ARP packet rate limit (for centralized devices).
   Command: arp rate-limit { disable | rate pps drop }
   Remarks: Required. Enabled by default. The ARP packet rate ranges from 5 to 8192 pps.
3. Configure ARP packet rate limit (for distributed devices).
   Command: arp rate-limit { disable | rate pps drop } [ slot slot-number ]
   Remarks: Required. Enabled by default. The ARP packet rate ranges from 5 to 8192 pps.

Configuring ARP packet source MAC address consistency check

This feature enables a gateway device to filter out ARP packets with a source MAC address in the
Ethernet header different from the sender MAC address in the message body, so that the gateway
device can learn correct ARP entries.

Configuration procedure

1. Enter system view.
   Command: system-view
2. Enable ARP packet source MAC address consistency check.
   Command: arp anti-attack valid-check enable
   Remarks: Required. Disabled by default.
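
The comparison that the source MAC address consistency check performs can be reproduced offline in Python. This is an added example, not code from the HP manual or the device software: the function names, the verdict strings, the handling of a single 802.1Q tag, and the sample frames are all assumptions made for illustration.

```python
import struct

ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100

def classify_arp_frame(frame: bytes) -> str:
    """Return 'accept', 'mismatch', 'not-arp' or 'malformed' for a raw Ethernet frame."""
    if len(frame) < 14:
        return "malformed"
    eth_src = frame[6:12]                      # source MAC in the Ethernet header
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_P_8021Q:               # skip one 802.1Q VLAN tag if present
        if len(frame) < 18:
            return "malformed"
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETH_P_ARP:
        return "not-arp"
    arp = frame[offset:offset + 28]            # Ethernet/IPv4 ARP body is 28 bytes
    if len(arp) < 28:
        return "malformed"
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "malformed"
    sender_mac = arp[8:14]                     # sender MAC in the ARP message body
    return "accept" if sender_mac == eth_src else "mismatch"

def build_arp_request(eth_src: bytes, sender_mac: bytes,
                      sender_ip: bytes, target_ip: bytes) -> bytes:
    """Build a constructed ARP request frame for the demonstration below."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp

# Constructed sample frames (documentation addresses, not captured traffic).
HOST_MAC = bytes.fromhex("020000000001")
OTHER_MAC = bytes.fromhex("020000000099")
HOST_IP, GW_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])

CONSISTENT = build_arp_request(HOST_MAC, HOST_MAC, HOST_IP, GW_IP)
INCONSISTENT = build_arp_request(HOST_MAC, OTHER_MAC, HOST_IP, GW_IP)

if __name__ == "__main__":
    for name, frame in [("consistent", CONSISTENT), ("inconsistent", INCONSISTENT),
                        ("truncated", CONSISTENT[:30])]:
        print(f"{name:13s} -> {classify_arp_frame(frame)}")
```

Running the same classifier over frames exported from a capture shows which hosts would be filtered once the check is enabled on the gateway.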
