Optional) Configuring The S9300 To Discard Gratuitous Arp Packets; Enabling Log And Alarm Functions For Potential Attacks - Huawei Quidway S9300 Configuration Manual

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP
Packets
Context
If a large number of gratuitous ARP packets are sent to attack the S9300, the S9300 cannot
process valid ARP packets. You can configure the S9300 to discard the gratuitous ARP packets.
The function of discarding gratuitous ARP packets can be enabled in the system view or the
VLANIF interface view.
l
l
l
Procedure
l
l
----End

4.4.8 Enabling Log and Alarm Functions for Potential Attacks

Issue 06 (2010–01–08)
If the function is enabled in the system view, all the interfaces of the S9300 discard the
gratuitous ARP packets.
If the function is enabled in the VLANIF interface view, the VLANIF interface discards
the gratuitous ARP packets.
Before enabling an interface to discard gratuitous ARP packets, you do not need to enable
the function globally.
Enabling the function of discarding gratuitous ARP packets globally
1. Run:
system-view
The system view is displayed.
2. Run:
arp anti-attack gratuitous-arp drop
The S9300 is enabled to discard gratuitous ARP packets.
By default, the S9300 does not discard gratuitous ARP packets.
Enabling the function of discarding gratuitous ARP packets on an VLANIF interface
1. Run:
system-view
The system view is displayed.
2. Run:
interface vlanif interface-number
The VLANIF interface view is displayed.
Generally, this function is enabled on the user-side interface.
3. Run:
arp anti-attack gratuitous-arp drop
The interface is enabled to discard gratuitous ARP packets.
By default, the interfaces of the S9300 do not discard gratuitous ARP packets.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 ARP Security Configuration
4-13