Configuring Source-Based ARP Miss Suppression; Setting the Suppression Time of ARP Miss Messages - Huawei Quidway S9300 Configuration Manual

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security

4.5.3 Configuring Source-based ARP Miss Suppression

Context
A user may have special requirements; therefore, you can set the suppression rate for
ARP Miss packets with a specified source IP address to a value different from the rate
applied to ARP Miss packets with other source IP addresses.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
arp speed-limit source-ip maximum maximum
The suppression rate of ARP Miss packets is set. The trailing maximum is the rate value, in pps, applied to all source IP addresses that have no specific setting.
Step 3 (Optional) Run:
arp speed-limit source-ip ip-address maximum maximum
The suppression rate of ARP Miss packets with the specified source IP address is set; the trailing maximum is the rate value, in pps, for that address only.
After the preceding configurations are complete, the suppression rate of ARP Miss packets with
the specified source IP address is the value specified by maximum in step 3, and the suppression
rate of ARP Miss packets with any other source IP address is the value specified by maximum in
step 2.
If a suppression rate is set to 0, ARP Miss packets with the corresponding source IP address are
not suppressed. By default, the suppression rate of ARP Miss packets is 5 pps.
----End

4.5.4 Setting the Suppression Time of ARP Miss Messages

Context
After the VLANIF interface receives unreachable IP unicast packets, the packets are sent to the
CPU of the main control board because the ARP entries corresponding to the packets are not
found in the forwarding table. Then, the main control board is triggered to learn ARP entries.
When the main control board learns ARP entries, it sends ARP broadcast request packets and
generates fake ARP entries. The main control board sends the fake ARP entries to the LPU. The
LPU does not send ARP Miss messages after receiving the fake ARP entry. If the main control
board does not learn valid ARP entries, it deletes fake ARP entries. Then, ARP Miss messages
are sent continuously and ARP learning is triggered again.
By default, a fake ARP entry ages out and is deleted after five seconds. That is, by default no
further ARP Miss messages for that destination are sent to the CPU of the main control board
within five seconds. When a large number of fake ARP entries are generated on the S9300, the
S9300 is under attack by unknown unicast packets. In this case, you can adjust the suppression
time of ARP Miss messages (the interval at which unknown unicast packets for the same
destination trigger ARP Miss messages) to reduce the number of unknown unicast packets sent
to the CPU and lower the CPU usage of the main control board.
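The two controls described in 4.5.3 (per-source ARP Miss rate limiting with a per-address override, 0 meaning unsuppressed) and 4.5.4 (fake ARP entries that absorb further ARP Miss messages for a destination until they age out) can be modelled together in a few lines. The following Python model is an added illustration and not Huawei code; the switch's real implementation is not described in this much detail by the manual. It assumes, as a simplification, that the rate limit is a per-source counter over each one-second window and that the fake entry is a per-destination expiry timestamp. The traffic stream is constructed for the example.

```python
"""Software model of ARP Miss suppression on an S9300-style switch.

Added illustration, not Huawei code. Assumptions (not from the manual):
the per-source rate limit is a count per one-second window, and the fake
ARP entry is a per-destination expiry time that absorbs repeated ARP Miss
messages for that destination until it ages out.
"""
from dataclasses import dataclass, field

DEFAULT_RATE_PPS = 5          # manual: default ARP Miss suppression rate
DEFAULT_FAKE_ENTRY_AGE = 5.0  # manual: fake ARP entry aged out within five seconds


@dataclass
class ArpMissGuard:
    # step 2: arp speed-limit source-ip maximum <rate> (0 = unsuppressed)
    default_rate: int = DEFAULT_RATE_PPS
    # step 3: arp speed-limit source-ip <ip> maximum <rate>, one entry per address
    per_source_rate: dict = field(default_factory=dict)
    # 4.5.4: suppression time, modelled as the fake entry aging time
    fake_entry_age: float = DEFAULT_FAKE_ENTRY_AGE
    _window: dict = field(default_factory=dict, init=False)  # (src, second) -> count
    _fake: dict = field(default_factory=dict, init=False)    # dst -> expiry time
    cpu_miss: int = field(default=0, init=False)   # ARP Miss messages reaching the CPU
    dropped: int = field(default=0, init=False)    # suppressed by the rate limit
    absorbed: int = field(default=0, init=False)   # absorbed by an existing fake entry

    def rate_for(self, src):
        """Per-address override if configured, otherwise the global rate."""
        return self.per_source_rate.get(src, self.default_rate)

    def unknown_unicast(self, t, src, dst):
        """Handle a unicast packet whose destination has no ARP entry at time t."""
        # 4.5.4: while a fake entry for dst exists, the LPU sends no ARP Miss
        if self._fake.get(dst, -1.0) > t:
            self.absorbed += 1
            return "absorbed"
        limit = self.rate_for(src)
        key = (src, int(t))
        if limit != 0 and self._window.get(key, 0) >= limit:
            self.dropped += 1
            return "dropped"
        self._window[key] = self._window.get(key, 0) + 1
        self.cpu_miss += 1
        # the main control board starts ARP learning and installs a fake entry
        self._fake[dst] = t + self.fake_entry_age
        return "cpu"


def constructed_traffic():
    """Constructed sample stream of (time, src, dst) unknown-unicast packets."""
    pkts = []
    # one host probing 100 unreachable addresses within a single second
    pkts += [(i * 0.01, "10.1.1.9", f"10.1.2.{i}") for i in range(100)]
    # an ordinary host retrying one unreachable peer a few times
    pkts += [(t, "10.1.1.20", "10.1.2.200") for t in (0.0, 0.5, 1.0, 3.0, 6.0)]
    # a busy server with a raised per-source limit, 30 new peers in one second
    pkts += [(2.0 + i * 0.01, "10.1.1.5", f"10.1.3.{i}") for i in range(30)]
    return sorted(pkts)


def simulate(default_rate=DEFAULT_RATE_PPS, per_source=None):
    """Run the constructed stream through the guard and return the counters."""
    if per_source is None:
        per_source = {"10.1.1.5": 20}   # step 3 override for the server (constructed)
    guard = ArpMissGuard(default_rate=default_rate, per_source_rate=per_source)
    for t, src, dst in constructed_traffic():
        guard.unknown_unicast(t, src, dst)
    return {"cpu": guard.cpu_miss, "dropped": guard.dropped, "absorbed": guard.absorbed}


if __name__ == "__main__":
    print("default 5 pps:", simulate())
    print("rate 0 (unsuppressed):", simulate(default_rate=0))
```

With the defaults, the probing host gets only 5 of its 100 ARP Miss messages through to the CPU in that second, the server with the step 3 override gets 20 of 30, and the ordinary host's retries within five seconds are absorbed by the fake entry rather than generating new ARP Miss messages. Setting the global rate to 0 lets all 100 probe packets reach the CPU, which is the load the two controls exist to bound.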
Issue 06 (2010–01–08)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 ARP Security Configuration
4-17
