Huawei Quidway S9300 Configuration Manual page 194

4 ARP Security Configuration
# Set the suppression rate for ARP packets sent by User 4 to 200 pps. To keep any user from
flooding the switch with ARP packets, also set the system-wide suppression rate for ARP
packets to 300 pps; the per-IP limit takes precedence for that host.
[Quidway] arp speed-limit source-ip maximum 300
[Quidway] arp speed-limit source-ip 2.2.2.4 maximum 200
Step 6 Configure the rate suppression function for ARP Miss packets.
# Set the system-wide suppression rate for ARP Miss packets to 400 pps. An IP packet whose
destination IP address has no ARP entry triggers an ARP Miss, so this limits users who send
large numbers of IP packets to unreachable destination IP addresses.
[Quidway] arp-miss speed-limit source-ip maximum 400
# Set the suppression rate for ARP Miss packets triggered by the server to 1000 pps. This still
prevents the server from sending large numbers of IP packets to unreachable destination IP
addresses, while the higher per-host limit keeps the server's legitimate traffic from being
throttled by the 400 pps system-wide limit, which would interrupt communication on the network
when the server legitimately needs to send such packets at a higher rate.
[Quidway] arp-miss speed-limit source-ip 2.2.2.2 maximum 1000
Step 7 Enable the log and alarm (trap) functions for potential attacks.
# Set the timer for ARP anti-attack logs and traps to 30 seconds. The default is 0, which
disables the logs and traps generated when the speed limits are exceeded.
[Quidway] arp anti-attack log-trap-timer 30
Step 8 Verify the configuration.
After the configuration, run the display arp learning strict command to check the strict ARP
learning settings. Strict learning is enabled globally and no interface overrides it
(force-enable and force-disable are both 0):
<Quidway> display arp learning strict
The global configuration:arp learning strict
 interface                          LearningStrictState
------------------------------------------------------------
------------------------------------------------------------
 Total:0        force-enable:0        force-disable:0
Run the display arp-limit command to check the maximum number of ARP entries the interface
may learn (LimitNum) against the number it has actually learned (LearnedNum):
<Quidway> display arp-limit interface GigabitEthernet1/0/1
 interface              VlanID     LimitNum     LearnedNum(Mainboard)
---------------------------------------------------------------------------
 GigabitEthernet1/0/1   10         20           0
---------------------------------------------------------------------------
 Total:1
Run the display arp anti-attack configuration all command to check the ARP anti-attack
configuration. The per-host and system-wide ("Others") ARP speed limits configured above appear
in the speed-limit table, and the log-trap-timer shows the value set in Step 7:
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP speed-limit for source-IP configuration:
 IP-address         suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
 2.2.2.4            200
 Others             300
------------------------------------------------------------------------
 1 specified IP addresses are configured, spec is 1024 items.
4-24
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 06 (2010-01-08)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
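As an added example (not code from the Huawei manual), the following Python script parses the output of display arp anti-attack configuration all and flags the two states that the display text itself marks as disabled: a suppress-rate of 0 and a log-trap-timer of 0. Run against display output collected from many switches, it turns the manual verification step above into an automated check. The sample text is constructed from the manual's example output; the audit() function and its finding messages are this example's own.

```python
"""Audit Huawei 'display arp anti-attack configuration all' output.

Added example, not code from the Huawei manual. Parses the verification
output and flags settings the display itself marks as disabled (rate 0,
log-trap-timer 0). SAMPLE_OUTPUT is constructed from the manual's example;
audit() and its messages are this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the manual's verification output as one string.
SAMPLE_OUTPUT = """\
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP speed-limit for source-IP configuration:
 IP-address         suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
 2.2.2.4            200
 Others             300
------------------------------------------------------------------------
 1 specified IP addresses are configured, spec is 1024 items.
"""


@dataclass
class ArpAntiAttackConfig:
    entry_check_mode: str = ""
    gateway_duplicate_enabled: bool = False
    log_trap_timer: int = 0                           # seconds; 0 = logs/traps disabled
    speed_limits: dict = field(default_factory=dict)  # IP or "Others" -> pps; 0 = disabled


# "ARP anti-attack log-trap-timer: 30seconds" (the device prints no space before the unit)
_TIMER_RE = re.compile(r"^ARP anti-attack log-trap-timer:\s*(\d+)\s*seconds?")
# One row of the speed-limit table: an IPv4 address or the word "Others", then a rate.
_RATE_ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}|Others)\s+(\d+)\s*$")


def parse_arp_anti_attack(text: str) -> ArpAntiAttackConfig:
    """Parse the display output into a structured record."""
    cfg = ArpAntiAttackConfig()
    for line in text.splitlines():
        if line.startswith("ARP anti-attack entry-check mode:"):
            cfg.entry_check_mode = line.split(":", 1)[1].strip()
        elif line.startswith("ARP gateway-duplicate anti-attack function:"):
            cfg.gateway_duplicate_enabled = (
                line.split(":", 1)[1].strip().lower() == "enabled")
        elif (m := _TIMER_RE.match(line)):
            cfg.log_trap_timer = int(m.group(1))
        elif (m := _RATE_ROW_RE.match(line)):
            cfg.speed_limits[m.group(1)] = int(m.group(2))
    return cfg


def audit(cfg: ArpAntiAttackConfig) -> list:
    """Return human-readable findings; an empty list means all checks pass."""
    findings = []
    if cfg.log_trap_timer == 0:
        findings.append("log-trap-timer is 0: speed-limit logs and traps are disabled")
    if cfg.speed_limits.get("Others", 0) == 0:
        findings.append("no system-wide (Others) source-IP speed limit: rate 0 means disabled")
    for ip, rate in cfg.speed_limits.items():
        if ip != "Others" and rate == 0:
            findings.append(f"speed limit for {ip} is 0: the limit is disabled for that host")
    if not cfg.gateway_duplicate_enabled:
        findings.append("gateway-duplicate anti-attack function is not enabled")
    return findings


if __name__ == "__main__":
    parsed = parse_arp_anti_attack(SAMPLE_OUTPUT)
    print(parsed)
    for finding in audit(parsed) or ["no findings"]:
        print("-", finding)
```

The row regex deliberately requires an IPv4 address or the literal "Others" followed by a bare integer, so the table header, the dashed rules and the trailing "1 specified IP addresses ..." summary line never match. Per-host ARP Miss limits such as the server's 1000 pps are not shown in this display block on the page, so the audit does not check them.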