Task
prevention
Configuring ARP defense against IP packet attacks
Introduction
If the device receives a large number of IP packets from a host addressed to unreachable destinations,
•
The device sends a large number of ARP requests to the destination subnets, and thus the load of the
destination subnets increases.
The device keeps trying to resolve destination IP addresses, which increases the load on the CPU.
•
To protect the device from IP packet attacks, you can enable the ARP source suppression function or ARP
black hole routing function.
If the packets have the same source address, you can enable the ARP source suppression function. With
the function enabled, you can set a threshold for the number of ARP requests that a sending host can
trigger in five seconds with packets with unresolvable destination IP addresses. When the number of ARP
requests exceeds that threshold, the device suppresses the host from triggering any ARP requests in the
following five seconds.
If the packets have various source addresses, you can enable the ARP black hole routing function. After
receiving an IP packet whose destination IP address cannot be resolved by ARP, the device with this
function enabled immediately creates a black hole route and simply drops all packets matching the route
during the aging time of the black hole route.
Configuring ARP source suppression
Follow these steps to configure ARP source suppression:
To do...
Enter system view
Configuring ARP active acknowledgement
Configuring ARP detection
Configuring ARP automatic scanning and fixed
ARP
Configuring ARP gateway protection
Configuring ARP filtering
Remarks
Optional
Configure this function on gateways
(recommended).
Optional
Configure this function on access
devices (recommended).
Optional
Configure this function on gateways
(recommended).
Optional
Configure this function on access
devices (recommended).
Optional
Configure this function on access
devices (recommended).
Use the command...
system-view
331
Remarks
—