Configuring Arp Packet Rate Limit; Introduction - HP 3600 v2 Series Security Configuration Manual

Configuring ARP packet rate limit

Introduction

The ARP packet rate limit feature lets you limit the rate at which ARP packets are delivered to the CPU of
a switch. For example, if an attacker sends a large number of ARP packets to a device with ARP detection
enabled, all of those ARP packets are redirected to the CPU for checking and the CPU becomes overloaded.
As a result, the device can no longer perform its other functions properly, or may even crash. To address
this problem, you can configure ARP packet rate limit.
Enable this feature after the ARP detection, ARP snooping, or MFF feature is configured, or use it on its
own to mitigate ARP flood attacks.
Configuring ARP packet rate limit
When the ARP packet rate on an interface exceeds the rate limit set on that interface, a device with ARP
packet rate limit enabled sends trap and log messages to report the event. To avoid an excessive number of
trap and log messages, you can set the interval at which such messages are sent. Within each interval, the
device reports the peak ARP packet rate observed in the trap and log messages.
Note that trap and log messages are generated only after the trap function of ARP packet rate limit is
enabled. Trap and log messages are sent to the information center of the device. You can set the
parameters of the information center to determine the output rules for trap and log messages. The output
rules specify whether the messages may be output and where they are sent. For the parameter
configuration of the information center, see Network Management and Monitoring Configuration Guide.
Follow these steps to configure ARP packet rate limit:

Step 1: Enter system view
  Use the command: system-view

Step 2: Enable ARP packet rate limit trap
  Use the command: snmp-agent trap enable arp rate-limit
  Remarks: Optional. Enabled by default.

Step 3: Set the interval for sending trap and log messages when the ARP packet rate exceeds the specified threshold rate
  Use the command: arp rate-limit information interval seconds
  Remarks: Optional. 60 seconds by default.

Step 4: Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view
  Use the command: interface interface-type interface-number

Step 5: Configure ARP packet rate limit
  Use the command: arp rate-limit { disable | rate pps drop }
  Remarks: Required. By default, ARP packet rate limit is disabled.

NOTE:
If you enable ARP packet rate limit on a Layer 2 aggregate interface, trap and log messages are sent
when the ARP packet rate of a member port exceeds the preset threshold rate.
For more information about the snmp-agent trap enable arp rate-limit command, see the snmp-agent
trap enable arp command in the Network Management and Monitoring Command Reference.
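The following CLI session puts the steps above together in order. It is an added example, not taken from the HP manual: the device prompts, the interface names (GigabitEthernet1/0/1 and Bridge-Aggregation1), the 120-second interval and the 100 pps threshold are all assumed values chosen for illustration. The pps value that is appropriate for a given network, and the valid pps range, are not stated on this page and should be checked against the command reference and against a baseline of normal ARP traffic before enforcing a drop.

```text
# Step 1: enter system view (prompt names are assumed)
<Sysname> system-view

# Step 2: trap on rate-limit violations is enabled by default; this line
# makes the intent explicit in the running configuration
[Sysname] snmp-agent trap enable arp rate-limit

# Step 3: report at most one trap/log message per 120 seconds per interface
# (default is 60 seconds); each message carries the peak rate seen in the interval
[Sysname] arp rate-limit information interval 120

# Steps 4-5: on an access port, deliver at most 100 ARP packets per second to
# the CPU and drop the excess (assumed interface name and assumed threshold)
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] arp rate-limit rate 100 drop
[Sysname-GigabitEthernet1/0/1] quit

# Steps 4-5 on a Layer 2 aggregate interface (assumed name): the threshold
# applies per member port, so a single member exceeding 100 pps triggers
# the trap/log message
[Sysname] interface Bridge-Aggregation 1
[Sysname-Bridge-Aggregation1] arp rate-limit rate 100 drop
[Sysname-Bridge-Aggregation1] quit

# Disabling the limit on an interface uses the disable keyword
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] arp rate-limit disable
```

Because the limit only caps what reaches the CPU, the trap and log messages are the signal a defender actually works from: route them through the information center to a syslog collector or SNMP manager so that a burst on one port is visible outside the switch, and treat repeated peak-rate reports on the same port within a short time as an indicator worth investigating rather than as noise to be suppressed with a longer interval.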

This manual is also suitable for: A3100-48 v2