Configuring Interface-Based Arp Entry Limitation; Checking The Configuration - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03

4 ARP Security Configuration

4.3.3 Configuring Interface-based ARP Entry Limitation

Context
If attackers occupy a large number of ARP entries, the S9300 cannot learn the ARP entries of
authorized users. To prevent such attacks, you can set the maximum number of ARP entries that
can be dynamically learned by an interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
The interface can be a GE interface, an Ethernet interface, an Eth-Trunk, or a VLANIF interface.
Step 3 Run:
arp-limit [ vlan vlan-id [ to vlan-id2 ]] maximum maximum
Interface-based ARP entry limitation is configured.
The vlan parameter can be used only on GE interfaces, Ethernet interfaces, or Eth-Trunks.
----End

4.3.4 Checking the Configuration

Prerequisite
The configurations of ARP entry limitation are complete.
Procedure
● Run the display arp learning strict command to view the configuration of strict ARP entry
  learning.
  By default, the configuration of strict ARP entry learning on an interface is the same
  as that configured globally.
● Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ]
  command to view the maximum number of ARP entries that can be learned by an interface
  or a VLAN.
----End
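
The procedure in 4.3.3 and the check in 4.3.4, scripted as an added example (not part of the Huawei manual): a Python helper that renders the CLI lines for a list of interfaces and rejects the vlan parameter on VLANIF interfaces, as the procedure requires. The interface name spellings, the quit command, the 1-4094 VLAN ID range and the sample inventory are assumptions that do not come from the page.

```python
import re

# Interface types the page allows for arp-limit. The CLI spellings below are
# assumed VRP-style names; adjust them to what your device accepts.
VLAN_CAPABLE = ("GigabitEthernet", "Ethernet", "Eth-Trunk")
ALLOWED = VLAN_CAPABLE + ("Vlanif",)

def arp_limit_command(kind, maximum, vlan=None, vlan_to=None):
    """Build one arp-limit line, enforcing the page's vlan restriction."""
    if kind not in ALLOWED:
        raise ValueError(f"arp-limit is not documented for {kind}")
    # The page gives no value range for maximum; only reject nonsense here.
    if not isinstance(maximum, int) or maximum < 1:
        raise ValueError("maximum must be a positive integer")
    if vlan is None and vlan_to is not None:
        raise ValueError("vlan_to requires vlan")
    parts = ["arp-limit"]
    if vlan is not None:
        if kind not in VLAN_CAPABLE:
            raise ValueError(f"the vlan parameter cannot be used on {kind}")
        last = vlan if vlan_to is None else vlan_to
        if not 1 <= vlan <= last <= 4094:  # assumed standard VLAN ID range
            raise ValueError("VLAN IDs must be ascending and within 1-4094")
        parts += ["vlan", str(vlan)]
        if vlan_to is not None:
            parts += ["to", str(vlan_to)]
    return " ".join(parts + ["maximum", str(maximum)])

def build_session(inventory):
    """Turn [(interface, maximum, vlan, vlan_to), ...] into config and check lines."""
    config, checks = ["system-view"], []
    for interface, maximum, vlan, vlan_to in inventory:
        m = re.fullmatch(r"([A-Za-z-]+)\s*(\d+(?:/\d+)*)", interface.strip())
        if not m:
            raise ValueError(f"cannot parse interface name {interface!r}")
        kind, number = m.groups()
        config += [f"interface {kind} {number}",
                   arp_limit_command(kind, maximum, vlan, vlan_to),
                   "quit"]  # assumed: quit returns to the system view (not on the page)
        checks.append(f"display arp-limit interface {kind} {number}")
    return config, checks

# Constructed inventory: names and limits are illustrative, not recommendations.
SAMPLE = [("GigabitEthernet 1/0/1", 20, 10, 20),
          ("Eth-Trunk 1", 50, None, None),
          ("Vlanif 100", 200, None, None)]

if __name__ == "__main__":
    config, checks = build_session(SAMPLE)
    print("\n".join(config + checks))
```

Because validation happens before any line is emitted, a bad inventory row stops the whole run instead of producing a partial configuration.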
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 01 (2009-07-28)
