Suppressing Transmission Rate Of Arp Packets; Establishing The Configuration Task - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
Run the display arp anti-attack gateway-duplicate item command to view information about
bogus gateway address attacks on the network.
<Quidway> display arp anti-attack gateway-duplicate item
interface               IP address      MAC address     VLANID  aging time
-------------------------------------------------------------------------------
GigabitEthernet1/0/1    2.1.1.1         0000-0000-0002  2       153
GigabitEthernet1/0/1    2.1.1.1         0000-0000-0004  2       179
-------------------------------------------------------------------------------
There are 2 records in gateway conflict table
Run the display arp anti-attack check user-bind interface interface-type interface-number
command to view the configuration of the binding table used for checking ARP packets.
<Quidway> display arp anti-attack check user-bind interface GigabitEthernet 1/0/0
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind alarm threshold 50
arp total                                        10

4.5 Suppressing Transmission Rate of ARP Packets

This section describes how to suppress the transmission rate of ARP packets.

4.5.1 Establishing the Configuration Task
4.5.2 Configuring Source-based ARP Suppression
4.5.3 Configuring Source-based ARP Miss Suppression
4.5.4 Setting the Suppression Time of ARP Miss Messages
4.5.5 Suppressing Transmission Rate of ARP Packets
4.5.6 Checking the Configuration

4.5.1 Establishing the Configuration Task
Applicable Environment
On an Ethernet Metropolitan Area Network (MAN), ARP entries are easily attacked; therefore,
ARP suppression features must be configured on the access layer or convergence layer to
ensure network security.
● To prevent excessive ARP packets from increasing the CPU workload and occupying
  excessive ARP entries, you can suppress the transmission rate of ARP packets. This limits
  the rate at which ARP packets are transmitted to the main control board.
● To prevent a host from sending excessive IP packets whose destination IP addresses cannot
  be resolved, you can suppress the source IP address that sends the packets, that is, configure
  source-based ARP Miss suppression. These IP packets are then discarded.
● After the IP source guard function is enabled on an interface, all the ARP packets passing
  through the interface are forwarded to the security module for checking. If excessive ARP
Issue 01 (2009-07-28)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 ARP Security Configuration
4-13
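As an added example (not part of the Huawei manual), the following Python code parses the display arp anti-attack gateway-duplicate item output shown earlier on this page and groups the conflict records by VLAN and gateway IP, so that each MAC address claiming the gateway can be traced to the interfaces it appeared on. The column layout is assumed from the page's sample output, the third sample row is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the page's column layout (layout assumed from the page's
# example; the third record is invented to show one MAC seen on two interfaces).
SAMPLE = """\
interface               IP address      MAC address     VLANID  aging time
-------------------------------------------------------------------------------
GigabitEthernet1/0/1    2.1.1.1         0000-0000-0002  2       153
GigabitEthernet1/0/1    2.1.1.1         0000-0000-0004  2       179
GigabitEthernet2/0/3    2.1.1.1         0000-0000-0004  2       12
-------------------------------------------------------------------------------
There are 3 records in gateway conflict table
"""

ROW = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})\s+(?P<vlan>\d+)\s+(?P<aging>\d+)$"
)
COUNT = re.compile(r"There are (\d+) records in gateway conflict table")


def parse_conflicts(text):
    """Return (records, declared_count); raise if rows and the footer disagree."""
    records, declared = [], None
    for line in text.splitlines():
        row, count = ROW.match(line.strip()), COUNT.search(line)
        if row:
            rec = row.groupdict()
            rec.update(mac=rec["mac"].lower(), vlan=int(rec["vlan"]), aging=int(rec["aging"]))
            records.append(rec)
        elif count:
            declared = int(count.group(1))
    if declared is not None and declared != len(records):
        raise ValueError(f"parsed {len(records)} rows, device reported {declared}")
    return records, declared


def summarize(records):
    """Map each conflicting (VLAN, gateway IP) to {claiming MAC: [interfaces]}."""
    by_gw = defaultdict(lambda: defaultdict(set))
    for r in records:
        by_gw[(r["vlan"], r["ip"])][r["mac"]].add(r["ifname"])
    return {gw: {mac: sorted(p) for mac, p in macs.items()} for gw, macs in by_gw.items()}


if __name__ == "__main__":
    for (vlan, ip), macs in summarize(parse_conflicts(SAMPLE)[0]).items():
        for mac, ports in macs.items():
            print(f"VLAN {vlan} gateway {ip}: claimed by {mac} on {', '.join(ports)}")
```

The row-count check against the "There are N records" line catches output that was truncated by paging or a cut-off capture before it is used for triage.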
