Suppressing Transmission Rate Of Arp Packets - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03

Hide thumbs Also See for Quidway S9300:

Configuration manual - network management (630 pages)

Configuration manual (603 pages)

Configuration manual - multicast (262 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

page of 178

/ 178
Contents
Table of Contents
Bookmarks

Table of Contents

4 ARP Security Configuration

Context

After the VLANIF interface receives unreachable IP unicast packets, the packets are sent to the

CPU of the main control board because the ARP entries corresponding to the packets are not

found in the forwarding table. Then, the main control board is triggered to learn ARP entries.

When the main control board learns ARP entries, it sends ARP broadcast request packets and

generates fake ARP entries. The main control board sends the fake ARP entries to the LPU. The

LPU does not send ARP Miss messages after receiving the fake ARP entry. If the main control

board does not learn valid ARP entries, it deletes fake ARP entries. Then, ARP Miss messages

are sent continuously and ARP learning is triggered again.

The fake ARP entry is aged within five seconds and thus deleted by default. That is, ARP Miss

messages are not sent to the CPU of the main control board within five seconds by default. When

a large number of fake ARP entries are generated on the S9300, the S9300 is attacked by

unknown packets. In this case, you can adjust the interval for sending unknown packets to reduce

the sent unknown unicast packets and the CPU usage of the main control board.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface vlanif interface-number

The VLANIF interface view is displayed.

Step 3 Run:

arp-miss suppress suppress-time

The suppression time for the S9300 to send ARP Miss messages is set.

By default, the suppression time for the S9300 to send ARP Miss messages is 5 seconds.

----End

4.5.5 Suppressing Transmission Rate of ARP Packets

Context

Before configuring the global ARP suppression, ensure that the IP source guard function is

enabled on the interface.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

arp anti-attack rate-limit enable

The transmission rate of ARP packets is limited.

4-16

Huawei Proprietary and Confidential

Quidway S9300 Terabit Routing Switch

Configuration Guide - Security

Issue 01 (2009-07-28)

Table of Contents

Suppressing Transmission Rate Of Arp Packets - Huawei Quidway S9300 Configuration Manual

4.5.5 Suppressing Transmission Rate of ARP Packets

Related Manuals for Huawei Quidway S9300

Related Content for Huawei Quidway S9300

Table of Contents