Configuring The Arp Packet Rate Limit Function - H3C S3100 8C SI Operation Manual

Operation Manual – ARP
H3C S3100 Series Ethernet Switches
Note:
You need to enable DHCP snooping and configure DHCP snooping trusted ports on
the switch before configuring the ARP attack detection function. For more
information about DHCP snooping, refer to the DHCP snooping section in the part
discussing DHCP in this manual.
Generally, the uplink port of a switch is configured as a trusted port.
Before enabling ARP restricted forwarding, make sure you enable ARP attack
detection and configure ARP trusted ports.
Currently, the VLAN ID of an IP-to-MAC binding configured on a port of an S3100-EI
series Ethernet switch is the same as the default VLAN ID of the port. If the VLAN
tag of an ARP packet is different from the default VLAN ID of the receiving port, the
ARP packet cannot pass the ARP attack detection based on the IP-to-MAC
bindings.
When you use the ARP attack detection in cooperation with VLAN mapping, you
need to enable ARP attack detection in both the original VLAN and the mapped
VLAN. For more information about VLAN mapping, refer to VLAN-VPN Operation in
this manual.
You are not recommended to configure ARP attack detection on the ports of an
aggregation group.

1.2.4 Configuring the ARP Packet Rate Limit Function

Table 1-7 Configure the ARP packet rate limit function
Enter system view
Enter Ethernet port view
Enable the ARP packet
rate limit function
Configure the maximum
ARP packet rate allowed
on the port
Quit to system view
Enable the port state
auto-recovery function
Operation
system-view
interface interface-type
interface-number
arp rate-limit enable
arp rate-limit rate
quit
arp protective-down
recover enable
Command
1-10
Chapter 1 ARP Configuration
Remarks
—
—
Required
By default, the ARP
packet rate limit function
is disabled on a port.
Optional
By default, the maximum
ARP packet rate allowed
on a port is 15 pps.
—
Optional
By default, the port state
auto-recovery function is
disabled.