Introduction To Arp Packet Rate Limit; Introduction To Gratuitous Arp - H3C S5600 Series Operation Manual


Operation Manual – ARP
H3C S5600 Series Ethernet Switches
• With trusted ports configured, ARP packets coming from the trusted ports are not checked, while those from other ports are checked against the DHCP snooping table or the manually configured IP binding table.
• With the ARP restricted forwarding function enabled, ARP request packets are forwarded through trusted ports only; ARP response packets are forwarded according to the destination MAC addresses in the packets, or through trusted ports if the MAC address table contains no entry for the destination MAC address.

1.1.6 Introduction to ARP Packet Rate Limit

To prevent man-in-the-middle attacks, a switch with the ARP attack detection function enabled delivers ARP packets to the CPU to check their validity. However, this introduces a new problem: if an attacker sends a large number of ARP packets to a port of the switch, the CPU becomes overloaded, causing other functions to fail and possibly the whole device to break down. To guard against such attacks, S5600 series Ethernet switches support the ARP packet rate limit function, which shuts down the attacked port and thus prevents serious impact on the CPU.

With this function enabled on a port, the switch counts the ARP packets received on the port within each second. If the number of ARP packets received on the port per second exceeds the preconfigured value, the switch considers the port to be under ARP packet attack and shuts it down. As the port then receives no packets at all, the switch is protected from the ARP packet attack.

At the same time, the switch supports automatic recovery of the port state. If a port is shut down by the switch because of a high packet rate, the port reverts to the Up state after a configured period of time.
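The per-port behaviour described above (count ARP packets per second, shut the port when the count exceeds the configured value, bring it back Up after the recovery interval) as a small simulation. This is an added illustration, not H3C code; the threshold, recovery time and port names are constructed values.

```python
"""Simulation of the ARP packet rate limit described in this section.

Constructed example, not switch firmware: each port is shut down when more
than `threshold` ARP packets arrive within one second, and it returns to
the Up state automatically once `recovery_seconds` have elapsed.
"""
from collections import defaultdict


class ArpRateLimiter:
    def __init__(self, threshold, recovery_seconds):
        self.threshold = threshold           # max ARP packets per second per port
        self.recovery = recovery_seconds     # seconds a shut port stays down
        self.counts = defaultdict(int)       # (port, whole second) -> packets seen
        self.down_until = {}                 # port -> time at which it recovers

    def is_up(self, port, now):
        """Port state at time `now`, applying automatic recovery if due."""
        until = self.down_until.get(port)
        if until is None:
            return True
        if now >= until:
            del self.down_until[port]        # recovery interval has elapsed
            return True
        return False

    def arp_received(self, port, now):
        """Process one ARP packet arriving on `port` at time `now`.

        Returns True if the packet is accepted for CPU processing, False if it
        is dropped because the port is (or has just been) shut down.
        """
        if not self.is_up(port, now):
            return False
        window = (port, int(now))            # one counter per port per second
        self.counts[window] += 1
        if self.counts[window] > self.threshold:
            self.down_until[port] = now + self.recovery   # shut the port
            return False
        return True


def run_trace(limiter, trace):
    """Feed (time, port) arrivals; return (time, port, accepted, port_up) rows."""
    return [(t, p, limiter.arp_received(p, t), limiter.is_up(p, t))
            for t, p in trace]


if __name__ == "__main__":
    lim = ArpRateLimiter(threshold=3, recovery_seconds=10)
    flood = [(0.1 + 0.05 * i, "GigabitEthernet1/0/1") for i in range(6)]   # constructed burst
    for row in run_trace(lim, flood + [(0.5, "GigabitEthernet1/0/2"), (11.0, "GigabitEthernet1/0/1")]):
        print(row)
```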

1.1.7 Introduction to Gratuitous ARP

The following are the characteristics of gratuitous ARP packets:
• Both the source and the destination IP address carried in a gratuitous ARP packet are the local IP address, and the source MAC address carried in it is the local MAC address.
• If a device finds that the IP address carried in a received gratuitous ARP packet conflicts with its own, it returns an ARP response to the sending device to notify it of the IP address conflict.
By sending gratuitous ARP packets, a network device can:
• Determine whether IP address conflicts exist between it and other network devices.
• Trigger other network devices to update the hardware address they have stored for it in their ARP caches.
With the gratuitous ARP packet learning function enabled:
1-6
Chapter 1 ARP Configuration


This manual is also suitable for:

S5600-26C, S5600-26C-PWR, S5600-26F, S5600-50C, S5600-50C-PWR