Configuring The Arp Packet Rate Limit Function - H3C S5600 Series Operation Manual

To do...
Enable the ARP attack detection
function
Enable ARP restricted forwarding
When most clients acquire IP addresses through DHCP and some clients use static IP addresses,
you need to enable DHCP snooping and configure static IP binding entries on the switch. These
functions can cooperate with ARP attack detection to check the validity of packets.
You need to use ARP attack detection based on authenticated 802.1x clients together with
functions of both MAC-based 802.1x authentication and ARP attack detection.
Currently, the VLAN ID of an IP-to-MAC binding configured on a port of an S5600 series Ethernet
switch is the same as the default VLAN ID of the port. If the VLAN tag of an ARP packet is different
from the default VLAN ID of the receiving port, the ARP packet cannot pass the ARP attack
detection based on the IP-to-MAC bindings.
Before enabling ARP restricted forwarding, make sure you have enabled ARP attack detection and
configured ARP trusted ports.
You are not recommended to configure ARP attack detection on the ports of a fabric or an
aggregation group.

Configuring the ARP Packet Rate Limit Function

Follow these steps to configure the ARP packet rate limit function:
To do...
Enter system view
Enter Ethernet port view
Enable the ARP packet rate limit
function
Configure the maximum ARP
packet rate allowed on the port
Quit to system view
Enable the port state auto-recovery
function
Use the command...
arp detection enable
arp restricted-forwarding enable
Use the command...
system-view
interface interface-type
interface-number
arp rate-limit enable
arp rate-limit rate
quit
arp protective-down recover
enable
2-7
Remarks
Required
By default, ARP attack detection is
disabled on all ports.
Optional
Disabled by default.
Remarks
—
—
Required
By default, the ARP packet rate
limit function is disabled on a port.
Optional
By default, the maximum ARP
packet rate allowed on a port is 15
pps.
—
Optional
Disabled by default.