In ARP Security Configuration Commands_part 1, we mainly introduces arp-limit, but in this article, we will introduce arp anti-attack rate-limit enable.
arp anti-attack rate-limit enable
All firmware should be provided by the client and obtained from legally authorized way.
Function
The arp anti-attack rate-limit enable command enables rate limitation on ARP packets.
The undo arp anti-attack rate-limit enable command disables rate limitation on ARP packets.
By default, rate limitation on ARP packet is disabled.
Product | Support |
S2750 | Not Supported |
S5700 | Supported (excluding S5700LI and S5700S-LI) |
S6700 | Supported |
Format
arp anti-attack rate-limit enable
undo arp anti-attack rate-limit enable
Views
System view, VLAN view, 40GE interface view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
The device has no sufficient CPU resource to process other services when processing a large number of ARP packets. To protect CPU resources of the device, it’s necessary to limit the rate of ARP packets.
Run the arp anti-attack rate-limit enable command to enable rate limitation on ARP packets. When the rate of ARP packets exceeds the limitation, the remaining ARP packets will be discarded. If need to set the rate limitation and rate limitation duration of ARP packets, please run the arp anti-attack rate-limit command.
Example
# Enable rate limit on ARP packets globally.
<HUAWEI> system-view [HUAWEI] arp anti-attack rate-limit enable
arp anti-attack rate-limit
Function
The arp anti-attack rate-limit command sets the maximum rate and rate limitation duration of ARP packets globally, in a VLAN, or on an interface, enables the function of discarding all ARP packets received from the interface when the rate of ARP packets exceeds the limitation on an interface.
The undo arp anti-attack rate-limit command restores the default maximum rate and rate limitation duration of ARP packets globally, in a VLAN, or on an interface, and allows the device to send ARP packets to the CPU again.
By default, a maximum of 100 ARP packets are allowed to pass in 1 second, and the function of discarding all ARP packets received from the interface when the rate of ARP packets exceeds the limitation is disabled
Product | Support |
S2750 | Not Supported |
S5700 | Supported (excluding S5700LI and S5700S-LI) |
S6700 | Supported |
Format
System view, VLAN view
arp anti-attack rate-limit packet packet-number [ interval interval-value ]
undo arp anti-attack rate-limit
Interface view
arp anti-attack rate-limit packet packet-number [ interval interval-value | block-timer timer ]*
undo arp anti-attack rate-limit
Parameters
Parameter |
|
Description | Value |
---|---|---|---|
packet packet-number | Specifies the maximum rate of sending ARP packets, that is, the number of ARP packets allowed to pass through in the rate limit duration. | The value is an integer that ranges from 1 to 16384. The default value is 100. | |
interval interval-value | Specifies the rate limit duration of ARP packets. | The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second. | |
block-timer timer | Specifies the duration for blocking ARP packets. | The value is an integer that ranges from 5 to 864000, in seconds. |
Views
System view, VLAN view, 40GE interface view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After rate limitation on ARP packets is enabled, run the arp anti-attack rate-limit command to set the maximum rate and rate limitation duration of ARP packets globally, in a VLAN, or on an interface. In the rate limitation duration, if the number of received ARP packets exceeds the limit, the device discards the remaining ARP packets.
If the parameter block-timer is specified, the device discards all ARP packets received in the duration specified by timer.
Prerequisites
Rate limitation on ARP packets has been enabled globally, in a VLAN, or on an interface using the arp anti-attack rate-limit enable command.
Precautions
If the maximum rate and rate limitation duration are configured in the system view, VLAN view, and interface view, the device should set the configurations in the interface view, VLAN view, and system view in order.
If the maximum rate and rate limitation duration are set globally or on an interface at the same time, the configurations on an interface and globally take effect in descending order of priority.
NOTE:
The arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU for processing in none-block mode, and does not affect ARP packet forwarding by the chip. In block mode, only when the number of ARP packets sent to the CPU exceeds the limit, the device discards subsequent ARP packets on the interface.
Example
# Configure GE0/0/1 to allow 200 ARP packet to pass through in 10 seconds, and configure GE0/0/1 to discard all ARP packets in 60 seconds when the number of ARP packets exceeds the limit.
<HUAWEI> system-view [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable [HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60
We introduced some important parts of the ARP security command in this article, if need more detailed information, please contact us at sales@thunder-link.com.