
ARP Security Configuration Commands_part 2

In ARP Security Configuration Commands_part 1 we mainly introduced arp-limit. In this article we introduce arp anti-attack rate-limit enable and arp anti-attack rate-limit.

arp anti-attack rate-limit enable

 

Function

The arp anti-attack rate-limit enable command enables rate limitation on ARP packets.

The undo arp anti-attack rate-limit enable command disables rate limitation on ARP packets.

By default, rate limitation on ARP packets is disabled.

Product Support
S2750 Not Supported
S5700 Supported (excluding S5700LI and S5700S-LI)
S6700 Supported


 

Format

arp anti-attack rate-limit enable

undo arp anti-attack rate-limit enable

Views

System view, VLAN view, 40GE interface view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

 

Usage Guidelines

While processing a large number of ARP packets, the device may not have enough CPU left for other services. To protect the device's CPU resources, limit the rate of ARP packets.

Run the arp anti-attack rate-limit enable command to enable rate limitation on ARP packets. When the rate of ARP packets exceeds the limit, the excess ARP packets are discarded. To set the rate limit and the rate limit duration for ARP packets, run the arp anti-attack rate-limit command.

Example

# Enable rate limit on ARP packets globally.

<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable


 

arp anti-attack rate-limit

Function

The arp anti-attack rate-limit command sets the maximum rate and rate limitation duration of ARP packets globally, in a VLAN, or on an interface. On an interface it can additionally enable the discarding of all ARP packets received on that interface, for a configured period, once the rate of ARP packets exceeds the limit.

The undo arp anti-attack rate-limit command restores the default maximum rate and rate limitation duration of ARP packets globally, in a VLAN, or on an interface, and allows the device to send ARP packets to the CPU again.

By default, a maximum of 100 ARP packets are allowed to pass in 1 second, and the function of discarding all ARP packets received on the interface when the rate of ARP packets exceeds the limit is disabled.

Product Support
S2750 Not Supported
S5700 Supported (excluding S5700LI and S5700S-LI)
S6700 Supported


 

Format

System view, VLAN view

arp anti-attack rate-limit packet packet-number [ interval interval-value ]

undo arp anti-attack rate-limit

Interface view

arp anti-attack rate-limit packet packet-number [ interval interval-value | block-timer timer ]*

undo arp anti-attack rate-limit

 

Parameters

packet packet-number: Specifies the maximum rate of ARP packets, that is, the number of ARP packets allowed to pass through in one rate limit duration. The value is an integer that ranges from 1 to 16384. The default value is 100.

interval interval-value: Specifies the rate limit duration of ARP packets. The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.

block-timer timer: Specifies the duration for blocking ARP packets on the interface (interface view only). The value is an integer that ranges from 5 to 864000, in seconds.

Views

System view, VLAN view, 40GE interface view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

 

Usage Guidelines

Usage Scenario

After rate limitation on ARP packets is enabled, run the arp anti-attack rate-limit command to set the maximum rate and rate limitation duration of ARP packets globally, in a VLAN, or on an interface. If the number of ARP packets received within one rate limitation duration exceeds the limit, the device discards the remaining ARP packets in that duration.

If the parameter block-timer is specified, once the limit is exceeded the device discards all ARP packets received on the interface for the duration specified by timer.

Prerequisites

Rate limitation on ARP packets has been enabled globally, in a VLAN, or on an interface using the arp anti-attack rate-limit enable command.

 

Precautions

If the maximum rate and rate limitation duration are configured in the system view, VLAN view, and interface view at the same time, the configurations take effect in the following order of priority: interface view first, then VLAN view, then system view.

If the maximum rate and rate limitation duration are set both globally and on an interface, the configuration on the interface has the higher priority and takes effect.

NOTE: 

The arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU for processing. In non-block mode it does not affect ARP packets forwarded by the switching chip. In block mode, the device discards subsequent ARP packets on the interface only after the number of ARP packets sent to the CPU exceeds the limit.
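To make the behaviour described in the usage scenario and precautions concrete (per-interval counting, the difference between dropping only the excess and blocking everything for block-timer seconds, and the interface > VLAN > system precedence), the following Python model is an added example. It is not Huawei code and not the switch's actual algorithm: the fixed-window counting, the assumption that the first excess packet starts the block timer, and the names RateLimit, effective_limit, ArpRateLimiter and simulate are all assumptions made for the illustration. The traffic it runs through the limiter is constructed inline.

```python
"""Model of 'arp anti-attack rate-limit' behaviour (added example, not Huawei code).

Assumptions (not stated by the page): a fixed window of `interval` seconds,
the first excess packet starts the block timer, and interface settings take
precedence over VLAN settings, which take precedence over the system setting.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class RateLimit:
    """One rate-limit setting; defaults are the page's (100 packets per 1 second)."""
    packet: int = 100
    interval: int = 1
    block_timer: Optional[int] = None   # only configurable in interface view


def effective_limit(system: Optional[RateLimit] = None,
                    vlan: Optional[RateLimit] = None,
                    interface: Optional[RateLimit] = None) -> RateLimit:
    """Pick the setting that applies: interface, then VLAN, then system
    (assumed reading of the precedence note), else the page's defaults."""
    for cfg in (interface, vlan, system):
        if cfg is not None:
            return cfg
    return RateLimit()


class ArpRateLimiter:
    """Fixed-window counter with an optional block timer (hypothetical model)."""

    def __init__(self, limit: RateLimit) -> None:
        self.limit = limit
        self.window = -1                     # index of the current counting window
        self.count = 0                       # ARP packets counted in that window
        self.blocked_until: Optional[float] = None

    def offer(self, t: float) -> str:
        """Classify one ARP packet arriving at time t (seconds).
        Returns 'pass', 'drop' (excess, non-block mode) or 'blocked' (block mode)."""
        if self.blocked_until is not None:
            if t < self.blocked_until:
                return "blocked"
            self.blocked_until = None        # block timer expired: count again
        window = int(t // self.limit.interval)
        if window != self.window:
            self.window, self.count = window, 0
        self.count += 1
        if self.count <= self.limit.packet:
            return "pass"
        if self.limit.block_timer is not None:
            # Block mode: the first excess packet starts the timer and every
            # ARP packet on the interface is discarded until it expires.
            self.blocked_until = t + self.limit.block_timer
            return "blocked"
        return "drop"                        # non-block mode: only the excess is dropped


def simulate(limit: RateLimit, arrivals: Iterable[float]) -> Dict[str, int]:
    """Run a sequence of arrival times through one limiter and tally the verdicts."""
    limiter = ArpRateLimiter(limit)
    tally = {"pass": 0, "drop": 0, "blocked": 0}
    for t in arrivals:
        tally[limiter.offer(t)] += 1
    return tally


def burst(start: float, n: int, gap: float) -> List[float]:
    """Constructed traffic: n ARP packets starting at `start`, `gap` seconds apart."""
    return [start + i * gap for i in range(n)]


if __name__ == "__main__":
    # Default global limit (100 per second): a 150-packet burst loses the last 50,
    # and counting restarts in the next second.
    print(simulate(RateLimit(), burst(0.0, 150, 0.005) + [1.0]))
    # The page's interface example: packet 200 interval 10 block-timer 60.
    iface = RateLimit(packet=200, interval=10, block_timer=60)
    print(simulate(iface, burst(0.0, 250, 0.01) + [30.0, 70.0]))
    print(effective_limit(system=RateLimit(), interface=iface))
```

With the interface example, the 201st packet of the burst starts the 60-second block, so a packet at 30 s is still discarded even though the burst is long over, while a packet at 70 s passes because the timer has expired and a new interval has begun. In non-block mode the same overrun only costs the excess packets of that interval.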

Example

# Configure GE0/0/1 to allow 200 ARP packets to pass through in 10 seconds, and to discard all ARP packets for 60 seconds when the number of ARP packets exceeds the limit.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60

We introduced some important parts of the ARP security commands in this article. If you need more detailed information, please contact us at sales@thunder-link.com.
