Configuring ARP packet rate limit
Introduction
The ARP packet rate limit feature lets you limit the rate at which ARP packets are delivered to the CPU of a switch. Features such as ARP detection redirect every ARP packet to the CPU for checking, so if an attacker floods an ARP detection-enabled device with ARP packets, the CPU becomes overloaded, the device fails to perform its other functions properly, and it may even crash. In other words, without a rate limit the checking feature itself becomes a denial-of-service vector. Configuring ARP packet rate limit solves this problem.
Enable this feature after ARP detection, ARP snooping, or MFF is configured, or use it on its own to mitigate ARP flood attacks.
Configuration procedure
When the ARP packet rate on an interface exceeds the rate limit set on that interface, a device with ARP packet rate limit enabled sends trap and log messages to report the event. To avoid generating too many trap and log messages under a sustained flood, you can set the interval at which such messages are sent. Within each interval, the device reports the peak ARP packet rate observed during that interval in the trap and log messages, so a single message per interval still tells you how severe the burst was.
Note that trap and log messages are generated only after the trap function of ARP packet rate limit is enabled (it is enabled by default). Trap and log messages are sent to the information center of the device. You can set the parameters of the information center to determine the output rules for trap and log messages. The output rules specify whether the messages are allowed to be output and where they are sent. For the parameter configuration of the information center, see Network Management and Monitoring Configuration Guide.
If you enable ARP packet rate limit on a Layer 2 aggregate interface, the rate is monitored per member port: trap and log messages are sent whenever the ARP packet rate of any member port exceeds the configured threshold rate.
To configure ARP packet rate limit:
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable ARP packet rate limit trap.
Command: snmp-agent trap enable arp rate-limit
Remarks: Optional. Enabled by default. For more information, see the snmp-agent trap enable arp command in Network Management and Monitoring Command Reference.

Step 3. Set the interval for sending trap and log messages when the ARP packet rate exceeds the specified threshold rate.
Command: arp rate-limit information interval seconds
Remarks: Optional. 60 seconds by default.

Step 4. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
Command: interface interface-type interface-number
Remarks: N/A
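The following session is an added example and is not part of the configuration guide. It walks the procedure above on one access port and adds the two pieces a practitioner usually needs for the traps and logs to be useful: an SNMP trap target host and a syslog host for the information center. The interface name, the 30-second interval, the 50 pps threshold, and the management station address 192.0.2.10 are placeholders. The interface-level `arp rate-limit rate pps drop` command is assumed from the Comware 5 syntax and does not appear on this page, and the `snmp-agent target-host` line assumes an SNMP agent and community are already configured; verify both against your platform's command reference.

```text
# Added example, not from the guide. Placeholders: GigabitEthernet1/0/1, 30 s, 50 pps, 192.0.2.10.
<Sysname> system-view
# Step 2: the trap is on by default; stating it keeps the intent explicit in the saved config.
[Sysname] snmp-agent trap enable arp rate-limit
# Give the trap somewhere to go (assumes snmp-agent community/sys-info are already set).
[Sysname] snmp-agent target-host trap address udp-domain 192.0.2.10 params securityname public
# Send the matching log messages from the information center to a syslog host.
[Sysname] info-center loghost 192.0.2.10
# Step 3: at most one report every 30 seconds; each report carries that interval's peak ARP rate.
[Sysname] arp rate-limit information interval 30
# Step 4: enter the untrusted-facing access port.
[Sysname] interface gigabitethernet 1/0/1
# Assumed Comware 5 interface command (not shown on this page): drop ARP above 50 pps on this port.
[Sysname-GigabitEthernet1/0/1] arp rate-limit rate 50 drop
[Sysname-GigabitEthernet1/0/1] quit
```

Pick the threshold from the port's legitimate ARP rate (a single host rarely needs more than a few ARP packets per second), and apply the limit on access ports rather than on uplinks, where aggregated legitimate traffic can exceed a host-sized threshold. On a Layer 2 aggregate interface the same command is monitored per member port, so a single flooding member triggers the report.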