R3303-HP HSR6800 Routers Security Configuration Guide

<Device> system-view
[Device] arp source-suppression enable
[Device] arp source-suppression limit 100
# Enable ARP blackhole routing.
<Device> system-view
[Device] arp resolving-route enable
Configuring ARP packet rate limit
The ARP packet rate limit feature limits the rate at which ARP packets are delivered to the CPU.
For example, if an attacker sends a large number of ARP packets to a device with ARP detection enabled, the
CPU of the device becomes overloaded because every ARP packet is redirected to the CPU for inspection.
As a result, the device can no longer provide its other functions, or it crashes. To solve this problem, configure
ARP packet rate limit.
Configure this feature when ARP detection or ARP snooping is enabled, or when ARP flood attacks are
detected.
To configure ARP packet rate limit:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Configure ARP packet rate limit.
    Command (standalone mode): arp rate-limit { disable | rate pps drop } slot slot-number
    Command (IRF mode): arp rate-limit { disable | rate pps drop } chassis chassis-number slot slot-number
    Remarks: Enabled by default. The default ARP packet rate is 1024 pps.
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet
header differs from the sender MAC address in the ARP message body, so that the gateway learns only
correct ARP entries.
To enable ARP packet source MAC address consistency check:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enable ARP packet source MAC address consistency check.
    Command: arp anti-attack valid-check enable
    Remarks: Disabled by default.
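The following Python model is an added example, not code from the HP guide or the HSR6800 firmware. It shows the two behaviours configured above on constructed ARP frames: a per-second packet budget standing in for arp rate-limit (1024 pps default), and the Ethernet-source versus ARP-sender MAC comparison performed by arp anti-attack valid-check enable. The frame builder, the sliding-window limiter and the filter_frames helper are this example's own constructions.

```python
import struct
from collections import deque

ETH_TYPE_ARP = 0x0806

def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip):
    """Build a broadcast ARP request (constructed test input, 42 bytes)."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + sender_ip
           + b"\x00" * 6 + target_ip)
    return b"\xff" * 6 + eth_src + struct.pack("!H", ETH_TYPE_ARP) + arp

def source_mac_consistent(frame):
    """Model of 'arp anti-attack valid-check enable': the Ethernet source MAC
    (bytes 6-12) must equal the ARP sender hardware address (bytes 22-28)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return False  # not a complete ARP frame; nothing valid to learn from
    return frame[6:12] == frame[22:28]

class ArpRateLimiter:
    """One-second sliding window modelling 'arp rate-limit rate <pps> drop'."""
    def __init__(self, pps=1024):  # 1024 pps is the guide's default
        self.pps = pps
        self.window = deque()      # arrival times admitted in the last second

    def admit(self, now):
        while self.window and now - self.window[0] >= 1.0:
            self.window.popleft()  # expire arrivals older than one second
        if len(self.window) >= self.pps:
            return False           # over budget: drop instead of sending to CPU
        self.window.append(now)
        return True

def filter_frames(timed_frames, limiter):
    """Rate limit first (CPU delivery), then the consistency check.
    Returns (delivered, dropped_inconsistent, dropped_rate)."""
    delivered = dropped_inconsistent = dropped_rate = 0
    for ts, frame in timed_frames:
        if not limiter.admit(ts):
            dropped_rate += 1
        elif not source_mac_consistent(frame):
            dropped_inconsistent += 1
        else:
            delivered += 1
    return delivered, dropped_inconsistent, dropped_rate

if __name__ == "__main__":
    mac_a, mac_b = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
    ip1, ip2 = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 254])
    good = build_arp_frame(mac_a, mac_a, ip1, ip2)   # header and body MACs agree
    spoof = build_arp_frame(mac_a, mac_b, ip1, ip2)  # header/body MAC mismatch
    burst = [(0.0, good), (0.1, spoof), (0.2, good), (0.3, good), (0.4, good)]
    print(filter_frames(burst, ArpRateLimiter(pps=2)))  # (1, 1, 3)
```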