R211x-HP Flexfabric 11900 Security Configuration Guide
217
Configuring unresolvable IP attack protection
If a device receives a large number of unresolvable IP packets from a host, the following situations can
occur.
• The device sends a large number of ARP requests, overloading the target subnets.
• The device keeps trying to resolve target IP addresses, overloading its CPU.
To protect the device from such unresolvable IP attacks, you can configure the following features:
• ARP source suppression—Stops resolving packets from a host if the upper limit on unresolvable IP
packets from the host is reached within an interval of 5 seconds. The device continues ARP
resolution when the interval elapses. This feature is applicable if the attack packets have the same
source addresses.
• ARP blackhole routing—Creates a blackhole route destined for an unresolvable IP address. The
device drops all matching packets until the blackhole route ages out. This feature is applicable
regardless of whether the attack packets have the same source addresses.
Configuring ARP source suppression
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enable ARP source suppression.
arp source-suppression
enable
By default, ARP source suppression is
disabled.
3. Set the maximum number of
unresolvable packets that the
device can receive from a host
within 5 seconds.
arp source-suppression
limit limit-value
By default, the maximum number is 10.
Enabling ARP blackhole routing
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enable ARP blackhole routing.
arp resolving-route enable
By default, ARP blackhole routing
is enabled.
Displaying and maintaining unresolvable IP attack protection
Execute display commands in any view.
Task Command
Display ARP source suppression configuration information.
display arp source-suppression