R3102-R3103-HP 6600/HSR6600 Routers Security Configuration Guide
Configuration procedure
# Enable ARP source suppression and set the threshold to 100.
<Device> system-view
[Device] arp source-suppression enable
[Device] arp source-suppression limit 100
# Enable ARP black hole routing.
<Device> system-view
[Device] arp resolving-route enable
Configuring ARP packet rate limit
The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU.
For example, if an attacker sends a large number of ARP packets to a device that has ARP detection
enabled, the CPU of the device becomes overloaded because all ARP packets are redirected to the CPU
for inspection. As a result, the device is unable to provide other functions or can crash. To solve
this problem, configure ARP packet rate limit.
Configure this feature when ARP detection or ARP snooping is enabled, or when ARP flood attacks are
detected.
To configure ARP packet rate limit:
Step                                  Command                                                       Remarks
1. Enter system view.                 system-view                                                   N/A
2. Configure ARP packet rate limit.   arp rate-limit { disable | rate pps drop } slot slot-number   Enabled by default.
                                                                                                    The value range for ARP packet rate is 5 to 8192 pps.
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet
header is different from the sender MAC address in the message body, so that the gateway can learn
correct ARP entries.
To enable ARP packet source MAC address consistency check:
Step                                                          Command                              Remarks
1. Enter system view.                                         system-view                          N/A
2. Enable ARP packet source MAC address consistency check.    arp anti-attack valid-check enable   Disabled by default.
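
The comparison this feature performs can be reproduced offline to audit captured frames. The following is an added example, not code from the guide or from the device: it parses a raw Ethernet frame and compares the Ethernet source MAC with the ARP sender MAC. The function names, the 'malformed' and 'not-arp' results, the single 802.1Q tag handling, and the sample frames are assumptions of the example.

```python
import socket
import struct

ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0806, 0x8100

def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_arp_request(eth_src, sender_mac, sender_ip, target_ip, vlan=None):
    """Build a constructed ARP request frame (sample input, not captured traffic)."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    eth = b"\xff" * 6 + mac(eth_src) + tag + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)        # Ethernet/IPv4, request
    arp += mac(sender_mac) + socket.inet_aton(sender_ip)   # sender MAC / IP
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)       # target MAC / IP
    return eth + arp

def check_arp_frame(frame: bytes) -> str:
    """Classify one raw Ethernet frame: 'pass', 'drop', 'malformed' or 'not-arp'."""
    if len(frame) < 14:
        return "malformed"
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_VLAN:                        # skip one 802.1Q tag
        if len(frame) < 18:
            return "malformed"
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETHERTYPE_ARP:
        return "not-arp"
    arp = frame[offset:]
    if len(arp) < 28:                                      # truncated ARP body
        return "malformed"
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):    # assumption: Ethernet/IPv4 only
        return "malformed"
    sender_mac = arp[8:14]
    # The check itself: Ethernet source MAC must equal the ARP sender MAC.
    return "pass" if sender_mac == eth_src else "drop"

# Constructed sample frames (documentation IP range, locally administered MACs).
A, B = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLES = {
    "consistent": build_arp_request(A, A, "192.0.2.10", "192.0.2.1"),
    "mismatch": build_arp_request(B, A, "192.0.2.10", "192.0.2.1"),
    "tagged-mismatch": build_arp_request(B, A, "192.0.2.10", "192.0.2.1", vlan=10),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:16} -> {check_arp_frame(frame)}")
```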










