R2511-HP MSR Router Series Security Configuration Guide(V5)

The device keeps trying to resolve target IP addresses, overloading its CPU.
To protect the device from attack packets that have the same source address, you can configure ARP
source suppression. You can set the maximum number of unresolvable IP packets that the device can
process within 5 seconds. If the threshold is reached, the device stops resolving packets from the host until
the 5 seconds elapse.
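
The following Python model is an added example, not code from this guide or from the device software. It replays a constructed packet list against the per-source counter described above, assuming a fixed 5-second window that starts with a source's first unresolvable packet and that packets up to the limit are still resolved; all names and sample addresses are hypothetical.

```python
from dataclasses import dataclass, field

WINDOW_MS = 5000     # the fixed 5-second interval stated in the guide, in milliseconds
DEFAULT_LIMIT = 10   # default value of "arp source-suppression limit"


@dataclass
class SourceSuppressor:
    """Illustrative model of the per-source threshold (assumed semantics)."""
    limit: int = DEFAULT_LIMIT
    # source IP -> (window start in ms, unresolvable packets counted in that window)
    _state: dict = field(default_factory=dict)

    def should_resolve(self, src_ip: str, now_ms: int) -> bool:
        """True if an unresolvable packet from src_ip at now_ms would still trigger resolution."""
        start, count = self._state.get(src_ip, (now_ms, 0))
        if now_ms - start >= WINDOW_MS:
            # The 5 seconds have elapsed: open a new window for this source.
            start, count = now_ms, 0
        if count >= self.limit:
            # Threshold reached: suppressed until the current window ends.
            return False
        self._state[src_ip] = (start, count + 1)
        return True


def replay(packets, limit=DEFAULT_LIMIT):
    """Replay (timestamp_ms, src_ip) pairs; return {src_ip: [resolved, suppressed]}."""
    suppressor = SourceSuppressor(limit=limit)
    totals = {}
    for ts, src in sorted(packets):
        slot = totals.setdefault(src, [0, 0])
        slot[0 if suppressor.should_resolve(src, ts) else 1] += 1
    return totals


# Constructed sample: one host sends an unresolvable packet every 25 ms for 6 s,
# another host sends three. Addresses are from a documentation range.
SAMPLE = [(i * 25, "192.0.2.50") for i in range(240)]
SAMPLE += [(500, "192.0.2.7"), (2000, "192.0.2.7"), (5500, "192.0.2.7")]

if __name__ == "__main__":
    for limit in (DEFAULT_LIMIT, 100):
        print(f"limit={limit}: {replay(SAMPLE, limit=limit)}")
```

Running it with both limits shows how the limit value changes the number of resolution attempts a single noisy source can cause, while a host that stays under the threshold is never suppressed.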
Configuring ARP source suppression
Step                                        Command                                    Remarks
1. Enter system view.                       system-view                                N/A
2. Enable ARP source suppression.           arp source-suppression enable              Disabled by default.
3. Set the maximum number of unresolvable   arp source-suppression limit limit-value   Optional.
   packets that the device can receive                                                 10 by default.
   from a device in 5 seconds.
Displaying and maintaining ARP source suppression
Task                             Command                                       Remarks
Display ARP source suppression   display arp source-suppression [ | { begin    Available in any view.
configuration information.       | exclude | include } regular-expression ]
Configuration example
Network requirements
As shown in Figure 134, a LAN contains two areas: an R&D area in VLAN 10 and an office area in
VLAN 20. Each area connects to the gateway (Device) through its own access switch.
A large number of ARP requests are detected in the office area and are considered to be the consequence of
an IP flood attack. To prevent such attacks, configure ARP source suppression.