HP MSR2000/3000/4000 Router Series Security Configuration Guide
Configuration example
Network requirements
As shown in Figure 77, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN
20. Each area connects to the gateway (Device) through an access switch.
A large number of ARP requests are detected in the office area and are considered to be the result
of an unresolvable IP attack. To prevent such attacks, configure ARP source suppression and ARP
blackhole routing.
Figure 77 Network diagram
Configuration considerations
If the attack packets have the same source address, configure the ARP source suppression function as
follows:
1. Enable ARP source suppression.
2. Set the threshold to 100. If the number of unresolvable IP packets received from a host within 5
seconds exceeds 100, the device stops resolving packets from the host until the 5 seconds elapse.
If the attack packets have different source addresses, enable the ARP blackhole routing function on the
gateway.
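The following added example (not from the HP guide or the device software) models the threshold rule above in Python, showing why a single-source flood is cut off at 100 packets per 5 seconds while a flood with changing source addresses is not. The per-source window handling, the function names and the 192.0.2.x sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

WINDOW = 5.0  # seconds, the interval stated in the guide
LIMIT = 100   # value set by "arp source-suppression limit 100"

def simulate_source_suppression(events, limit=LIMIT, window=WINDOW):
    """Model of per-source suppression (an assumption, not device code).

    events: time-sorted (timestamp, src_ip) tuples, one per packet whose
    destination IP cannot be resolved. Returns (resolved, suppressed),
    two dicts of per-source packet counts.
    """
    window_start, count = {}, defaultdict(int)
    resolved, suppressed = defaultdict(int), defaultdict(int)
    for ts, src in events:
        # Start a new counting window once the previous 5 seconds elapse.
        if src not in window_start or ts - window_start[src] >= window:
            window_start[src], count[src] = ts, 0
        count[src] += 1
        if count[src] > limit:
            suppressed[src] += 1   # no ARP resolution attempted
        else:
            resolved[src] += 1     # gateway still tries to resolve
    return dict(resolved), dict(suppressed)

def same_source_flood(n=300):
    # Constructed sample: one host sends n packets in under 3 seconds.
    return [(i * 0.01, "192.0.2.10") for i in range(n)]

def varied_source_flood(n=300):
    # Constructed sample: same rate, but the source address keeps changing.
    return [(i * 0.01, f"192.0.2.{i % 250 + 1}") for i in range(n)]

if __name__ == "__main__":
    for name, flood in (("same source", same_source_flood()),
                        ("varied sources", varied_source_flood())):
        resolved, suppressed = simulate_source_suppression(flood)
        print(name, "resolved:", sum(resolved.values()),
              "suppressed:", sum(suppressed.values()))
```

In the varied-source case no single address crosses the threshold, which is the situation the guide addresses with ARP blackhole routing.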
Configuration procedure
# Enable ARP source suppression and set the threshold to 100.
<Device> system-view
[Device] arp source-suppression enable
[Device] arp source-suppression limit 100
# Enable ARP blackhole routing.
[Device] arp resolving-route enable
[Figure 77 labels: IP network; Gateway (Device); R&D area (VLAN 10); Office area (VLAN 20); Host A, Host B, Host C, Host D]
ARP attack protection