H3C S7500E Series Ethernet Switches Operation Manual
Operation Manual – ARP
H3C S7500E Series Ethernet Switches Chapter 1 ARP Configuration
- The device sends large amounts of ARP request messages to the destination subnet, which increases the load of the destination subnet.
- The device continuously resolves destination IP addresses, which increases the load of the CPU.
To protect the device against this kind of attack, you can enable the ARP source suppression function. With the function enabled, whenever the number of packets with unresolvable destination IP addresses that a host on the network sends to the device within five seconds exceeds the specified threshold, the device drops all subsequent packets with the same source IP address for the following five seconds. This helps protect the device against the attack.
1.4.2 Configuring ARP Source Suppression
Follow these steps to configure ARP source suppression:
To do…                                        Use the command…                           Remarks
Enter system view                             system-view                                —
Enable ARP source suppression                 arp source-suppression enable              Required. Disabled by default.
Set the maximum number of packets with the    arp source-suppression limit limit-value   Optional. 10 by default.
same source IP address but unresolvable
destination IP addresses that the device
can receive in five seconds
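The suppression rule described in section 1.4 (count the unresolvable packets per source IP address over a five-second window, and once the count exceeds the limit drop everything from that source for the next five seconds) is modelled below in Python as an added illustration. This is not H3C's code and says nothing about how the switch implements the counter internally; the class and function names, the assumption that the packet which crosses the threshold is itself dropped, and the sample traffic are all constructed here.

```python
"""Model of ARP source suppression: per-source counting over a 5-second
window, then a 5-second drop period once the configured limit is exceeded.
Constructed example; not the switch's own implementation."""
from collections import defaultdict

WINDOW_SECONDS = 5
DEFAULT_LIMIT = 10  # default of `arp source-suppression limit` in the manual


class ArpSourceSuppressor:
    """Tracks, per source IP, how many unresolvable packets arrived in the
    current 5-second window and until when that source is being suppressed."""

    def __init__(self, limit=DEFAULT_LIMIT, enabled=True):
        self.limit = limit
        self.enabled = enabled
        self._window_start = {}          # src_ip -> start time of counting window
        self._count = defaultdict(int)   # src_ip -> unresolvable packets in window
        self._suppressed_until = {}      # src_ip -> time at which dropping ends

    def handle(self, src_ip, now, resolvable):
        """Return the verdict for one packet seen at time `now`:
        'forward'  - next hop resolved, hardware forwards it (no CPU cost)
        'resolve'  - unresolvable, handed to software for ARP resolution
        'drop'     - unresolvable and the source is currently suppressed
        Assumption: the packet that pushes the count past the limit is dropped."""
        if resolvable:
            return "forward"
        if not self.enabled:
            return "resolve"

        until = self._suppressed_until.get(src_ip)
        if until is not None:
            if now < until:
                return "drop"
            # Suppression period over: start counting afresh for this source.
            del self._suppressed_until[src_ip]
            self._count[src_ip] = 0
            self._window_start.pop(src_ip, None)

        start = self._window_start.get(src_ip)
        if start is None or now - start >= WINDOW_SECONDS:
            self._window_start[src_ip] = now   # open a new 5-second window
            self._count[src_ip] = 0
        self._count[src_ip] += 1

        if self._count[src_ip] > self.limit:
            self._suppressed_until[src_ip] = now + WINDOW_SECONDS
            return "drop"
        return "resolve"


def simulate(events, limit=DEFAULT_LIMIT):
    """Run (time, src_ip, resolvable) events through the model and return
    per-source counts of each verdict."""
    suppressor = ArpSourceSuppressor(limit)
    stats = defaultdict(lambda: {"forward": 0, "resolve": 0, "drop": 0})
    for t, ip, ok in sorted(events):
        stats[ip][suppressor.handle(ip, t, ok)] += 1
    return dict(stats)


# Constructed sample traffic (not captured from any device):
# 10.0.0.99 sends 30 unresolvable packets in 3 s, 5 more at t=7.0..7.8 once
# its suppression has lapsed, and one more at t=12.5 in a fresh window.
# 10.0.0.5 sends ordinary resolvable traffic plus two unresolvable packets.
SAMPLE_EVENTS = (
    [(0.1 * i, "10.0.0.99", False) for i in range(30)]
    + [(7.0 + 0.2 * i, "10.0.0.99", False) for i in range(5)]
    + [(12.5, "10.0.0.99", False)]
    + [(0.5 * i, "10.0.0.5", True) for i in range(10)]
    + [(1.0, "10.0.0.5", False), (2.0, "10.0.0.5", False)]
)

if __name__ == "__main__":
    for ip, verdicts in simulate(SAMPLE_EVENTS).items():
        print(ip, verdicts)
```

With the default limit of 10, the flooding host gets its first ten unresolvable packets resolved by software, the eleventh packet (at t=1.0) triggers suppression, and the remaining 19 packets of the burst are dropped until t=6.0; the quiet host is never affected because only unresolvable packets are counted and counting is per source address. Raising `limit-value` trades CPU protection for tolerance of hosts that legitimately probe many unknown addresses.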
1.5 Configuring ARP Defense Against IP Packet Attack
1.5.1 Introduction to ARP Defense Against IP Packet Attack
In forwarding an IPv4 packet, a device depends on ARP to resolve the MAC address of the next hop. If the address resolution succeeds, the forwarding chip forwards the packet directly. Otherwise, the packet is handed to software for further processing. When large numbers of IP packets whose next-hop IP addresses ARP cannot resolve arrive at a device, the software on the device is invoked again and again and the CPU of the device is overburdened. This is called an IP packet attack.
To protect a device against an IP packet attack, you can configure the ARP defense against IP packet attack function. After receiving an IP packet whose next-hop IP address is unreachable (that is, an IP packet for which ARP cannot resolve the MAC address of the next hop), a device with this function immediately creates a black hole route, and the forwarding chip simply drops all subsequent packets to that address. Note that a black hole route
can get aged, in which case a subsequent IP packet with the same next hop triggers the