3Com Switch 8800 Advanced Software V5 Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve 9400sl 4-Port 10-GbE Module

191

192

193

194

195

196

197

198

199

200

198 CHAPTER 20: ARP CONFIGURATION

A device can implement the following functions by sending gratuitous ARP

packets:

■ Determining whether its IP address is already used by another device.

■ Informing other devices of its MAC address change so that they can update

their ARP entries.

A device receiving a gratuitous ARP packet can add the information carried in the

packet to its own dynamic ARP entry table if it finds no corresponding ARP entry

for the ARP packet in the cache.

Configuring Gratuitous

ARP

Follow these steps to configure gratuitous ARP:

Configuring ARP

Source Suppression

Introduction to ARP

Source Suppression

If hosts on a network attack the device by sending large amounts of IP packets

whose IP addresses cannot be resolved, the following consequences will be

resulted in:

■ The device sends large amounts of ARP request messages to the destination

subnet, which increases the load of the destination subnet.

■ The device continuously resolves destination IP addresses, which increase the

load of the CPU.

To protect a device against this kind of attack, Switch 8800s provide for the ARP

source suppression function. With the function enabled, whenever the number of

packets with unresolvable IP addresses that a host sends to the device within five

seconds exceeds the specified threshold, the device drops all subsequent packets

with the same source IP address in another five coming seconds. This helps in

protecting the device against the attack.

Configuring ARP Source

Suppression

To do... Use the command... Remarks

Enter system view system-view -

Enable the device to send

gratuitous ARP packets

gratuitous-arp-sending

enable

Optional

Disabled by default

Enable the gratuitous ARP

packet learning function

gratuitous-arp-learning

enable

Required

Disabled by default

To Do... Use the command... Remarks

Enter system view system-view -

Enable ARP source

suppression

arp source-suppression

enable

Required

Disabled by default

Set the maximum number of

packets with the same source

IP address but unresolvable

destination IP addresses that

the device can receive in five

seconds

arp source-suppression

limit limit-value

Optional

10 by default