3Com Switch 8800 Advanced Software V5 Configuration Guide
Configuring ARP Defense against IP Packet Attack 199
Configuring ARP Defense against IP Packet Attack
Introduction to ARP Defense against IP Packet Attack
In forwarding an IPv4 packet, a device depends on ARP to resolve the MAC address of the next hop. If the address resolution is successful, the forwarding chip forwards the packet directly. Otherwise, the device runs software for further processing. When large numbers of IP packets whose next-hop IP addresses ARP cannot resolve arrive at a device, the software on the device is invoked again and again and the CPU of the device becomes overburdened. This is called an IP packet attack.
To protect a device against IP packet attacks, you can configure the ARP defense against IP packet attack function. After receiving an IP packet whose next hop is unreachable (an IP packet for which ARP cannot resolve the MAC address of the next hop), a device with this function immediately creates a black hole route, and the forwarding chip simply drops all subsequent packets to that address. Note that a black hole route ages out, after which a subsequent IP packet with the same next hop triggers the above process again. This protects the device against IP packet attacks efficiently and reduces the load on the CPU.
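The mechanism described above, modelled as an added Python simulation (it is not part of the 3Com guide or of the switch software): the ARP table, the unreachable next hop 10.0.0.99 and the black hole lifetime of 3 ticks are constructed assumptions. It counts how often the CPU path is invoked with and without the defense, including the re-trigger after the black hole route ages out.

```python
from dataclasses import dataclass, field

# Constructed ARP table: the only next hop this device can resolve to a MAC address.
ARP_TABLE = {"10.0.0.2": "00:11:22:33:44:55"}


@dataclass
class Forwarder:
    """Hypothetical model of the forwarding path the guide describes."""
    defense_enabled: bool
    blackhole_age: int = 3          # black hole route lifetime in ticks (assumed value)
    now: int = 0
    blackholes: dict = field(default_factory=dict)  # next hop -> expiry tick
    software_hits: int = 0          # packets that had to be handled by the CPU
    chip_forwarded: int = 0
    chip_dropped: int = 0

    def tick(self, n: int = 1) -> None:
        """Advance time; black hole routes whose lifetime has passed are aged out."""
        self.now += n
        self.blackholes = {nh: exp for nh, exp in self.blackholes.items() if exp > self.now}

    def forward(self, next_hop: str) -> str:
        # Resolved next hop: the forwarding chip forwards directly, no CPU involved.
        if next_hop in ARP_TABLE:
            self.chip_forwarded += 1
            return "forwarded"
        # Black hole route present: the chip drops the packet, again without CPU work.
        if next_hop in self.blackholes:
            self.chip_dropped += 1
            return "dropped-by-chip"
        # Unresolvable and no black hole yet: software on the CPU processes the packet.
        self.software_hits += 1
        if self.defense_enabled:
            self.blackholes[next_hop] = self.now + self.blackhole_age
        return "software"


def simulate(defense_enabled: bool, burst: int = 100) -> dict:
    """A burst to one unreachable next hop, then one packet after the black hole ages."""
    fw = Forwarder(defense_enabled)
    for _ in range(burst):
        fw.forward("10.0.0.99")   # constructed next hop that ARP cannot resolve
    fw.forward("10.0.0.2")        # reachable traffic is unaffected either way
    fw.tick(fw.blackhole_age)     # the black hole route ages out
    fw.forward("10.0.0.99")       # same next hop triggers the process again
    return {"software": fw.software_hits, "chip_forwarded": fw.chip_forwarded,
            "chip_dropped": fw.chip_dropped}
```

With the defense enabled only two packets reach the CPU (the first of the burst and the one after aging); with it disabled every unresolvable packet does.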
Enabling ARP Defense against IP Packet Attack
The ARP defense against IP packet attack function works for forwarded packets and those originated by the device.
Follow these steps to configure ARP defense against IP packet attack:

To do... | Use the command... | Remarks
Enter system view | system-view | -
Enable ARP defense against IP packet attack | arp resolving-route enable | Optional. Enabled by default.

Displaying and Maintaining ARP

To do... | Use the command... | Remarks
Display the ARP entries in the ARP mapping table | display arp { { all | dynamic | static } [ slot slot-id ] | vlan vlan-id | interface interface-type interface-number } [ [ verbose ] [ | { begin | exclude | include } text ] | count ] | Available in any view
Display the ARP entries for a specified IP address | display arp ip-address [ slot slot-id ] [ verbose ] [ | { begin | exclude | include } text ] | Available in any view
Display the ARP entries for a specified VPN instance | display arp vpn-instance vpn-instance-name [ | { begin | exclude | include } text | count ] | Available in any view
Display the aging time for dynamic ARP entries | display arp timer aging | Available in any view