arp-miss anti-attack rate-limit

Function

The arp-miss anti-attack rate-limit command sets the maximum rate and rate limiting duration of ARP Miss messages globally, in a VLAN, or on an interface.

The undo arp-miss anti-attack rate-limit command restores the default maximum rate and rate limiting duration of ARP Miss messages globally, in a VLAN, or on an interface.

By default, the device can process a maximum of 100 ARP Miss messages per second.

Only the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.

Format

arp-miss anti-attack rate-limit packet packet-number [ interval interval-value ]

undo arp-miss anti-attack rate-limit

Parameters

| Parameter | Description | Value |
|---|---|---|
| packet packet-number | Specifies the maximum rate of ARP Miss messages, that is, the number of ARP Miss messages the device processes in the rate limiting duration. | The value is an integer that ranges from 1 to 16384. The default value is 100. |
| interval interval-value | Specifies the rate limiting duration of ARP Miss messages. | The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second. |

Views

System view, VLAN view, GE interface view, 40GE interface view, XGE interface view, 25GE interface view, 100GE interface view, MultiGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limiting of ARP Miss messages is enabled, you can set the maximum rate and rate limiting duration of ARP Miss messages globally, in a VLAN, or on an interface. If the number of ARP Miss messages triggered by IP packets in the rate limiting duration exceeds the limit, the device does not process the excess ARP Miss messages and discards the IP packets that trigger them.

Prerequisites

Rate limit on ARP Miss messages has been enabled globally, in a VLAN, or on an interface using the arp-miss anti-attack rate-limit enable command.

Precautions

If the rate limit on ARP Miss messages is configured in the system view, VLAN view, and interface view at the same time, the device applies the configurations in this order of precedence: interface view, VLAN view, system view.
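
The following Python sketch is an added illustration, not Huawei code or part of the original page. It models the precedence rule above and the effect of packet-number and interval-value on a burst of ARP Miss events. The names RateLimit, effective_limit, apply_limit and SAMPLE are hypothetical, None stands for "not configured in that view", and the fixed-window counting is an assumption because the page does not describe the device's internal algorithm.

```python
# Added illustration: models the documented ranges, defaults and precedence.
# Not device code; the fixed-window counting below is an assumption.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class RateLimit:
    packet: int = 100   # documented default: 100 messages
    interval: int = 1   # documented default: 1 second

    def __post_init__(self):
        # Value ranges taken from the Parameters table.
        if not 1 <= self.packet <= 16384:
            raise ValueError("packet-number must be 1..16384")
        if not 1 <= self.interval <= 86400:
            raise ValueError("interval-value must be 1..86400")


def effective_limit(interface: Optional[RateLimit], vlan: Optional[RateLimit],
                    system: Optional[RateLimit]) -> Tuple[str, RateLimit]:
    """Pick the limit that applies: interface view, then VLAN, then system."""
    for scope, limit in (("interface", interface), ("vlan", vlan),
                         ("system", system)):
        if limit is not None:
            return scope, limit
    return "default", RateLimit()


def apply_limit(timestamps: Sequence[float],
                limit: RateLimit) -> Tuple[int, int]:
    """Return (processed, discarded) for ARP Miss event times in seconds.

    Assumption: consecutive fixed windows of `interval` seconds from t=0.
    """
    per_window = {}
    processed = discarded = 0
    for t in timestamps:
        window = int(t // limit.interval)
        per_window[window] = per_window.get(window, 0) + 1
        if per_window[window] <= limit.packet:
            processed += 1
        else:
            discarded += 1
    return processed, discarded


# Constructed sample: 30 ARP Miss events per second for 20 seconds.
SAMPLE = [s + i / 30 for s in range(20) for i in range(30)]
```

On the constructed sample, the setting used in the page's example (200 messages in 10 seconds) discards 200 of the 600 events, while the default of 100 per second would process all of them. A longer interval is therefore not automatically a looser limit; compare the average rates before changing it.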

Example

# Configure the device to process a maximum of 200 ARP Miss messages triggered by IP packets from Layer 2 interface GE0/0/1 in 10 seconds.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit packet 200 interval 10

# Configure the device to process a maximum of 200 ARP Miss messages triggered by IP packets from Layer 3 interface GE0/0/1 in 10 seconds.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit packet 200 interval 10
Copyright © Huawei Technologies Co., Ltd.