
arp-miss speed-limit source-ip

Function

The arp-miss speed-limit source-ip command sets the maximum number of ARP Miss messages based on source IP addresses and specifies the mode for processing ARP Miss packets.

The undo arp-miss speed-limit source-ip command restores the default setting.

By default, the device processes a maximum of 30 ARP Miss messages triggered by IP packets from the same source IP address per second.

If the number of ARP Miss messages triggered by IP packets from the same source IP address per second exceeds the limit, the device discards the excess ARP Miss messages, that is, the excess ARP Miss packets. By default the device then applies the block mode and discards all ARP Miss packets from that source IP address for 5 minutes.

Only the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.

Format

arp-miss speed-limit source-ip ip-address [ mask mask ] maximum maximum [ none-block | block timer timer ]

arp-miss speed-limit source-ip maximum maximum

undo arp-miss speed-limit source-ip [ ip-address [ mask mask ] ]

Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support [ none-block | block timer timer ].

Parameters

ip-address
  Description: Specifies the source IP address. If this parameter is specified, the maximum number of ARP Miss messages triggered by packets from this IP address is limited. If this parameter is not specified, the maximum number of ARP Miss messages triggered by packets from each IP address is limited.
  Value: The value is in dotted decimal notation.

mask mask
  Description: Specifies the mask of the IP address. If this parameter is specified, the maximum number of ARP Miss messages triggered by packets from IP addresses in the network segment is limited.
  Value: The value is an integer that ranges from 1 to 32.

maximum maximum
  Description: Specifies the maximum number of ARP Miss messages based on the source IP address.
  NOTE: If the maximum number of ARP Miss messages triggered by packets from each IP address is limited, a large value is recommended for this parameter, because a small value may cause valid packets to be discarded. However, an excessively large value degrades system performance. If a specific IP address initiates attacks, you can set the maximum number of ARP Miss messages triggered by packets from that IP address to a small value.
  Value: The integer form, in pps, is as follows:
    • S2720-EI, S5720-LI, S5720S-LI: 0 to 2048
    • S5720I-SI, S5720-SI, S5720S-SI, S5735-L, S5735S-L, S5735S-L-M: 0 to 4096
    • S5735-S, S5735S-S, S5735-S-I: 0 to 8000
    • S5720-EI, S5731-S, S5731S-S: 0 to 16384
    • S5720-HI, S5730-HI, S5731-H, S5731S-H: 0 to 61440
    • S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S: 0 to 65536
    • S5730-SI, S5730S-EI, S6720-SI, S6720S-SI: 0 to 20000
    • S6720-LI, S6720S-LI: 0 to 8192
    • S6720-EI, S6720S-EI: 0 to 131072

none-block
  Description: Indicates that ARP Miss packets are processed in none-block mode. If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the CPU of the device discards the excess ARP Miss messages, that is, the CPU discards the excess ARP Miss packets.
  Value: -

block timer timer
  Description: Indicates that ARP Miss packets are processed in block mode. If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the device discards the excess ARP Miss messages and delivers an ACL so that the chip discards all packets sent from this source IP address for the period specified by timer. When that period expires, the ACL ages out; the chip no longer discards ARP Miss packets from the source IP address and sends them to the CPU for processing.
  Value: The value ranges from 5 to 864000, in seconds. The default value is 5 seconds.
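The parameter constraints above (per-model maximum ranges, mask 1 to 32, timer 5 to 864000 seconds, the 512-entry cap from the Precautions, and the models that accept a processing mode from the Format section) are easy to get wrong when preparing a change. The following pre-flight checker is an added example, not Huawei code: it renders an arp-miss speed-limit source-ip line and rejects values outside the ranges this page lists, without talking to a device. The function names build_line, line_error and build_plan are assumptions of this example.

```python
"""Pre-flight check for arp-miss speed-limit source-ip lines (added example,
not Huawei code). Ranges and model lists are copied from this command reference;
the functions only render and validate text, nothing is sent to a device."""
from ipaddress import ip_address

# Upper bound of `maximum` (pps) per model, from the Parameters section.
MAX_PPS = {}
for _models, _hi in [
    (("S2720-EI", "S5720-LI", "S5720S-LI"), 2048),
    (("S5720I-SI", "S5720-SI", "S5720S-SI", "S5735-L", "S5735S-L", "S5735S-L-M"), 4096),
    (("S5735-S", "S5735S-S", "S5735-S-I"), 8000),
    (("S5720-EI", "S5731-S", "S5731S-S"), 16384),
    (("S5720-HI", "S5730-HI", "S5731-H", "S5731S-H"), 61440),
    (("S5732-H", "S6720-HI", "S6730-H", "S6730S-H", "S6730-S", "S6730S-S"), 65536),
    (("S5730-SI", "S5730S-EI", "S6720-SI", "S6720S-SI"), 20000),
    (("S6720-LI", "S6720S-LI"), 8192),
    (("S6720-EI", "S6720S-EI"), 131072),
]:
    for _m in _models:
        MAX_PPS[_m] = _hi

# Models that accept [ none-block | block timer timer ], from the Format section.
MODE_CAPABLE = {
    "S5720-EI", "S5720-HI", "S5730-HI", "S5731-H", "S5731-S", "S5731S-H", "S5731S-S",
    "S5732-H", "S5735-L", "S5735S-L", "S5735S-L-M", "S5735-S", "S5735S-S", "S5735-S-I",
    "S6720-EI", "S6720-HI", "S6720S-EI", "S6730-H", "S6730S-H", "S6730-S", "S6730S-S",
}
MAX_ENTRIES = 512  # "for a maximum of 512 IP addresses" (Precautions)


def build_line(model, maximum, ip=None, mask=None, mode=None, timer=None):
    """Render one command line; raise ValueError on any out-of-range value."""
    if model not in MAX_PPS:
        raise ValueError(f"{model}: no maximum range listed for this model")
    if not 0 <= maximum <= MAX_PPS[model]:
        raise ValueError(f"{model}: maximum must be 0..{MAX_PPS[model]} pps, got {maximum}")
    parts = ["arp-miss speed-limit source-ip"]
    if ip is not None:
        parts.append(str(ip_address(ip)))  # ip_address() rejects malformed addresses
        if mask is not None:
            if not 1 <= mask <= 32:
                raise ValueError("mask must be 1..32")
            parts += ["mask", str(mask)]
    elif mask is not None or mode is not None:
        # The second Format line (global default) takes only `maximum`.
        raise ValueError("mask and processing mode require an ip-address")
    parts += ["maximum", str(maximum)]
    if mode is not None:
        if model not in MODE_CAPABLE:
            raise ValueError(f"{model} does not support none-block/block timer")
        if mode == "none-block":
            if timer is not None:
                raise ValueError("none-block takes no timer")
            parts.append("none-block")
        elif mode == "block":
            if timer is None or not 5 <= timer <= 864000:
                raise ValueError("block timer must be 5..864000 seconds")
            parts += ["block", "timer", str(timer)]
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return " ".join(parts)


def line_error(model, maximum, **kw):
    """Return the validation error message for a planned line, or None if it is valid."""
    try:
        build_line(model, maximum, **kw)
    except ValueError as exc:
        return str(exc)
    return None


def build_plan(model, entries):
    """Render (ip, mask, maximum, mode, timer) tuples, enforcing the 512-entry cap."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} per-address entries are allowed")
    return [build_line(model, maximum, ip, mask, mode, timer)
            for ip, mask, maximum, mode, timer in entries]


if __name__ == "__main__":
    # Constructed plan mirroring the page's second CLI example on an S5720-EI.
    print(build_line("S5720-EI", 60))
    print(build_line("S5720-EI", 100, ip="10.0.0.1"))
    print(line_error("S5735-L", 5000))
```

Run it on a planned change before typing the lines into system view; a returned error string from line_error points at the range that was violated.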

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the device considers that an attack is initiated from that source IP address. If the ARP Miss message processing mode is set to block, the device discards the excess ARP Miss packets from this source IP address and delivers an ACL to discard all subsequent packets sent from it. If the ARP Miss message processing mode is set to none-block, the device only discards the excess ARP Miss packets.

The administrator can use the arp-miss speed-limit source-ip command to set the maximum number of ARP Miss packets and specify the mode for processing ARP Miss packets based on the actual network environment.

By limiting the number of ARP Miss messages that the device processes within a specified duration, the command protects system resources and ensures that other services keep running properly.

Precautions

You can set the maximum number of ARP Miss messages for a maximum of 512 IP addresses.

If the ARP Miss packet processing mode is set to none-block, the device discards the ARP Miss packets that trigger the excess ARP Miss messages to reduce CPU load. Because the CPU itself performs this discarding, the none-block action can still cause high CPU usage, whereas the block action consumes ACL resources. The default ARP Miss packet processing mode is recommended.

When setting the maximum number of ARP Miss messages based on source IP addresses, if the ARP Miss packet processing mode is not specified, the device uses the default processing mode, block.

When the number of ARP Miss packets from a source IP address exceeds the limit, the delivered ACL discards only the ARP Miss packets from that source IP address. Other packets can still be sent to the CPU.

A maximum of 16 ACLs can be delivered to the chip to discard ARP Miss packets from a specified IP address or network segment. When 16 ACLs have been delivered and none of them has aged out, and the number of ARP Miss packets per second from another IP address or network segment exceeds the limit, the device does not deliver a further ACL; instead, the CPU discards the excess ARP Miss packets.

The S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI cannot deliver ACLs to discard ARP Miss packets.
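The interaction between the per-second limit, the none-block and block actions, the ACL aging timer and the 16-ACL cap is easier to reason about in a small behavioural model. The following simulation is an added example, not Huawei code; it implements the rules stated in this reference (count ARP Miss messages per source per second, drop the excess, in block mode install an ACL that drops further ARP Miss packets from that source until the timer expires, never hold more than 16 ACLs). Two points are assumptions of this example rather than statements of the page: a rule with a mask is counted per source address rather than per segment, and when several rules cover a source the most specific one wins. The class and function names (ArpMissLimiter, Rule, burst, demo, acl_cap_demo) and the traffic are constructed.

```python
"""Behavioural model of arp-miss speed-limit source-ip (added example, not
Huawei code). Reproduces the rules in the command reference: per-second
counting of ARP Miss messages per source IP, discard of the excess, an ACL in
block mode that drops further ARP Miss packets from that source until the
timer expires, and at most 16 ACLs installed at once.
Assumptions (not from the page): masked rules count per source address, and
the most specific matching rule wins."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_ACLS = 16          # "A maximum of 16 ACLs can be delivered to the chip"
DEFAULT_MAXIMUM = 30   # default per-second limit per source IP
DEFAULT_TIMER = 5      # default block timer, in seconds


@dataclass
class Rule:
    network: object       # result of ip_network(), e.g. 10.0.0.1/32
    maximum: int          # ARP Miss messages per second
    mode: str             # "block" or "none-block"
    timer: int = DEFAULT_TIMER


@dataclass
class ArpMissLimiter:
    rules: list = field(default_factory=list)
    default_maximum: int = DEFAULT_MAXIMUM
    default_mode: str = "block"
    default_timer: int = DEFAULT_TIMER
    # (second, source) -> ARP Miss messages seen from that source in that second
    counts: dict = field(default_factory=lambda: defaultdict(int))
    # source -> time at which its delivered ACL ages out
    acls: dict = field(default_factory=dict)

    def lookup(self, src):
        """Most specific rule covering src, else the per-address default (assumption)."""
        best = None
        for r in self.rules:
            if src in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
                best = r
        if best is None:
            return self.default_maximum, self.default_mode, self.default_timer
        return best.maximum, best.mode, best.timer

    def age_out(self, now):
        """Remove ACLs whose timer has expired; their ARP Miss packets reach the CPU again."""
        for src, expiry in list(self.acls.items()):
            if now >= expiry:
                del self.acls[src]

    def arp_miss(self, now, src):
        """Handle one ARP Miss triggered at time `now` (seconds) by `src`.
        Returns "cpu" (processed), "drop-acl" (dropped by the chip ACL) or
        "drop-excess" (over the per-second limit, dropped by the CPU)."""
        src = ip_address(src)
        self.age_out(now)
        if src in self.acls:
            return "drop-acl"
        maximum, mode, timer = self.lookup(src)
        key = (int(now), src)
        self.counts[key] += 1
        if self.counts[key] <= maximum:
            return "cpu"
        # Over the limit. In block mode deliver an ACL if one of the 16 slots is free;
        # otherwise (or in none-block mode) only the excess packet is discarded.
        if mode == "block" and len(self.acls) < MAX_ACLS:
            self.acls[src] = now + timer
        return "drop-excess"


def burst(limiter, src, start, n):
    """Send n ARP Misses from src within the same second and tally the outcomes."""
    tally = defaultdict(int)
    for i in range(n):
        tally[limiter.arp_miss(start + i / 1000.0, src)] += 1
    return dict(tally)


def demo():
    """Mirror the page's second CLI example: 10.0.0.1 limited to 100/s, others to 60/s."""
    lim = ArpMissLimiter(rules=[Rule(ip_network("10.0.0.1/32"), 100, "block", 5)],
                         default_maximum=60, default_mode="none-block")
    out = {}
    out["10.0.0.1@0s"] = burst(lim, "10.0.0.1", 0.0, 150)   # constructed flood
    out["10.0.0.2@0s"] = burst(lim, "10.0.0.2", 0.0, 80)    # constructed flood
    out["10.0.0.1@4s"] = lim.arp_miss(4.0, "10.0.0.1")       # still inside the block timer
    out["10.0.0.1@6s"] = lim.arp_miss(6.0, "10.0.0.1")       # ACL has aged out
    return out


def acl_cap_demo():
    """20 constructed sources each exceed a limit of 0 in block mode: only 16 get an ACL."""
    lim = ArpMissLimiter(default_maximum=0, default_mode="block")
    outcomes = [lim.arp_miss(0.0, f"192.0.2.{i}") for i in range(1, 21)]
    return len(lim.acls), outcomes.count("drop-excess")


if __name__ == "__main__":
    print(demo())
    print(acl_cap_demo())
```

In demo(), the blocked source sees exactly one "drop-excess" before the ACL takes over, which is the difference the Precautions describe between the two modes: none-block keeps every excess packet on the CPU, block pushes the drop into the chip for the timer period. acl_cap_demo() shows the 17th and later offenders falling back to CPU discards once all 16 ACL slots are occupied.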

Example

# Set the maximum number of ARP Miss messages triggered by each source IP address per second to 60.

<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 60

# Set the maximum number of ARP Miss messages triggered by the IP address 10.0.0.1 per second to 100, and set the maximum number of ARP Miss messages triggered by other source IP addresses per second to 60.

<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 60
[HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 100
Copyright © Huawei Technologies Co., Ltd.