The arp anti-attack rate-limit command sets the maximum rate and rate limiting duration of ARP packets globally, in a VLAN, or on an interface, and enables the function of discarding all ARP packets received from the interface when the rate of ARP packets exceeds the limit on an interface.
The undo arp anti-attack rate-limit command restores the default maximum rate and rate limiting duration of ARP packets globally, in a VLAN, or on an interface, and allows the device to send ARP packets to the CPU again.
By default, a maximum of 100 ARP packets are allowed to pass per second, and the function of discarding all ARP packets received from the interface when the rate of ARP packets exceeds the limit is disabled.
System view, VLAN view
arp anti-attack rate-limit packet packet-number [ interval interval-value ]
undo arp anti-attack rate-limit
Interface view
arp anti-attack rate-limit packet packet-number [ interval interval-value | block-timer timer ] *
undo arp anti-attack rate-limit
Parameter | Description | Value
---|---|---
packet packet-number | Specifies the maximum rate of sending ARP packets, that is, the number of ARP packets allowed to pass through in the rate limiting duration. | The value is an integer that ranges from 1 to 16384. The default value is 100.
interval interval-value | Specifies the rate limiting duration of ARP packets. | The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.
block-timer timer | Specifies the duration for blocking ARP packets. | The value is an integer that ranges from 5 to 864000, in seconds.
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, port group view, Eth-Trunk interface view
Usage Scenario
After rate limit on ARP packets is enabled, run the arp anti-attack rate-limit command to set the maximum rate and rate limiting duration of ARP packets globally, in a VLAN, or on an interface. In the rate limiting duration, if the number of received ARP packets exceeds the limit, the device discards the excess ARP packets.
If the parameter block-timer timer is specified, the device discards all ARP packets received in the duration specified by timer.
Prerequisites
Rate limit on ARP packets has been enabled globally, in a VLAN, or on an interface using the arp anti-attack rate-limit enable command.
Precautions
If the maximum rate and rate limiting duration are configured in the system view, VLAN view, and interface view at the same time, the interface view configuration takes precedence, followed by the VLAN view configuration and then the system view configuration.
This command can be configured on a maximum of 16 interfaces.
The arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU for processing in non-block mode, and does not affect ARP packet forwarding by the chip. In block mode, the device discards subsequent ARP packets on an interface only when the number of ARP packets sent to the CPU exceeds the limit.
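The following Python model is an added illustration of the packet, interval and block-timer semantics described in the usage scenario and precautions above. It is not Huawei's code and not the device's implementation; the fixed-window counting, the `ArpRateLimiter` class and the constructed traffic are assumptions made for this page so that the difference between non-block mode (only the excess is discarded) and block mode (every ARP packet is discarded while the timer runs) can be observed on the same input.

```python
# Added illustration of the rate-limit semantics of the command above
# (packet, interval, block-timer). Stand-alone Python model written for this
# page; not Huawei's code and not the device's implementation.


class ArpRateLimiter:
    """Per-interface ARP rate limiter (hypothetical model).

    At most `packet` ARP packets are sent to the CPU in each `interval`
    seconds; the excess is discarded (non-block mode). When `block_timer`
    is non-zero (block mode), the first packet that exceeds the limit also
    starts a timer during which every ARP packet on the interface is
    discarded.
    """

    def __init__(self, packet=100, interval=1, block_timer=0):
        # Ranges and defaults are the ones in the parameter table above.
        if not 1 <= packet <= 16384:
            raise ValueError("packet must be 1..16384")
        if not 1 <= interval <= 86400:
            raise ValueError("interval must be 1..86400 seconds")
        if block_timer and not 5 <= block_timer <= 864000:
            raise ValueError("block-timer must be 5..864000 seconds")
        self.packet = packet
        self.interval = interval
        self.block_timer = block_timer
        self._window = None          # index of the current counting window
        self._count = 0              # packets accepted in the current window
        self._blocked_until = 0.0    # block-mode timer expiry (absolute time)

    def accept(self, now):
        """Return True if an ARP packet arriving at time `now` (seconds) reaches the CPU."""
        # Block mode: discard everything while the block timer is running.
        if now < self._blocked_until:
            return False
        # Fixed counting windows of `interval` seconds (a modelling choice;
        # the page does not say how the device aligns its windows).
        window = int(now // self.interval)
        if window != self._window:
            self._window, self._count = window, 0
        if self._count < self.packet:
            self._count += 1
            return True
        # Limit exceeded: drop the packet; in block mode start the timer.
        if self.block_timer:
            self._blocked_until = now + self.block_timer
        return False


def simulate(limiter, arrivals):
    """Feed packet arrival times (seconds) to the limiter; return (accepted, discarded)."""
    accepted = sum(1 for t in arrivals if limiter.accept(t))
    return accepted, len(arrivals) - accepted


def constructed_burst():
    """Constructed traffic: a 300-packet ARP burst in the first 0.3 s,
    then 5 packets around t=12 s and 5 packets around t=70 s."""
    burst = [i * 0.001 for i in range(300)]
    later = [12.0 + i * 0.1 for i in range(5)]
    much_later = [70.0 + i * 0.1 for i in range(5)]
    return burst + later + much_later


def run_demo():
    """Run the page's example settings (packet 200 interval 10) without and
    with block-timer 60 against the same constructed traffic."""
    traffic = constructed_burst()
    non_block = simulate(ArpRateLimiter(packet=200, interval=10), traffic)
    block = simulate(ArpRateLimiter(packet=200, interval=10, block_timer=60), traffic)
    return {"non_block": non_block, "block": block}


if __name__ == "__main__":
    for mode, (ok, dropped) in run_demo().items():
        print(f"{mode}: {ok} sent to CPU, {dropped} discarded")
```

With these settings the burst alone overflows the 200-packet budget of the first 10-second window. In non-block mode only the 100 excess packets are lost and the packets at 12 s and 70 s are still processed; in block mode the first excess packet starts the 60-second timer, so the packets at 12 s are also discarded and service on the interface only resumes at 70 s. This is the trade-off a practitioner weighs when choosing block-timer: it costs legitimate ARP on the interface for the whole timer, in exchange for keeping the CPU entirely free of that interface's ARP traffic during a flood.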
Set the maximum rate of ARP packets on GE0/0/1 to 200 packets per 10 seconds and block ARP packets on the interface for 60 seconds when the limit is exceeded:
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60
The same configuration on GE0/0/1 after switching it to Layer 3 mode with undo portswitch:
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60