
arp speed-limit source-ip

Function

The arp speed-limit source-ip command sets the maximum rate of ARP packets based on the source IP address.

The undo arp speed-limit source-ip command restores the default setting.

By default, the device allows a maximum of 30 ARP packets from the same source IP address to pass through per second.

Format

arp speed-limit source-ip [ ip-address ] maximum maximum

undo arp speed-limit source-ip [ ip-address ]

Parameters

Parameter: ip-address

Description: Specifies the source IP address. If this parameter is specified, the rate of ARP packets from that IP address is limited. If it is not specified, the rate of ARP packets from each source IP address is limited.

Value: The value is in dotted decimal notation.

Parameter: maximum maximum

Description: Specifies the maximum rate of ARP packets from a specified source IP address.

NOTE: If the rate of all ARP packets is limited (no ip-address specified), a large value is recommended, because valid packets may be discarded if the value is small; however, an excessively large value degrades system performance. If a specific IP address is initiating attacks, you can set the maximum number of ARP Miss messages triggered by packets from this IP address to a small value.

Value: The value is an integer, in pps, with the following ranges:
  • S2720-EI, S5720-LI, S5720S-LI: 0 to 2048
  • S5720I-SI, S5720-SI, S5720S-SI, S5735-L, S5735S-L, S5735S-L-M: 0 to 4096
  • S5735-S, S5735S-S, S5735-S-I: 0 to 8180
  • S5720-EI, S5731-S, S5731S-S: 0 to 16384
  • S5720-HI, S5730-HI, S5731-H, S5731S-H: 0 to 61440
  • S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S: 0 to 65536
  • S5730-SI, S5730S-EI, S6720-SI, S6720S-SI: 0 to 20000
  • S6720-LI, S6720S-LI: 0 to 8192
  • S6720-EI, S6720S-EI: 0 to 131072

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the device has to process a large number of ARP packets from fixed source IP addresses (for example, ARP packets with the same source IP address but frequently changing MAC addresses or outbound interfaces), the CPU becomes overloaded and cannot process other services. To prevent this problem, limit the rate of ARP packets based on the source IP address.

After the arp speed-limit source-ip command is run, the device collects statistics on ARP packets per source IP address. If the number of ARP packets received from a source IP address in one second exceeds the configured threshold, the device discards the excess ARP packets.

Precautions

Limiting the rate of all ARP packets is not recommended. Instead, identify the attack source from the packet statistics and then limit the rate of ARP packets from that specific source IP address.

When you have confirmed that the network is secure, set the rate limit to 0 to increase the ARP learning speed. With the limit set to 0, the device does not limit the ARP packet rate based on source IP addresses.

If the source IP address is not specified, the rate of ARP packets from each source IP address is limited. If the arp speed-limit source-mac command is also configured, with the same rate as the arp speed-limit source-ip command, both commands take effect; when ARP packets arrive from a fixed source, the device limits them according to the maximum rate set by the arp speed-limit source-mac command.

After the optimized ARP reply function (disabled by default) is enabled using the undo arp optimized-reply disable command, rate limiting of ARP packets based on the source IP address does not take effect.
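The per-source-IP behaviour described in the usage scenario and precautions above (per-second counting, discarding the excess, a per-address override, and 0 meaning no limit), modelled as an added Python example; this is not device code or Huawei's own, and the traffic sample, function names and the 30 pps default applied to it are constructed here for illustration:

```python
"""Model of per-source-IP ARP rate limiting as documented for
arp speed-limit source-ip. Constructed sample traffic, not device output."""
from collections import defaultdict

DEFAULT_MAX_PPS = 30  # default stated in the documentation


def limit_arp(packets, default_max=DEFAULT_MAX_PPS, per_ip=None):
    """packets: iterable of (timestamp_seconds, source_ip).
    per_ip: {ip: max_pps} overrides, as with 'arp speed-limit source-ip <ip> maximum <n>'.
    Returns (passed, dropped) packet counts keyed by source IP."""
    per_ip = per_ip or {}
    seen = defaultdict(int)      # (ip, second) -> packets already passed this second
    passed = defaultdict(int)
    dropped = defaultdict(int)
    for ts, ip in packets:
        limit = per_ip.get(ip, default_max)
        key = (ip, int(ts))
        if limit == 0 or seen[key] < limit:   # a limit of 0 disables rate limiting
            seen[key] += 1
            passed[ip] += 1
        else:
            dropped[ip] += 1                  # excess packets in this second are discarded
    return dict(passed), dict(dropped)


def find_sources_over(packets, threshold=DEFAULT_MAX_PPS):
    """Per-source statistics used to locate an attack source before applying a
    targeted limit: returns {ip: peak_pps} for sources whose peak exceeds threshold."""
    counts = defaultdict(int)
    for ts, ip in packets:
        counts[(ip, int(ts))] += 1
    peak = defaultdict(int)
    for (ip, _), n in counts.items():
        peak[ip] = max(peak[ip], n)
    return {ip: p for ip, p in peak.items() if p > threshold}


# Constructed sample: 10.0.0.1 sends 200 ARP packets within one second,
# 10.0.0.2 sends 5 packets per second for two seconds (normal behaviour).
SAMPLE = [(i / 200, "10.0.0.1") for i in range(200)] + \
         [(s + i / 5, "10.0.0.2") for s in (0, 1) for i in range(5)]

if __name__ == "__main__":
    print(find_sources_over(SAMPLE))                   # {'10.0.0.1': 200}
    print(limit_arp(SAMPLE))                           # default 30 pps for every source
    print(limit_arp(SAMPLE, per_ip={"10.0.0.1": 50}))  # targeted limit on one source
```

Running the script shows the normal source passing untouched under the default limit while only the excess from the noisy source is discarded.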

Example

# Set the maximum rate of ARP packets from each source IP address to 100 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-ip maximum 100

# Set the maximum rate of ARP packets from the specified IP address 10.0.0.1 to 50 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-ip 10.0.0.1 maximum 50

Copyright © Huawei Technologies Co., Ltd.