
arp speed-limit source-mac

Function

The arp speed-limit source-mac command sets the maximum rate of ARP packets based on source MAC addresses.

The undo arp speed-limit source-mac command restores the default setting.

By default, the maximum rate of ARP packets from each source MAC address is set to 0, that is, the rate of ARP packets is not limited based on source MAC addresses.

Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.

Format

arp speed-limit source-mac [ mac-address ] maximum maximum

undo arp speed-limit source-mac [ mac-address ]

Parameters

mac-address
  Description: Specifies the source MAC address. If this parameter is specified, the rate of ARP packets from the MAC address is limited. If this parameter is not specified, the rate of ARP packets from each MAC address is limited.
  Value: The value is in the H-H-H format. H is a hexadecimal number of 1 to 4 digits.

maximum maximum
  Description: Specifies the maximum rate of ARP packets from a specified MAC address.
  Value: The value is an integer, in pps. The range depends on the device model:
    • S5720-EI, S5731-S, and S5731S-S: 0 to 16384
    • S5720-HI, S5730-HI, S5731-H, and S5731S-H: 0 to 61440
    • S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S: 0 to 65536
    • S6720-EI and S6720S-EI: 0 to 131072
    • S5735-L, S5735S-L, S5735S-L-M: 0 to 4096
    • S5735-S, S5735S-S, S5735-S-I: 0 to 8180

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the device processes a large number of ARP packets with fixed source MAC addresses but variable source IP addresses, its CPU is overloaded and ARP entries are exhausted. To prevent this problem, limit the rate of ARP packets based on source MAC addresses.

After the arp speed-limit source-mac command is run, the device collects statistics on ARP packets from a specified source MAC address. If the number of ARP packets received per second from that source MAC address exceeds the threshold, the device discards the excess ARP packets.

Precautions

Limiting the rate of all ARP packets is not recommended. You are advised to find out the attack source according to packet statistics, and then limit the rate of ARP packets from the specified source MAC address.

If the source MAC address is not specified, the rate of ARP packets from each MAC address is limited. If the rate of ARP packets from each source IP address is set using the arp speed-limit source-ip command at the same time and the rate is the same as that set using the arp speed-limit source-mac command, both commands take effect. When receiving ARP packets from a fixed source, the device limits the rate of these packets based on the maximum rate set by the arp speed-limit source-mac command.

After the optimized ARP reply function (disabled by default) is enabled using the undo arp optimized-reply disable command, rate limiting on ARP packets based on the source MAC address does not take effect.

Example

# Set the maximum rate of ARP packets from any source MAC address to 100 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-mac maximum 100

# Set the maximum rate of ARP packets from a specified MAC address 0-0-1 to 50 pps.

<HUAWEI> system-view
[HUAWEI] arp speed-limit source-mac 0-0-1 maximum 50
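
The Precautions advise finding the attack source from packet statistics and then limiting only that source MAC address. The following Python script is an added example, not part of the Huawei documentation: it assumes the statistics are available as (timestamp, source MAC, source IP) records, and its function names, the min_ips heuristic, the thresholds and the sample data are constructed for illustration.

```python
from collections import defaultdict

# Upper bound of "maximum" in pps for three of the models in the Parameters section.
MODEL_MAX_PPS = {"S5720-EI": 16384, "S5735-L": 4096, "S6720-EI": 131072}

def to_hhh(mac):
    """Convert a colon-separated MAC (aa:bb:cc:dd:ee:ff) to the H-H-H form."""
    digits = mac.replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))

def find_offenders(records, threshold_pps, min_ips=3):
    """records: one (timestamp_seconds, src_mac, src_ip) tuple per ARP packet.
    Returns {mac: peak_pps} for MACs whose busiest second exceeds threshold_pps
    while they cycle through at least min_ips different source IP addresses
    (assumed heuristic for "fixed source MAC, variable source IP")."""
    per_second = defaultdict(int)
    ips = defaultdict(set)
    for ts, mac, ip in records:
        per_second[(mac, int(ts))] += 1
        ips[mac].add(ip)
    peak = defaultdict(int)
    for (mac, _), count in per_second.items():
        peak[mac] = max(peak[mac], count)
    return {m: p for m, p in peak.items()
            if p > threshold_pps and len(ips[m]) >= min_ips}

def limit_commands(offenders, limit_pps, model):
    """Build one per-MAC command per offender; 0 is rejected because it means 'not limited'."""
    if not 1 <= limit_pps <= MODEL_MAX_PPS[model]:
        raise ValueError(f"{limit_pps} pps is outside 1..{MODEL_MAX_PPS[model]} for {model}")
    return [f"arp speed-limit source-mac {to_hhh(mac)} maximum {limit_pps}"
            for mac in sorted(offenders)]

def sample_records():
    """Constructed data: one flooding host with rotating source IPs, one normal host."""
    flood = [(10.0 + i / 200, "00:11:22:33:44:55", f"10.0.0.{i + 1}") for i in range(200)]
    normal = [(10.1, "66:77:88:99:aa:bb", "10.0.0.254"),
              (11.4, "66:77:88:99:aa:bb", "10.0.0.254")]
    return flood + normal

if __name__ == "__main__":
    for line in limit_commands(find_offenders(sample_records(), 50), 50, "S5720-EI"):
        print(line)
```

Only the flooding MAC address receives a limit, so other hosts are not throttled by a global per-MAC setting.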
Copyright © Huawei Technologies Co., Ltd.