Configuring Rate Limiting on ARP Packets Globally, in a VLAN, or on an Interface
Context
When processing a large number of ARP packets, a device consumes many CPU resources and cannot process other services. To protect CPU resources of the device, rate—limit ARP packets.
Rate-limiting ARP packets globally: limits the number of ARP packets processed on the entire device.
Rate-limiting ARP packets in a VLAN: limits the number of ARP packets to be processed on all interfaces in a VLAN. The configuration in a VLAN does not affect ARP entry learning on interfaces in other VLANs.
Rate-limiting ARP packets on an interface: limits the number of ARP packets processed on an interface. The configuration on an interface does not affect ARP entry learning on other interfaces.
If the maximum rate and rate limiting duration are configured in the system view, VLAN view, and interface view at the same time, the device uses the configurations in the interface view, VLAN view, and system view, in that order.
If you want the device to generate alarms to notify the network administrator of a large number of discarded excess ARP packets, enable the alarm function. When the number of discarded ARP packets exceeds the alarm threshold, the device generates an alarm.
MAC-Forced Forwarding (MFF) may increase the load on an access device's CPU. This is because the MFF module may forward too many ARP packets whose destination IP addresses are different from the IP address of the interface receiving these packets. To resolve this problem, rate-limit ARP packets globally, in a VLAN, or on an interface.
Perform the following steps on the gateway.
Procedure
- Run system-view
The system view is displayed.
- (Optional) Run interface interface-type interface-number or vlan vlan-id
The interface or VLAN view is displayed.
If you configure rate limiting on ARP packets in the system view, skip the preceding step.
- (Optional) On an Ethernet interface, run undo portswitch
The interface is switched to Layer 3 mode.
By default, an Ethernet interface works in Layer 2 mode.
Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3 modes.
- Run arp anti-attack rate-limit enable
Rate limiting on ARP packets is enabled.
After the optimized ARP reply function (disabled by default) is enabled using the undo arp optimized-reply disable command, rate limiting on ARP packets globally, in a VLAN, or on an Interface does not take effect.
By default, rate limiting on ARP packets is disabled.
- Run arp anti-attack rate-limit packet packet-number [ interval interval-value | block-timer timer ] *
The maximum rate and rate limiting duration for ARP packets are set, and the function to discard all ARP packets received from the interface when the rate of ARP packets exceeds the limit (block mode) is enabled.
The system view and VLAN view do not support block timer timer.
By default, a maximum of 100 ARP packets are allowed to pass per second, and the function to discard all ARP packets received from the interface when the rate of ARP packets exceeds the limit is disabled.
This command can be configured on 16 interfaces.
The arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU for processing in none-block mode, and does not affect ARP packet forwarding by the chip. In block mode, the device discards subsequent ARP packets on an interface only when the number of ARP packets sent to the CPU exceeds the limit.
- (Optional) Run arp anti-attack rate-limit alarm enable
The alarm function for discarded ARP packets when the rate of ARP packets exceeds the limit is enabled.
By default, the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit is disabled.
- (Optional) Run arp anti-attack rate-limit alarm threshold threshold
The alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit is set.
By default, the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit is 100.