If a network device is flooded with IP packets that contain unresolvable destination IP addresses, the device generates a large number of ARP Miss messages. This is because the device has no ARP entry that matches the next hop of the route. IP packets triggering ARP Miss messages are sent to the device for processing. The device generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming considerable CPU and bandwidth resources.
If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the device considers that an attack has been initiated from the source IP address.
If the ARP Miss packet processing mode is set to block, the CPU of the device discards excess ARP Miss messages (that is, it discards the IP packets that triggered them) and delivers an ACL to discard all subsequent ARP Miss packets sent from this source IP address. The block mode occupies the device's limited ACL resources. If the ARP Miss packet processing mode is set to none-block, the CPU discards excess ARP Miss messages but does not deliver an ACL. The none-block mode mitigates the pressure on the CPU.
The maximum rate of ARP Miss messages and ARP Miss packet processing mode can be set based on the actual network environment.
Only the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this function.
Perform the following steps on the gateway.
Run the system-view command. The system view is displayed.
Run the arp-miss speed-limit source-ip maximum maximum command. The maximum rate of ARP Miss messages triggered by IP packets from any source IP address is set.
Run the arp-miss speed-limit source-ip ip-address [ mask mask ] maximum maximum [ none-block | block timer timer ] command. The maximum rate of ARP Miss messages triggered by IP packets from the specified IP address is set, and the ARP Miss packet processing mode is specified.
Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support [ none-block | block timer timer ].
When both commands are configured, the maximum rate set using the arp-miss speed-limit source-ip ip-address [ mask mask ] maximum maximum [ none-block | block timer timer ] command takes effect on ARP Miss messages triggered by IP packets from the specified source IP address, and the maximum rate set using the arp-miss speed-limit source-ip maximum maximum command takes effect on ARP Miss messages triggered by IP packets from all other source IP addresses.
If the maximum rate of ARP Miss messages is set to 0, ARP Miss messages are not rate-limited based on source IP addresses. By default, the device accepts a maximum of 500 ARP Miss messages triggered by IP packets from the same source IP address per second.
If the number of ARP Miss messages triggered by IP packets from the same source IP address per second exceeds the limit, the device discards the excess ARP Miss packets. By default, the device uses the block mode and discards all subsequent ARP Miss packets from that source IP address for five minutes.
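The following Python model is added here as an illustration and is not the vendor's implementation. It shows how the two processing modes differ once a source exceeds its limit (the default 500 messages per second, block mode for five minutes) and how a per-source rule overrides the any-source limit; the whole-second counting window, the ACL-expiry handling and the sample addresses are modelling assumptions.

```python
from collections import defaultdict

DEFAULT_MAX_PER_SEC = 500     # default per-source limit stated on the page
DEFAULT_BLOCK_SECONDS = 300   # default block mode discards for five minutes


class ArpMissLimiter:
    def __init__(self, default_max=DEFAULT_MAX_PER_SEC, per_source=None):
        # per_source maps ip -> (max_per_sec, mode, block_timer_seconds); constructed format
        self.default_max = default_max
        self.per_source = per_source or {}
        self.counts = defaultdict(int)           # (ip, whole second) -> triggers seen
        self.acl_until = {}                      # ip -> time the blocking ACL expires
        self.stats = defaultdict(lambda: {"processed": 0, "excess": 0, "acl": 0})

    def _policy(self, ip):
        # A per-source rule overrides the rule for "any source"; default mode is block.
        return self.per_source.get(ip, (self.default_max, "block", DEFAULT_BLOCK_SECONDS))

    def handle(self, ts, ip):
        """Classify one ARP Miss-triggering packet: 'processed', 'excess' or 'acl'."""
        limit, mode, timer = self._policy(ip)
        if ts < self.acl_until.get(ip, float("-inf")):
            self.stats[ip]["acl"] += 1           # dropped by the ACL delivered earlier
            return "acl"
        key = (ip, int(ts))
        self.counts[key] += 1
        if limit == 0 or self.counts[key] <= limit:   # 0 disables per-source limiting
            self.stats[ip]["processed"] += 1
            return "processed"
        self.stats[ip]["excess"] += 1            # CPU discards the excess ARP Miss message
        if mode == "block":
            self.acl_until[ip] = ts + timer      # all later packets from ip are ACL-dropped
        return "excess"


def simulate(limiter, events):
    """Feed (timestamp, source_ip) events in time order; return per-source counters."""
    for ts, ip in sorted(events):
        limiter.handle(ts, ip)
    return {ip: dict(s) for ip, s in limiter.stats.items()}


def demo():
    """Constructed traffic: one source uses the defaults, another has a none-block rule."""
    limiter = ArpMissLimiter(per_source={"10.0.0.5": (100, "none-block", 0)})
    events = [(1.0 + i / 1000, "10.0.0.9") for i in range(600)]   # 600 triggers in 1 s
    events += [(2.5, "10.0.0.9"), (302.0, "10.0.0.9")]            # inside, then after, ACL
    events += [(1.0 + i / 1000, "10.0.0.5") for i in range(150)]  # 150 vs limit of 100
    events.append((2.0, "10.0.0.5"))                              # new second, no ACL
    return simulate(limiter, events)
```

In block mode the first excess message installs the ACL and every later packet from that source is counted as an ACL drop until the timer expires; in none-block mode only the excess within each second is discarded and the next second starts fresh.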