Configuring ARP VLAN CAR

ARP VLAN CAR allows you to limit the rate of ARP packets on the attacked interface without affecting other interfaces. This minimizes the impact of attacks on devices and services. After the alarm function is enabled for ARP VLAN CAR and the number of ARP packets to be sent to the CPU exceeds the threshold configured for ARP VLAN CAR, an alarm is reported.

Context

Configure ARP VLAN CAR on interfaces of the router

In VS mode, this feature is supported only by the admin VS.

Procedure

Run system-view
The system view is displayed.
Run slot slot-id
The slot view is displayed.
Run undo alarm drop-rate arp-vlan-car disable
The alarm function is enabled for ARP VLAN CAR.
Run quit
Return to the system view.
Run interface interface-type interface-number [ .sub-interface-number ]
The interface view is displayed.
Run arp rate-limit rate
The rate limit of ARP VLAN CAR for ARP packets on an interface is configured.

If you configure a rate limit (1024 pps, for example) which is larger than the default rate limit of CP-CAR, the configured ARP VLAN CAR cannot take effect. CP-CAR can be configured by running the car arp cir cir-value command. For details, see Configuring the CAR. The configuration of CP-CAR can be checked by running the display cpu-defend car information command.
Run quit
Return to the system view.
(Optional) Set the percentage of the bandwidth of level-2 CAR for ARP VLAN CAR in the bandwidth of CP-CAR for the ARP packets.
1. Run slot slot-id
  The slot view is displayed.
2. Run arp attack rate-limit-percent rate-value
  The percentage of the bandwidth of level-2 CAR for ARP VLAN CAR in the bandwidth of CP-CAR for ARP protocol packets is configured.
3. Run quit
  Return to the system view.
Run commit
The configuration is committed.