HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 245
Configuring ARP defense against IP packet attacks, Configuring ARP source suppression
View all HP 6125G manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 245 highlights
Task Configuring ARP automatic scanning and fixed ARP Configuring ARP gateway protection Configuring ARP filtering Remarks Optional. Configure this function on gateways (recommended). Optional. Configure this function on access devices (recommended). Optional. Configure this function on access devices (recommended). Configuring ARP defense against IP packet attacks If the device receives a large number of IP packets from a host addressed to unreachable destinations: • The device sends a large number of ARP requests to the destination subnets, and thus the load of the destination subnets increases. • The device keeps trying to resolve destination IP addresses, which increases the load on the CPU. To protect the device from IP packet attacks, you can enable the ARP source suppression function or ARP black hole routing function. If the packets have the same source address, you can enable the ARP source suppression function. With the function enabled, you can set a threshold for the number of ARP requests that a sending host can trigger in five seconds with packets with unresolvable destination IP addresses. When the number of ARP requests exceeds that threshold, the device suppresses the host from triggering any ARP requests in the following five seconds. If the packets have various source addresses, you can enable the ARP black hole routing function. After receiving an IP packet whose destination IP address cannot be resolved by ARP, the device with this function enabled immediately creates a black hole route and simply drops all packets matching the route during the aging time of the black hole route. Configuring ARP source suppression Step Command 1. Enter system view. system-view 2. Enable ARP source suppression. arp source-suppression enable 3. Set the maximum number of packets with the same source IP address but unresolvable arp source-suppression limit destination IP addresses that the device can limit-value receive in five consecutive seconds. Remarks N/A Disabled by default. Optional. 10 by default. Enabling ARP black hole routing 235