HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 247
Configuration considerations, Configuration procedure, Configuring ARP packet rate limit, Introduction
 |
View all HP 6125G manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 247 highlights
Configuration considerations If the attacking packets have the same source address, you can enable the ARP source suppression function with the following steps: 1. Enable ARP source suppression. 2. Set the threshold for ARP packets from the same source address to 100. If the number of ARP requests sourced from the same IP address in five seconds exceeds 100, the device suppresses the IP packets sourced from this IP address from triggering any ARP requests within the following five seconds. If the attacking packets have different source addresses, enable the ARP black hole routing function on the device. Configuration procedure 1. Enable ARP source suppression on the device and set the threshold for ARP packets from the same source address to 100. system-view [Device] arp source-suppression enable [Device] arp source-suppression limit 100 2. Enable ARP black hole routing on the device. system-view [Device] arp resolving-route enable Configuring ARP packet rate limit Introduction The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU on a switch. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the CPU of the device will be overloaded because all of the ARP packets are redirected to the CPU for checking. As a result, the device fails to deliver other functions properly or even crashes. To solve this problem, you can configure ARP packet rate limit. Enable this feature after the ARP detection, ARP snooping, or MFF feature is configured, or use this feature to prevent ARP flood attacks. Configuration procedure To configure ARP packet rate limit: Step 1. Enter system view. 2. Enter Layer 2 Ethernet interface/Layer 2 aggregate interface view. 3. Configure ARP packet rate limit. Command system-view interface interface-type interface-number arp rate-limit { disable | rate pps drop } Remarks N/A N/A By default, the ARP packet rate limit is enabled and is 100 pps. 237
-
1 -
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21
-
22
-
23
-
24
-
25
-
26
-
27
-
28
-
29
-
30
-
31
-
32
-
33
-
34
-
35
-
36
-
37
-
38
-
39
-
40
-
41
-
42
-
43
-
44
-
45
-
46
-
47
-
48
-
49
-
50
-
51
-
52
-
53
-
54
-
55
-
56
-
57
-
58
-
59
-
60
-
61
-
62
-
63
-
64
-
65
-
66
-
67
-
68
-
69
-
70
-
71
-
72
-
73
-
74
-
75
-
76
-
77
-
78
-
79
-
80
-
81
-
82
-
83
-
84
-
85
-
86
-
87
-
88
-
89
-
90
-
91
-
92
-
93
-
94
-
95
-
96
-
97
-
98
-
99
-
100
-
101
-
102
-
103
-
104
-
105
-
106
-
107
-
108
-
109
-
110
-
111
-
112
-
113
-
114
-
115
-
116
-
117
-
118
-
119
-
120
-
121
-
122
-
123
-
124
-
125
-
126
-
127
-
128
-
129
-
130
-
131
-
132
-
133
-
134
-
135
-
136
-
137
-
138
-
139
-
140
-
141
-
142
-
143
-
144
-
145
-
146
-
147
-
148
-
149
-
150
-
151
-
152
-
153
-
154
-
155
-
156
-
157
-
158
-
159
-
160
-
161
-
162
-
163
-
164
-
165
-
166
-
167
-
168
-
169
-
170
-
171
-
172
-
173
-
174
-
175
-
176
-
177
-
178
-
179
-
180
-
181
-
182
-
183
-
184
-
185
-
186
-
187
-
188
-
189
-
190
-
191
-
192
-
193
-
194
-
195
-
196
-
197
-
198
-
199
-
200
-
201
-
202
-
203
-
204
-
205
-
206
-
207
-
208
-
209
-
210
-
211
-
212
-
213
-
214
-
215
-
216
-
217
-
218
-
219
-
220
-
221
-
222
-
223
-
224
-
225
-
226
-
227
-
228
-
229
-
230
-
231
-
232
-
233
-
234
-
235
-
236
-
237
-
238
-
239
-
240
-
241
-
242 -
243 -
244 -
245 -
246 -
247 -
248 -
249 -
250 -
251 -
252 -
253
-
254
-
255
-
256
-
257
-
258
-
259
-
260
-
261
-
262
-
263
-
264
-
265
-
266
-
267
-
268
-
269
-
270
-
271
-
272
-
273
-
274
-
275
-
276
-
277
-
278
-
279
-
280
-
281
-
282
-
283
-
284
-
285
 |
 |
