ARP Attack Defense Configuration

When configuring ARP attack defense, go to these sections for information you are interested in:

- Configuring ARP Source Suppression
- Configuring ARP Defense Against IP Packet Attacks
- Configuring ARP Active Acknowledgement
- Configuring Source MAC Address Based ARP Attack Detection
- Configuring ARP Packet Source MAC Address Consistency Check
- Configuring ARP Packet Rate Limit
- Configuring ARP Detection

Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features.

Configuring ARP Source Suppression

Introduction to ARP Source Suppression

If a device receives large numbers of IP packets from a host to unreachable destinations:

- The device sends large numbers of ARP requests to the destination subnets, which increases the load of the destination subnets.
- The device continuously resolves destination IP addresses, which increases the load of the CPU.

To protect the device from such attacks, you can enable the ARP source suppression function. With the function enabled, whenever the number of packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold, the device suppresses the sending host from triggering any ARP requests within the following five seconds.

Configuring ARP Source Suppression

Follow these steps to configure ARP source suppression:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable ARP source suppression | arp source-suppression enable | Required. Disabled by default. |
| Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five consecutive seconds | arp source-suppression limit limit-value | Optional. 10 by default. |
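The suppression behaviour described above, modelled in Python as an added example (not code from this manual or from the device). Assumptions: the counting window is fixed per source IP and starts at the first unresolvable packet, the packet that exceeds the limit is itself suppressed, and all class, function and variable names are hypothetical.

```python
from collections import defaultdict

WINDOW_MS = 5000  # the page's five-second counting and suppression intervals

class ArpSourceSuppression:
    """Toy model of the described behaviour, not the device's implementation."""

    def __init__(self, limit=10):           # 10 is the default limit per the page
        self.limit = limit
        self.window_start = {}               # src IP -> start of counting window (ms)
        self.count = defaultdict(int)        # src IP -> unresolvable packets in window
        self.suppressed_until = {}           # src IP -> end of suppression (ms)

    def may_send_arp(self, src_ip, now_ms):
        """Called per packet with an unresolvable destination; True = ARP request sent."""
        if now_ms < self.suppressed_until.get(src_ip, 0):
            return False                     # host is inside its suppression interval
        start = self.window_start.get(src_ip)
        if start is None or now_ms - start >= WINDOW_MS:
            self.window_start[src_ip] = now_ms   # assumption: fixed window from first packet
            self.count[src_ip] = 0
        self.count[src_ip] += 1
        if self.count[src_ip] > self.limit:
            # Assumption: the packet that exceeds the limit is itself suppressed.
            self.suppressed_until[src_ip] = now_ms + WINDOW_MS
            del self.window_start[src_ip]
            return False
        return True

def simulate(events, limit=10):
    """events: iterable of (time_ms, src_ip). Returns (sent, suppressed) counts per source."""
    model = ArpSourceSuppression(limit)
    sent, suppressed = defaultdict(int), defaultdict(int)
    for now_ms, src_ip in sorted(events):
        bucket = sent if model.may_send_arp(src_ip, now_ms) else suppressed
        bucket[src_ip] += 1
    return dict(sent), dict(suppressed)

# Constructed sample: one host sweeping unreachable addresses at 10 packets/s for
# 10 s, and one ordinary host with three unresolvable packets in the same period.
SAMPLE_EVENTS = [(i * 100, "192.0.2.50") for i in range(100)]
SAMPLE_EVENTS += [(0, "192.0.2.10"), (2000, "192.0.2.10"), (8000, "192.0.2.10")]

if __name__ == "__main__":
    sent, suppressed = simulate(SAMPLE_EVENTS)
    for ip in sorted(sent):
        print(ip, "ARP requests:", sent[ip], "suppressed:", suppressed.get(ip, 0))
```

Under these assumptions the sweeping host triggers ARP resolution for only its first 10 packets in each cycle, while the ordinary host stays below the limit and is never suppressed.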