1-2Task RemarksConfiguring ARP Packet Source MACAddress Consistency CheckOptionalConfigure this function on gateways(recommended).Configuring ARP Active AcknowledgementOptionalConfigure this function on gateways(recommended).User andgatewayspoofingpreventionConfiguring ARP DetectionOptionalConfigure this function on accessdevices (recommended).Configuring ARP Defense Against IP Packet AttacksIntroductionIf a device receives large numbers of IP packets from a host to unreachable destinations,z The device sends large numbers of ARP requests to the destination subnets, which increases theload of the destination subnets.z The device keeps trying to resolve destination IP addresses, which increases the load of the CPU.To protect the device from IP packet attacks, you can enable the ARP source suppression function orARP black hole routing function.If the packets have the same source address, you can enable the ARP source suppression function.With the function enabled, whenever the number of ARP requests triggered by the packets withunresolvable destination IP addresses from a host within five seconds exceeds a specified threshold,the device suppresses the sending host from triggering any ARP requests within the following fiveseconds.If the packets have various source addresses, you can enable the ARP black hole routing function. Afterreceiving an IP packet whose destination IP address cannot be resolved by ARP, the device with thisfunction enabled immediately creates a black hole route and simply drops all packets matching theroute during the aging time of the black hole route.Configuring ARP Source SuppressionFollow these steps to configure ARP source suppression:To do… Use the command… RemarksEnter system view system-view —Enable ARP source suppression arp source-suppression enable RequiredDisabled by default.Set the maximum number of packetswith the same source IP address butunresolvable destination IPaddresses that the device canreceive in five consecutive secondsarp source-suppression limitlimit-valueOptional10 by default.