Configuring ARP Source Suppression

Introduction to ARP Source Suppression

If a device receives large numbers of IP packets from a host to unreachable destinations:

- The device sends large numbers of ARP requests to the destination subnets, which increases the load of the destination subnets.
- The device continuously resolves destination IP addresses, which increases the load of the CPU.

To protect the device from such attacks, you can enable the ARP source suppression function. With the function enabled, whenever the number of ARP requests triggered by the packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold, the device suppresses the sending host from triggering any ARP requests within the following five seconds.

Configuring ARP Source Suppression

Follow these steps to configure ARP source suppression:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable ARP source suppression | arp source-suppression enable | Required. Disabled by default. |
| Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five consecutive seconds | arp source-suppression limit limit-value | Optional. 10 by default. |

Displaying and Maintaining ARP Source Suppression

| To do… | Use the command… | Remarks |
|---|---|---|
| Display the ARP source suppression configuration information | display arp source-suppression | Available in any view |

Configuring ARP Active Acknowledgement

Introduction to ARP Active Acknowledgement

Typically, the ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets.

ARP active acknowledgement works before the gateway modifies an ARP entry to prevent an incorrect ARP entry being generated. For details about the working mechanism, refer to ARP Attack Protection Technology White Paper.

Configuring ARP Active Acknowledgement

Follow these steps to configure ARP active acknowledgement:
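
Added example for the ARP source suppression rule described earlier on this page (not the device's implementation and not the acknowledgement steps): a small Python model of the per-source threshold, run over constructed traffic, to show how the limit affects a flooding host versus a normal one. Assumptions: counting uses fixed five-second windows, the packet that pushes the count over the limit still triggers its ARP request, and the class, function names and addresses are hypothetical.

```python
from collections import defaultdict

WINDOW_MS = 5000      # five-second interval stated on the page
DEFAULT_LIMIT = 10    # default of "arp source-suppression limit"

class ArpSourceSuppressor:
    """Per-source model of the suppression rule (fixed windows are an assumption)."""

    def __init__(self, limit=DEFAULT_LIMIT, window_ms=WINDOW_MS):
        self.limit, self.window_ms = limit, window_ms
        self.window_start = {}          # src -> start of current counting window
        self.count = defaultdict(int)   # src -> ARP requests triggered in window
        self.suppressed_until = {}      # src -> end of suppression period

    def on_unresolved_packet(self, src, now_ms):
        """Return True if this packet triggers an ARP request, False if suppressed."""
        if now_ms < self.suppressed_until.get(src, 0):
            return False
        start = self.window_start.get(src)
        if start is None or now_ms - start >= self.window_ms:
            self.window_start[src], self.count[src] = now_ms, 0
        self.count[src] += 1
        if self.count[src] > self.limit:
            # Threshold exceeded: silence this source for the following window.
            self.suppressed_until[src] = now_ms + self.window_ms
            self.window_start.pop(src, None)
        return True

def simulate(events, limit=DEFAULT_LIMIT):
    """events: iterable of (time_ms, src). Returns {src: [sent, suppressed]}."""
    dev, stats = ArpSourceSuppressor(limit), defaultdict(lambda: [0, 0])
    for now_ms, src in sorted(events):
        sent = dev.on_unresolved_packet(src, now_ms)
        stats[src][0 if sent else 1] += 1
    return dict(stats)

# Constructed traffic: one host sending 100 packets/s to unresolvable addresses
# and a normal host sending one such packet per second, both for 12 seconds.
FLOOD = [(t, "10.0.0.66") for t in range(0, 12000, 10)]
NORMAL = [(t, "10.0.0.7") for t in range(0, 12000, 1000)]

if __name__ == "__main__":
    for src, (sent, dropped) in simulate(FLOOD + NORMAL).items():
        print(f"{src}: ARP requests sent={sent}, suppressed={dropped}")
```

In this model, raising limit-value increases how many ARP requests a flooding source can trigger before each suppression period, while a host that stays under the limit is never affected.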