213• ARP source suppression—If the attack packets have the same source address, you can enable theARP source suppression function, and set the maximum number of unresolvable IP packets that thedevice can receive from a host within 5 seconds. If the threshold is reached, the device stopsresolving packets from the host until the 5 seconds elapse.• ARP blackhole routing—You can enable the ARP blackhole routing function regardless of whetherthe attack packets have the same source address. After receiving an unresolvable IP packet, thedevice creates a blackhole route destined for that IP address and drops all the matching packetsuntil the blackhole route ages out.Configuring ARP source suppressionStep Command Remarks1. Enter system view. system-view N/A2. Enable ARP source suppression. arp source-suppressionenableBy default, ARP source suppression isdisabled.3. Set the maximum number ofunresolvable packets that thedevice can receive from a hostwithin 5 seconds.arp source-suppressionlimit limit-value By default, the maximum number is 10.Enabling ARP blackhole routingStep Command Remarks1. Enter system view. system-view N/A2. Enable ARP blackhole routing. arp resolving-route enable By default, ARP blackhole routingis enabled.Displaying and maintaining unresolvable IP attack protectionExecute display commands in any view.Task CommandDisplay ARP source suppression configuration information. display arp source-suppressionConfiguration exampleNetwork requirementsAs shown in Figure 68, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN20. Each area connects to the gateway (Device) through an access switch.A large number of ARP requests are detected in the office area and are considered as the consequenceof an unresolvable IP attack. To prevent such attacks, configure ARP source suppression and ARPblackhole routing.