Operation Manual – ARP H3C S7500E Series Ethernet Switches Chapter 1 ARP Configuration 1-8

• The device sends large amounts of ARP request messages to the destination subnet, which increases the load of the destination subnet.
• The device continuously resolves destination IP addresses, which increases the load of the CPU.

To protect the device against this kind of attack, you can enable the ARP source suppression function. With the function enabled, whenever the number of packets with unresolvable IP addresses that a host on the network sends to the device within five seconds exceeds the specified threshold, the device drops all subsequent packets with the same source IP address during the following five seconds. This helps protect the device against the attack.

1.4.2 Configuring ARP Source Suppression

Follow these steps to configure ARP source suppression:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable ARP source suppression | arp source-suppression enable | Required. Disabled by default. |
| Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds | arp source-suppression limit limit-value | Optional. 10 by default. |

1.5 Configuring ARP Defense Against IP Packet Attack

1.5.1 Introduction to ARP Defense Against IP Packet Attack

In forwarding an IPv4 packet, a device depends on ARP to resolve the MAC address of the next hop. If the address resolution succeeds, the forwarding chip forwards the packet directly. Otherwise, the device runs software for further processing. When large amounts of IP packets for which ARP cannot resolve the IP addresses of the next hops arrive at a device, the software on the device is invoked again and again and the CPU of the device becomes overburdened. This is called an IP packet attack.

To protect a device against IP packet attack, you can configure the ARP defense against IP packet attack function.
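The per-source counting and suppression behaviour described for ARP source suppression in 1.4.1 above, modelled as an added Python example (this is not H3C code; the five-second window and the default limit of 10 come from the text, the packet event sequence is constructed, and treating the packet that crosses the threshold as the first dropped one is a modelling assumption):

```python
from collections import defaultdict

WINDOW = 5.0  # seconds: both the counting interval and the suppression interval


class ArpSourceSuppression:
    """Model of ARP source suppression (hypothetical, not the switch firmware).

    Packets whose destination IP cannot be resolved are counted per source IP
    over a five-second window. Once the count exceeds `limit`, every further
    unresolvable packet from that source is dropped for the next five seconds,
    after which counting starts over.
    """

    def __init__(self, limit=10):
        self.limit = limit
        self.window_start = {}        # src_ip -> start time of current counting window
        self.count = defaultdict(int)  # src_ip -> unresolvable packets seen in window
        self.suppressed_until = {}    # src_ip -> time at which suppression ends

    def handle(self, src_ip, now):
        """Decide for one unresolvable packet: 'forward' (hand to ARP) or 'drop'."""
        until = self.suppressed_until.get(src_ip)
        if until is not None:
            if now < until:
                return "drop"  # still inside the five-second suppression period
            del self.suppressed_until[src_ip]  # suppression expired, count afresh
            self.window_start[src_ip] = now
            self.count[src_ip] = 0
        start = self.window_start.get(src_ip)
        if start is None or now - start >= WINDOW:
            self.window_start[src_ip] = now  # open a new five-second counting window
            self.count[src_ip] = 0
        self.count[src_ip] += 1
        if self.count[src_ip] > self.limit:
            # Threshold exceeded: drop this and all later packets for five seconds
            self.suppressed_until[src_ip] = now + WINDOW
            return "drop"
        return "forward"


def simulate(events, limit=10):
    """Run constructed (src_ip, timestamp) events through the model; return decisions."""
    model = ArpSourceSuppression(limit)
    return [model.handle(src, t) for src, t in sorted(events, key=lambda e: e[1])]
```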
After receiving an IP packet whose next-hop IP address is unreachable (that is, an IP packet for which ARP cannot resolve the MAC address of the next hop), a device with this function immediately creates a black hole route, and the forwarding chip simply drops all packets to that address. Note that a black hole route can age out, in which case a subsequent IP packet with the same next hop triggers the