Enabling invalid SPI recovery, Setting the maximum number of IKE SAs, Configuring ARP source suppression – H3C Technologies H3C S12500-X Series Switches User Manual

Page 229: Enabling ARP blackhole routing, Configuration example

ARP source suppression—Stops resolving packets from a host if the upper limit on unresolvable IP packets from the host is reached within an interval of 5 seconds. The device continues ARP resolution when the interval elapses. This feature is applicable if the attack packets have the same source addresses.

ARP blackhole routing—Creates a blackhole route destined for an unresolvable IP address. The device drops all matching packets until the blackhole route ages out. This feature is applicable regardless of whether the attack packets have the same source addresses.
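
The difference between the two mechanisms, as an added example that is not taken from the H3C manual: a simplified Python model of what the gateway decides for each packet whose destination it cannot resolve. The 25-second blackhole aging time, the fixed-window counting, and the sample addresses are assumptions made for the illustration.

```python
WINDOW = 5.0          # seconds: the interval stated in the manual
LIMIT = 10            # default limit stated in the manual
BLACKHOLE_AGE = 25.0  # assumption: aging time is not given on this page


class Gateway:
    """Simplified model counting the ARP resolutions a gateway would start."""

    def __init__(self, suppression=False, blackhole=False, limit=LIMIT):
        self.suppression, self.blackhole, self.limit = suppression, blackhole, limit
        self.windows = {}      # source IP -> (window start, packets counted)
        self.blackholes = {}   # destination IP -> route expiry time
        self.arp_attempts = 0

    def receive(self, now, src, dst):
        """Handle one IP packet whose destination has no ARP entry."""
        if self.blackhole and self.blackholes.get(dst, 0.0) > now:
            return "dropped-blackhole"          # route still present: no ARP
        if self.suppression:
            start, count = self.windows.get(src, (now, 0))
            if now - start >= WINDOW:           # interval elapsed: resume
                start, count = now, 0
            if count >= self.limit:
                return "dropped-suppressed"     # host reached its limit
            self.windows[src] = (start, count + 1)
        self.arp_attempts += 1
        if self.blackhole:
            self.blackholes[dst] = now + BLACKHOLE_AGE
        return "arp-sent"


def flood(gw, n, same_source, same_dest):
    """Feed n constructed packets, 10 ms apart; return ARP attempts started."""
    for i in range(n):
        src = "10.0.20.5" if same_source else f"10.0.20.{i % 200 + 1}"
        dst = "10.0.99.1" if same_dest else f"10.0.99.{i % 200 + 1}"
        gw.receive(i * 0.01, src, dst)
    return gw.arp_attempts


if __name__ == "__main__":
    cases = [("one source, many destinations", True, False),
             ("many sources, one destination", False, True)]
    for label, same_src, same_dst in cases:
        for name, kw in [("none", {}), ("suppression", {"suppression": True}),
                         ("blackhole", {"blackhole": True})]:
            print(label, name, flood(Gateway(**kw), 200, same_src, same_dst))
```

In this model, source suppression caps a single host at the limit but has no effect when every packet carries a different source address, while a blackhole route absorbs repeated packets to one unresolvable destination whatever their source.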


Configuring ARP source suppression

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable ARP source suppression. | arp source-suppression enable | By default, ARP source suppression is disabled. |
| 3. Set the maximum number of unresolvable packets that the device can receive from a host within 5 seconds. | arp source-suppression limit limit-value | By default, the maximum number is 10. |


Enabling ARP blackhole routing

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable ARP blackhole routing. | arp resolving-route enable | By default, ARP blackhole routing is enabled. |


Displaying and maintaining unresolvable IP attack protection

Execute display commands in any view.

| Task | Command |
|---|---|
| Display ARP source suppression configuration information. | display arp source-suppression |


Configuration example


Network requirements

As shown in Figure 68, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch.

A large number of ARP requests are detected in the office area and are considered the consequence of an unresolvable IP attack. To prevent such attacks, configure ARP source suppression and ARP blackhole routing.
