Configuring ARP 575

Introduction to ARP Packet Rate Limit

If an attacker sends a large number of ARP packets to a port of a switch, the CPU will get overloaded, causing other functions to fail, and even the whole device to break down. To guard against such attacks, Switch 7750 Ethernet switches support the ARP packet rate limit function, which can temporarily disable the attacked port from receiving any packet, thus preventing serious impact on the CPU.

With this function enabled on a port, the switch counts the ARP packets received on the port within each second. If the number of ARP packets received on the port per second exceeds the preconfigured value, the switch considers that the port is being attacked by ARP packets. In this case, the switch disables the port from receiving any packet, generates an alarm message, and logs the event. At the same time, the switch continues to count the ARP packets on the port. If the number of received ARP packets remains under the preconfigured value for a certain period (the port state auto-recovery interval), the port reverts to the Up state.

Switch 7750 Ethernet switches support configuring trusted ports for ARP packet rate limit.
A switch does not count ARP packets or limit ARP packets received on a trusted port.

Introduction to ARP Source Suppression

With the ARP source suppression function, the switch classifies incoming ARP packets and limits the maximum number of ARP packets of the same type that can be sent to the CPU in a unit of time, so as to protect the CPU from being attacked by illegal ARP packets generated by a host's ARP scanning of the whole network.

A Switch 7750 classifies incoming ARP packets into the following types:

■ Arbitrary ARP packets, whose source/destination IP addresses are not distinguished
■ Pass-through ARP packets, whose source IP addresses are the same one and whose destination IP addresses are not the IP address of the current switch
■ Locally-terminated ARP packets, whose source IP addresses are the same one and whose destination IP addresses are the IP address of the current switch

For each type, you can set the maximum number of ARP packets that can be sent to the CPU in a unit of time on the switch. When the number of ARP packets received in a unit of time exceeds the corresponding setting, the switch regards the exceeding ones as illegal ARP packets and discards them.

Configuring ARP

ARP entries in a Switch 7750 can be one of two types, static or dynamic, as described in Table 447.

Table 447 ARP entry

ARP entry           Generation method        Maintenance method
Static ARP entry    Manually configured      Manual maintenance
Dynamic ARP entry   Dynamically generated    A dynamic ARP entry ages out when the ARP aging timer expires.
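The per-port behaviour described under "Introduction to ARP Packet Rate Limit" above (count per second, block and alarm when the threshold is exceeded, keep counting, recover after the auto-recovery interval, never count trusted ports), modelled as an added Python example; this is not the switch firmware or any 3Com code, and the threshold, recovery interval, port names and per-second ARP counts are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class PortState:
    blocked: bool = False
    quiet_seconds: int = 0          # consecutive seconds under threshold while blocked
    events: list = field(default_factory=list)   # alarm / log records


class ArpRateLimiter:
    """Hypothetical model of the per-port ARP packet rate limit (assumed behaviour)."""

    def __init__(self, threshold, recovery_interval, trusted=()):
        self.threshold = threshold                    # max ARP packets per second per port
        self.recovery_interval = recovery_interval    # seconds under threshold before port is Up again
        self.trusted = set(trusted)                   # trusted ports are neither counted nor limited
        self.ports = {}

    def tick(self, port, arp_count):
        """Feed one second's ARP packet count for a port; return 'up' or 'blocked'."""
        if port in self.trusted:
            return "up"
        st = self.ports.setdefault(port, PortState())
        if arp_count > self.threshold:
            if not st.blocked:
                st.blocked = True                     # disable port, raise alarm, log event
                st.events.append(("alarm", port, arp_count))
            st.quiet_seconds = 0                      # still being attacked: restart recovery wait
        elif st.blocked:
            st.quiet_seconds += 1                     # counting continues while the port is blocked
            if st.quiet_seconds >= self.recovery_interval:
                st.blocked = False
                st.quiet_seconds = 0
                st.events.append(("recovered", port))
        return "blocked" if st.blocked else "up"


def run_scenario():
    """Constructed sample: the same per-second ARP counts on an untrusted and a trusted port."""
    rl = ArpRateLimiter(threshold=100, recovery_interval=3, trusted={"GE1/0/24"})
    counts = [20, 500, 800, 50, 40, 30, 10]           # short burst, then quiet
    untrusted = [rl.tick("GE1/0/1", c) for c in counts]
    trusted = [rl.tick("GE1/0/24", c) for c in counts]
    return untrusted, trusted, rl.ports["GE1/0/1"].events


if __name__ == "__main__":
    print(run_scenario())
```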