How to configure a rate limit for ARP packets on an AR router

If a router has to process a large number of ARP packets at the same time, its CPU may be overloaded and fail to process other services. To protect CPU resources, set a rate limit for ARP packets on the router before that happens.
The router can rate-limit ARP packets based on the source MAC address or source IP address of the packets, for super VLANs, globally, or on a specified interface.
(1) Configure a rate limit for ARP packets based on the source MAC address.
a. Enter the system view, and run the arp speed-limit source-mac maximum command to configure a rate limit for ARP packets from any source MAC address.
b. Run the arp speed-limit source-mac mac-address maximum command to configure a rate limit for ARP packets from users with a specified MAC address.
If both are configured and the source MAC address in an ARP packet matches the specified MAC address, the rate limit for that packet is the maximum value configured in step b. Otherwise, the rate limit is the maximum value configured in step a. By default, the rate limit for ARP packets from any source MAC address is 0. That is, the router does not limit the rate of ARP packets based on the source MAC address.
(2) Configure a rate limit for ARP packets based on the source IP address.
a. Enter the system view, and run the arp speed-limit source-ip maximum command to configure a rate limit for ARP packets from any source IP address.
b. Run the arp speed-limit source-ip ip-address maximum command to configure a rate limit for ARP packets from users with a specified IP address.
If both are configured and the source IP address in an ARP packet matches the specified IP address, the rate limit for that packet is the maximum value configured in step b. Otherwise, the rate limit is the maximum value configured in step a. By default, the router allows a maximum of five ARP packets with the same source IP address to pass within one second.
(3) Configure a global rate limit for ARP packets and a rate limit for ARP packets transmitted over a specified interface.
a. Enter the system view, and run the interface interface-type interface-number command to enter the interface view.
b. Run the arp anti-attack rate-limit enable command to enable the ARP packet rate limit function.
c. (Optional) Run the arp anti-attack rate-limit packet-number [ interval-value ] command to configure the rate limit and the time interval for ARP packets.
d. Run the arp anti-attack rate-limit alarm enable command to enable the ARP packet discard alarm function.
e. (Optional) Run the arp anti-attack rate-limit alarm threshold threshold command to configure the ARP packet discard alarm threshold.
(4) Configure a rate limit for ARP packets on the VLANIF interface of a super VLAN.
Enter the system view, and run the arp speed-limit flood-rate rate command to limit the rate at which ARP request packets are broadcast on the VLANIF interfaces of all super VLANs.
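
The precedence rule in (1) and (2) can be checked offline before a maximum value is chosen, for example to see whether a busy gateway address needs its own step b entry. The following Python model is an added example, not Huawei code; it replays constructed ARP arrivals through that rule. The class and function names, the fixed one-second counting window, the sample addresses and treating 0 as "no limit" for source IP as well as source MAC are assumptions.

```python
from collections import defaultdict

DEFAULT_SOURCE_IP_LIMIT = 5   # page: five ARP packets per source IP per second
DEFAULT_SOURCE_MAC_LIMIT = 0  # page: 0, no limiting by source MAC


class ArpSourceLimiter:
    """Model of the step a / step b precedence for one key type (MAC or IP)."""

    def __init__(self, any_source_limit, per_source_limits=None):
        self.any_source_limit = any_source_limit                 # step a value
        self.per_source_limits = dict(per_source_limits or {})   # step b entries
        self._counts = defaultdict(int)  # (source, second) -> packets seen

    def effective_limit(self, source):
        # A matching specific entry (step b) overrides the any-source value (step a).
        return self.per_source_limits.get(source, self.any_source_limit)

    def allow(self, source, timestamp_ms):
        limit = self.effective_limit(source)
        if limit == 0:          # 0 disables limiting (assumed for source IP too)
            return True
        window = (source, timestamp_ms // 1000)  # assumed fixed one-second window
        self._counts[window] += 1
        return self._counts[window] <= limit


def replay(limiter, events):
    """Return {source: (passed, dropped)} for (timestamp_ms, source) events."""
    result = defaultdict(lambda: [0, 0])
    for timestamp_ms, source in events:
        result[source][0 if limiter.allow(source, timestamp_ms) else 1] += 1
    return {source: tuple(counts) for source, counts in result.items()}


def constructed_events():
    # Constructed sample traffic, not captured data.
    events = [(10 * i, "10.0.0.1") for i in range(40)]     # gateway: 40 packets in second 0
    events += [(200 * i, "10.0.0.20") for i in range(10)]  # host: 5 per second for 2 seconds
    events += [(5 * i, "10.0.0.66") for i in range(200)]   # noisy host: 200 packets in second 0
    return sorted(events)


if __name__ == "__main__":
    print(replay(ArpSourceLimiter(DEFAULT_SOURCE_IP_LIMIT), constructed_events()))
    print(replay(ArpSourceLimiter(5, {"10.0.0.1": 50}), constructed_events()))
```

With only the default source IP limit, the model drops most of the gateway's packets along with the noisy host's; adding a specific entry for the gateway address lets its traffic pass while the noisy host stays limited.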
