How to configure a rate limit for ARP packets on an AR router


If a router has to process a large number of ARP packets at the same time, the CPU may become overloaded and fail to process other services. To protect CPU resources, set a rate limit for ARP packets on the router before this happens.
The router supports rate limiting based on the source MAC address or source IP address of the packets, per super VLAN, globally for all ARP packets, or for ARP packets received on a specified interface.
(1) Configure a rate limit for ARP packets according to a source MAC address.
a. Access the system view, and run the arp speed-limit source-mac maximum command to configure a rate limit for ARP packets according to any source MAC address.
b. Run the arp speed-limit source-mac mac-address maximum command to configure a rate limit for ARP packets for users with a specified MAC address.
If both are configured, the rate limit for ARP packets whose source MAC address matches the specified MAC address is the maximum value configured in step b; otherwise, the rate limit is the maximum value configured in step a. By default, the router sets the rate limit for ARP packets with any source MAC address to 0, that is, the router does not limit the rate of ARP packets according to the source MAC address.
(2) Configure a rate limit for ARP packets according to a source IP address.
a. Access the system view, and run the arp speed-limit source-ip maximum command to configure a rate limit for ARP packets according to any source IP address.
b. Run the arp speed-limit source-ip ip-address maximum command to configure a rate limit for ARP packets for users with a specified IP address.
If both are configured, the rate limit for ARP packets whose source IP address matches the specified IP address is the maximum value configured in step b; otherwise, the rate limit is the maximum value configured in step a. By default, the router allows a maximum of five ARP packets with the same source IP address to pass within one second.
(3) Configure a global rate limit for ARP packets and a rate limit for ARP packets transmitted over a specified interface.
a. Access the system view, and run the interface interface-type interface-number command to access the interface view.
b. Run the arp anti-attack rate-limit enable command to enable the ARP packet rate limit function.
c. (Optional) Run the arp anti-attack rate-limit packet-number [ interval-value ] command to configure the rate limit (number of ARP packets) and the time interval it applies to.
d. Run the arp anti-attack rate-limit alarm enable command to enable the ARP packet discard alarm function.
e. (Optional) Run the arp anti-attack rate-limit alarm threshold threshold command to configure the ARP packet discard alarm threshold.
(4) Configure a rate limit for ARP packets for the VLANIF interface of a super VLAN.
Access the system view, and run the arp speed-limit flood-rate rate command to configure a broadcast transmission rate limit for ARP request packets under the VLANIF interfaces of all super VLANs.
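To make the interaction of the limits in steps (1) to (3) concrete, the following is an added Python model (not Huawei code, and not a description of the router's internal implementation). It assumes: a per-source limit is counted over one-second windows; a source-MAC limit of 0 means "no limit", as the text states; the interface limit is packet-number per interval-value seconds; discarded packets are counted and an alarm is raised once when the count reaches the alarm threshold; a matching specific MAC or IP entry takes precedence over the "any" value. The MAC addresses, IP addresses and traffic pattern in run_scenario are constructed.

```python
from collections import defaultdict


class ArpRateLimiter:
    """Toy model of the three ARP limits described above (source MAC, source IP,
    per-interface window). The semantics are this example's assumptions."""

    def __init__(self, any_mac_max=0, any_ip_max=5,
                 if_packets=None, if_interval=1, alarm_threshold=None):
        self.any_mac_max = any_mac_max      # "any source MAC" limit; 0 = no limit
        self.any_ip_max = any_ip_max        # "any source IP" limit; page default is 5 pps
        self.mac_max = {}                   # per-MAC overrides (step 1b)
        self.ip_max = {}                    # per-IP overrides (step 2b)
        self.if_packets = if_packets        # interface limit: packets per interval
        self.if_interval = if_interval      # interval in seconds
        self.alarm_threshold = alarm_threshold
        self._counts = defaultdict(int)     # (counter key, window id) -> accepted packets
        self.accepted = 0
        self.discarded = 0
        self.alarms = []

    def _limits(self, t, src_mac, src_ip):
        """Yield (counter key, limit, window id) for every applicable limit.
        A matching specific entry wins over the 'any' value, as the text states."""
        sec = int(t)
        yield (("mac", src_mac), self.mac_max.get(src_mac, self.any_mac_max), sec)
        yield (("ip", src_ip), self.ip_max.get(src_ip, self.any_ip_max), sec)
        if self.if_packets is not None:
            yield (("if",), self.if_packets, int(t // self.if_interval))

    def accept(self, t, src_mac, src_ip):
        """True if the ARP packet arriving at time t (seconds) is processed,
        False if any configured limit discards it."""
        checks = list(self._limits(t, src_mac, src_ip))
        for key, limit, window in checks:
            if limit and self._counts[(key, window)] >= limit:   # limit 0 = unlimited
                self.discarded += 1
                if self.alarm_threshold and self.discarded == self.alarm_threshold:
                    self.alarms.append((t, key))   # assumption: one alarm at the threshold
                return False
        for key, _limit, window in checks:
            self._counts[(key, window)] += 1
        self.accepted += 1
        return True


def run_scenario():
    """Constructed traffic (not captured data) that trips each limit in turn."""
    lim = ArpRateLimiter(any_mac_max=0, any_ip_max=5,
                         if_packets=200, if_interval=10, alarm_threshold=100)
    lim.mac_max["00e0-fc00-0001"] = 50     # hypothetical host with explicit MAC and IP limits
    lim.ip_max["10.0.0.1"] = 50
    # 1) 60 packets in one second from the host with explicit 50 pps limits -> 10 discarded
    for i in range(60):
        lim.accept(0.0 + i / 100, "00e0-fc00-0001", "10.0.0.1")
    # 2) 8 packets in one second from a host that only has the defaults -> 5 pass, 3 discarded
    for i in range(8):
        lim.accept(1.0 + i / 100, "00e0-fc00-0002", "10.0.0.2")
    # 3) 300 packets from 300 distinct sources: no per-source limit trips, but the
    #    interface window (200 per 10 s, 55 already used) discards the remainder
    for i in range(300):
        lim.accept(2.0 + i / 1000, f"00e0-fc01-{i:04x}", f"10.1.{i // 256}.{i % 256}")
    return {"accepted": lim.accepted, "discarded": lim.discarded, "alarms": len(lim.alarms)}


if __name__ == "__main__":
    print(run_scenario())
```

The third phase is the case the interface limit exists for: each source stays under its own limit, so only the aggregate counter on the interface, and the alarm driven by its discard count, reveals the flood.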

Other related questions:
How to configure ARP packet rate limit on S series switches
For S series switches (except S1700 switches), you can configure the rate limit on ARP packets in one of the following ways as required:
- Limiting the rate of ARP packets based on source MAC addresses (supported by the S5720EI, S5720HI, S6720EI, and all S series modular switches, but not by E series switches)
  # Set the maximum rate of ARP packets from the specified MAC address 0-0-1 to 50 pps.
  [HUAWEI] arp speed-limit source-mac 0-0-1 maximum 50
- Limiting the rate of ARP packets based on source IP addresses
  # Set the maximum rate of ARP packets from the specified IP address 10.0.0.1 to 50 pps.
  [HUAWEI] arp speed-limit source-ip 10.0.0.1 maximum 50
- Limiting the rate of ARP packets globally, in a VLAN, or on an interface
  # Configure Layer 2 interface GE0/0/1 to allow 200 ARP packets to pass through in 10 seconds, and to discard all ARP packets for 60 seconds when the number of ARP packets exceeds the limit.
  [HUAWEI] interface gigabitethernet 0/0/1
  [HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
  [HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60
- Limiting the rate of ARP packets on a VLANIF interface of a super-VLAN
  # Set the maximum rate of broadcast ARP Request packets on VLANIF interfaces in all super-VLANs to 500 pps.
  [HUAWEI] arp speed-limit flood-rate 500

Why is the rate limit for ICMP packets configured on an interface card inconsistent with the actual rate limit
An AR router applies the rate limit to Layer 3 unicast packets by converting the configured number of packets into a number of bytes. ICMP packets are converted at 84 bytes per packet. For example, if the rate limit configured for ICMP packets is 10, the actual rate limit is calculated as 84 x 10 = 840 byte/s. If the actual packet length is not 84 bytes, the effective rate limit in packets per second will deviate from the configured value.

ARP rate limiting on S series switch
An S series switch, except the S1700, can limit the rate of ARP packets and ARP Miss messages. When the switch receives many ARP packets, configure ARP packet rate limiting to prevent CPU overloading. When the switch receives many IP packets whose destination IP addresses cannot be resolved, it generates a large number of ARP Miss messages, delivers temporary ARP entries, and sends many ARP request packets to the destination network. This increases CPU load and consumes bandwidth. To avoid such IP packet attacks, configure ARP Miss rate limiting on the switch.

How to delete the rate limiting configuration from an interface
1. Using the web system: Log in to the web system, and choose QoS > Interface Rate Limit to access the parameter configuration page for interface-based rate limiting. On the Interface Rate Limit List toolbar, select the check box of the interface from which the rate limiting configuration is to be deleted, and click Delete. Click OK in the displayed dialog box. The rate limiting configuration is deleted from the interface.
2. Using commands: You can also run the undo form of the command to delete the configuration from the interface to which a traffic policy is applied or on which rate limiting is configured.

How do I limit the rate of packets on a network segment
1. Configure an ACL to match the network segment on which the rate of packets needs to be limited.
   #
   acl number 2000                               //Configure ACL 2000.
    rule 0 permit source 192.168.1.0 0.0.0.255   //Configure rule 0 to allow packets from the 192.168.1.0 network segment to pass through.
   #
2. Configure the internal interface to limit the rate of data flows.
   #
   interface GigabitEthernet3/0/0
    ip address 192.168.1.1 255.255.255.0
    qos car inbound acl 2000 cir 512 cbs 32000 pbs 432000 green pass yellow pass red discard   //Configure traffic policing for packets that match ACL 2000 and set the CIR to 512 kbit/s.
   #
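As an added example (not Huawei's code or algorithm) of what the two configuration steps above do to a stream of packets, the following Python models the ACL wildcard match and the qos car policer. It assumes RFC 2697 single-rate three-colour semantics: cbs sizes the committed bucket, pbs sizes the excess bucket, and both fill from cir; the device's exact bucket algorithm is not stated on this page. The source addresses, packet sizes and timing in run_scenario are constructed.

```python
import ipaddress
from collections import Counter


def acl_matches(src_ip, network="192.168.1.0", wildcard="0.0.0.255"):
    """'rule 0 permit source 192.168.1.0 0.0.0.255': a wildcard mask marks the
    bits that are ignored, so only the bits that are 0 in it are compared."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src_ip)) & care) == \
           (int(ipaddress.IPv4Address(network)) & care)


class SingleRateCar:
    """Colour-blind single-rate three-colour marker (RFC 2697) used here as a
    model of 'qos car ... cir cbs pbs' (assumption of this example)."""

    def __init__(self, cir_kbps, cbs, pbs):
        self.rate = cir_kbps * 1000 / 8     # token fill rate in bytes per second
        self.cbs, self.pbs = cbs, pbs       # bucket sizes in bytes
        self.tc, self.te = cbs, pbs         # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        self.tc += (now - self.last) * self.rate
        self.last = now
        if self.tc > self.cbs:              # tokens the C bucket cannot hold spill into E
            self.te = min(self.pbs, self.te + self.tc - self.cbs)
            self.tc = self.cbs

    def colour(self, now, length):
        """Mark one packet of `length` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tc >= length:
            self.tc -= length
            return "green"
        if self.te >= length:
            self.te -= length
            return "yellow"
        return "red"


ACTIONS = {"green": "pass", "yellow": "pass", "red": "discard"}   # from the qos car line


def police(car, now, src_ip, length):
    """Apply the interface policy: traffic that misses ACL 2000 is not policed."""
    if not acl_matches(src_ip):
        return "pass"
    return ACTIONS[car.colour(now, length)]


def run_scenario():
    """Constructed traffic: a burst of 1000 frames of 1500 bytes at t=0, one
    second of silence (cir refills 64000 bytes), then 50 more frames.
    Returns the per-colour counts."""
    car = SingleRateCar(cir_kbps=512, cbs=32000, pbs=432000)
    colours = Counter()
    for _ in range(1000):
        colours[car.colour(0.0, 1500)] += 1
    for _ in range(50):
        colours[car.colour(1.0, 1500)] += 1
    return dict(colours)


if __name__ == "__main__":
    print(run_scenario())
    print(police(SingleRateCar(512, 32000, 432000), 0.0, "10.9.9.9", 1500))
```

The numbers show why cbs and pbs matter as much as cir: the first burst gets 21 green and 288 yellow frames purely from the initial bucket contents, and after one second of silence only 32000 committed bytes plus 32500 spilled bytes are available again, so the second, much smaller burst still has 8 frames discarded.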
