ARP learning rate limiting on S series switch


The S series switches, except S1700, use different ARP learning rates:
S series fixed switches:
The default CIR value for ARP request and reply packets is 64. Assume that the packet length is 60 bytes. The ARP learning rate can reach 100 pps. When the CIR value is increased to 500, the rate can reach 200 pps, with the CPU usage lower than 60%.
The rate of ARP learning triggered by ARP Miss packets is lower than 50 pps. The tested rate is 30 pps.
S series modular switches:
A test assumes that the default CPCAR settings (128 kbps for MPU and 64 kbps for LPU) are used, the CPU usage is lower than 50%, and the packet length is 60 bytes. The tested rate of ARP request and reply packets is 100 pps. When the CPCAR values are increased, the rate of received ARP request packets is 1000 pps and the rate of received ARP reply packets is 500 pps.
The rate of ARP learning triggered by ARP Miss packets is lower than 50 pps. The tested rate is 30 pps.

Other related questions:
ARP rate limiting on S series switch
An S series switch, except S1700, can limit the rate of ARP packets and ARP Miss messages. When the switch receives many ARP packets, configure ARP packet rate limiting to prevent CPU overloading. When the switch receives many IP packets whose destination IP addresses cannot be resolved, the switch generates a large number of ARP Miss messages, delivers temporary ARP entries and sends many ARP request packets to the destination network. This increases CPU load and consumes bandwidth. To avoid such IP packet attacks, configure ARP Miss rate limiting on the switch.

How to configure ARP packet rate limit on S series switches
For S series switches (except S1700 switches), you can configure the rate limit on ARP packets in one of the following methods as required:
- Limiting the rate on ARP packets based on source MAC addresses (supported by the S5720EI, S5720HI, S6720EI, and all S series modular switches, but not supported by E series switches)
# Set the maximum rate of ARP packets from the specified MAC address 0-0-1 to 50 pps.
[HUAWEI] arp speed-limit source-mac 0-0-1 maximum 50
- Limiting the rate on ARP packets based on source IP addresses
# Set the maximum rate of ARP packets from the specified IP address 10.0.0.1 to 50 pps.
[HUAWEI] arp speed-limit source-ip 10.0.0.1 maximum 50
- Limiting the rate on ARP packets globally, in a VLAN, or on an interface
# Configure Layer 2 interface GE0/0/1 to allow 200 ARP packets to pass through in 10 seconds, and to discard all ARP packets for 60 seconds when the number of ARP packets exceeds the limit.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60
- Limiting the rate on ARP packets on a VLANIF interface of a super-VLAN
# Set the maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs to 500 pps.
[HUAWEI] arp speed-limit flood-rate 500

How to configure ARP Miss message rate limit on S and E series switches
For S and E series switches (except S1700 switches), you can configure the rate limit on ARP Miss messages in one of the following methods as required (supported by the S5720SI/S5720S-SI, S5720EI, S5720HI, S6720EI, and all S series modular switches, but not supported by E series switches):
- Limiting the rate on ARP Miss messages based on source IP addresses
# Set the maximum number of ARP Miss messages triggered by the IP address 10.0.0.1 to 100, and by other source IP addresses to 60.
[HUAWEI] arp-miss speed-limit source-ip maximum 60
[HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 100
- Limiting the rate on ARP Miss messages globally, in a VLAN, or on an interface
# Configure the device to process a maximum of 200 ARP Miss messages triggered by IP packets from the Layer 2 interface GE0/0/1 in 10 seconds.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit packet 200 interval 10
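Added example, not Huawei code: a small Python model of the two interface-level limits above, the ARP packet limit with a block-timer and the ARP Miss limit without one, run on constructed traffic so the effect of each setting on a burst can be seen. The fixed-window semantics, the class name and the traffic pattern are assumptions made for the illustration.

```python
# Added example (not Huawei code): a model of the windowed ARP and ARP Miss rate
# limits configured above. Assumed semantics: a fixed window of `interval` seconds
# admits at most `packet` events; later events in that window are dropped, and if
# `block_timer` is non-zero the interface is blocked for that many seconds.

class WindowRateLimit:
    def __init__(self, packet: int, interval: float, block_timer: float = 0.0):
        self.packet = packet            # "rate-limit packet 200"
        self.interval = interval        # "interval 10"
        self.block_timer = block_timer  # "block-timer 60"; 0 means no blocking
        self._window_start = None
        self._count = 0
        self._blocked_until = 0.0

    def accept(self, now: float) -> bool:
        """Return True if an event arriving at time `now` (seconds) is admitted."""
        if now < self._blocked_until:
            return False                # interface still blocked
        if self._window_start is None or now - self._window_start >= self.interval:
            self._window_start = now    # start a new counting window
            self._count = 0
        self._count += 1
        if self._count > self.packet:
            if self.block_timer:
                self._blocked_until = now + self.block_timer
            return False                # over the limit for this window
        return True


def run(limiter: WindowRateLimit, arrivals: list[float]) -> tuple[int, int]:
    """Feed ascending arrival timestamps through the limiter; return (accepted, dropped)."""
    accepted = sum(1 for t in arrivals if limiter.accept(t))
    return accepted, len(arrivals) - accepted


def constructed_traffic() -> list[float]:
    """Constructed input: a flood of 250 ARP packets at 64 pps from t=0, then one
    packet per second from t=10 s to t=99 s (1/64 s steps are exact floats)."""
    return [i / 64.0 for i in range(250)] + [float(t) for t in range(10, 100)]


def demo_interface_limit() -> tuple[int, int]:
    """'arp anti-attack rate-limit packet 200 interval 10 block-timer 60'."""
    return run(WindowRateLimit(200, 10.0, 60.0), constructed_traffic())


def demo_arp_miss_limit() -> tuple[int, int]:
    """'arp-miss anti-attack rate-limit packet 200 interval 10' (no block timer)."""
    return run(WindowRateLimit(200, 10.0), constructed_traffic())
```

On this traffic the block-timer form passes 236 packets and drops 104 (the 50 over-limit flood packets plus everything until the 60 s block expires at t=63.125 s), while the ARP Miss form passes 290 and drops only the 50 over-limit packets.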

Reason why S series switch cannot learn ARP entries
When an S series switch, except S1700, works at Layer 2, the switch does not have ARP entries and cannot learn ARP entries. When an S series switch, except S1700, works at Layer 3 and cannot learn ARP entries, rectify the fault as follows:
(1) Possible cause: The link between the switch and the connected device fails.
Solution: Perform ping operations to check whether the link fails. If so, rectify the link failure.
(2) Possible cause: ARP strict learning is enabled on the switch. (After this function is enabled, the switch learns only the ARP reply packets in response to the ARP request packets sent by itself.)
Solution: Run the undo arp learning strict command in the system or interface view to disable ARP strict learning.
(3) Possible cause: The switch has too many ARP entries and may suffer an ARP attack.
Solution: Configure static ARP entries for key servers or users and enable attack defense policies.
Note:
(1) By default, ARP strict learning is enabled on some models among fixed switches and disabled on modular switches. When a fixed switch connected to a modular switch receives a gratuitous ARP packet, the fixed switch does not learn ARP entries. Therefore, some fixed switches cannot learn ARP entries.
(2) After ARP strict learning is enabled on a switch, the switch actively sends ARP request packets to hosts. Some PCs with wireless network adapters installed do not respond to ARP requests, so the switch cannot learn the ARP entries of the connected PCs. The PCs respond only after the network adapters are restarted. In this situation, disable ARP strict learning.

Strict ARP learning is enabled on S series switches, and the user has learned the switch's ARP entry. Why can't the switch learn the user's ARP entry by pinging the user?
For S series switches: After strict ARP learning is enabled, the switch learns ARP entries only from the Reply packet sent in response to locally originated ARP Request packets. The firewall installed on the PC may prevent the PC from sending ARP Reply packets when receiving ARP Request packets, or the NIC on the computer cannot return ARP Reply packets. In this case, the switch cannot receive ARP Reply packets no matter whether the switch sends ping packets to the user or the user sends data packets to the switch to trigger ARP Miss messages. Therefore, the switch cannot learn the user's ARP entry. If this problem occurs on only a few users, configure static ARP entries for the users; if the problem happens on most users, disable strict ARP learning on the switch.
