When ARP rate suppression is configured and MFF is enabled in the VLAN on S series switches, can the rate of ARP packets processed by the MFF module be suppressed?


For S series switches:
In versions earlier than V200R001, the switch limits only the rate of ARP packets destined to the switch. Therefore, the switch does not limit the rate of ARP packets processed by the MFF module (ARP packets destined to other devices).
In V200R001 and later versions, the switch checks the VLAN ID in an ARP packet to determine whether MFF is enabled in the VLAN. If MFF is enabled in the VLAN, the switch limits the rate of the ARP packet and then the MFF module processes the ARP packet.

Other related questions:
How does an MFF-enabled switch process ARP requests from the network side?
When receiving an ARP Request packet, an MFF-enabled switch checks the destination IP address in the packet against the DHCP snooping binding table. If the destination IP address in the packet matches an entry in the DHCP snooping binding table, the switch functions as a DHCP client to respond to the request; otherwise, the ARP Request packet is sent to other network-side interfaces. A DHCP client may not send a DHCP Release message when going offline; therefore, association between ARP and DHCP snooping may be enabled on the upstream gateway device. In this case, if MFF is enabled on the switch, the probe packet sent by the gateway cannot reach the destination because ARP proxy is enabled on the switch. On switches of V100R006 and later versions, run the mac-forced-forwarding user-detect transparent command in the VLAN view to solve this problem.

How to configure ARP packet rate limit on S series switches?
For S series switches (except S1700 switches): You can configure the rate limit on ARP packets using one of the following methods as required:
- Limiting the rate of ARP packets based on source MAC addresses (supported by the S5720EI, S5720HI, S6720EI, and all S series modular switches, but not supported by E series switches)
  # Set the maximum rate of ARP packets from the specified MAC address 0-0-1 to 50 pps.
  [HUAWEI] arp speed-limit source-mac 0-0-1 maximum 50
- Limiting the rate of ARP packets based on source IP addresses
  # Set the maximum rate of ARP packets from the specified IP address 10.0.0.1 to 50 pps.
  [HUAWEI] arp speed-limit source-ip 10.0.0.1 maximum 50
- Limiting the rate of ARP packets globally, in a VLAN, or on an interface
  # Configure Layer 2 interface GE0/0/1 to allow 200 ARP packets to pass through in 10 seconds, and to discard all ARP packets in 60 seconds when the number of ARP packets exceeds the limit.
  [HUAWEI] interface gigabitethernet 0/0/1
  [HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
  [HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60
- Limiting the rate of ARP packets on a VLANIF interface of a super-VLAN
  # Set the maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs to 500 pps.
  [HUAWEI] arp speed-limit flood-rate 500
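The interface setting above (packet 200 interval 10 block-timer 60) can be reasoned about with a small model. This is an added example, not Huawei code: it assumes fixed counting windows, which this page does not specify, and runs on constructed traffic (one host sending 2 ARP packets per second plus a 5-second burst at 100 pps on the same interface). It shows that once the block timer starts, the well-behaved host's ARP packets are discarded as well.

```python
# Added illustration: simplified model of
#   arp anti-attack rate-limit packet 200 interval 10 block-timer 60
# Assumption: fixed counting windows; the switch's internal algorithm is not given on the page.
from collections import Counter


class ArpRateLimit:
    def __init__(self, packet=200, interval=10, block_timer=60):
        self.packet = packet                    # ARP packets allowed per interval
        self.interval_ms = interval * 1000
        self.block_ms = block_timer * 1000
        self.window_start = None                # start of the current counting window (ms)
        self.count = 0
        self.blocked_until = 0                  # all ARP is discarded while now < blocked_until

    def accept(self, now_ms):
        if now_ms < self.blocked_until:
            return False                        # block timer still running
        if self.window_start is None or now_ms - self.window_start >= self.interval_ms:
            self.window_start, self.count = now_ms, 0
        self.count += 1
        if self.count > self.packet:            # limit exceeded: start the block timer
            self.blocked_until = now_ms + self.block_ms
            self.window_start = None
            return False
        return True


def simulate(packets, limiter):
    """packets: iterable of (time_ms, source_label). Returns (forwarded, dropped) per source."""
    forwarded, dropped = Counter(), Counter()
    for now_ms, source in sorted(packets):
        (forwarded if limiter.accept(now_ms) else dropped)[source] += 1
    return dict(forwarded), dict(dropped)


def sample_traffic():
    # Constructed sample: steady host for 120 s, burst from t=20 s to t=25 s.
    host = [(t, "host") for t in range(0, 120_000, 500)]
    burst = [(t, "burst") for t in range(20_000, 25_000, 10)]
    return host + burst


if __name__ == "__main__":
    fwd, drop = simulate(sample_traffic(), ArpRateLimit())
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

In this model half of the steady host's packets are lost during the 60-second block, which is the case where the source-MAC or source-IP limits listed above are the narrower control.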

ARP rate limiting on S series switch
An S series switch, except S1700, can limit the rate of ARP packets and ARP Miss messages. When the switch receives many ARP packets, configure ARP packet rate limiting to prevent CPU overloading. When the switch receives many IP packets of which the destination IP addresses cannot be resolved, the switch generates a large number of ARP Miss messages, delivers temporary ARP entries, and sends many ARP request packets to the destination network. This increases CPU load and consumes bandwidth. To avoid IP packet attacks, configure ARP Miss rate limiting on the switch.

Can broadcast and multicast packets be simultaneously suppressed after traffic suppression is enabled on an interface of an S series switch?
Traffic suppression can be configured for both broadcast and multicast packets on an interface of an S series switch. Traffic suppression on an interface is implemented for one type of packets as follows: After broadcast traffic suppression is enabled on an interface, only broadcast packets are suppressed. After unknown multicast traffic suppression is enabled on an interface, only unknown multicast packets are suppressed. After unknown unicast suppression is enabled on an interface, only unknown unicast packets are suppressed.

Traffic suppression module of S series switch
S series switches support the configuration of traffic suppression on an interface. Traffic suppression has three modes:
- Suppression by packet rate
- Suppression by bit rate
- Suppression by percentage
Note: Among fixed (box) switches, only some models support traffic suppression by bit rate.
