Adjust the CPCAR value for ARP packets on the interface board as appropriate for the number of network users, the service volume, and the number of ARP table entries. The reference commands are as follows:
cpu-defend policy xxx
car packet-type arp-reply cir 96
car packet-type arp-request cir 96
cpu-defend-policy xxx global
2. For ARP Miss packet loss, it is recommended to configure ARP Miss message rate limiting, deployed globally (by default, up to 100 ARP Miss messages can be processed within 1 s). The reference command is as follows:
arp-miss anti-attack rate-limit enable
3. To trace the source of attacks from unknown IP addresses and configure blacklist filtering for specific IP addresses, refer to the following commands:
acl 3000
rule permit ip source x.x.x.x x.x.x.x
cpu-defend policy xxx
blacklist 1 acl 3000
cpu-defend-policy xxx global
4. On the device close to the service side, configure port-based loopback detection and set the processing action to shutdown.
After the loop disappears, manually run shutdown and then undo shutdown on the port to restore it. Refer to the following commands:
loopback-detect enable
loopback-detect untagged mac-address ffff-ffff-ffff
interface gigabitethernet x/x/x
loopback-detect action shutdown
