Unresolvable IP attack protection configuration example

Network requirements

As shown in Figure 116, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway through its own access switch.

A large number of ARP requests are detected in the office area and are considered to be the result of an unresolvable IP (IP flood) attack: the gateway keeps sending ARP requests for destination IP addresses that cannot be resolved. To prevent such attacks, configure ARP source suppression and ARP black hole routing on the gateway.

Figure 116: Network diagram

Configuration considerations

If the attack packets have the same source address, enable ARP source suppression as follows:

  • Enable ARP source suppression.

  • Set the threshold to 100. If the number of unresolvable IP packets received from one host within a 5-second interval exceeds 100, the device stops resolving packets from that host until the 5 seconds elapse; resolution for that host resumes in the next interval. Because the counter is kept per source address, this mechanism does not help when each attacking packet carries a different source.

If the attack packets have different source addresses, enable ARP black hole routing on the device instead: after the first unresolvable IP packet, the device installs a black hole route for the unresolved destination, so subsequent packets to that destination are dropped rather than triggering further ARP requests.
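The choice between the two mechanisms depends on whether the unresolvable IP packets come from one host or from many. The following Python script is an added example, not part of the original configuration guide and not H3C/HP product code: it applies the same per-host, fixed 5-second-window threshold (limit 100) that ARP source suppression uses to a constructed list of ARP request records and reports which mechanism the considerations above call for. The record format, the sample addresses (192.0.2.0/24 and 198.51.100.0/24 test networks) and the aggregate-per-window criterion used to recommend black hole routing are assumptions made for illustration; the device itself only keeps the per-host counter.

```python
from collections import defaultdict

# Constructed sample records, not captured traffic. Each record is
# (timestamp_seconds, sender_ip, target_ip) for an ARP request whose
# target IP address could not be resolved (no ARP reply was seen).

WINDOW = 5    # seconds: the fixed interval used by ARP source suppression
LIMIT = 100   # matches "arp source-suppression limit 100" in the procedure


def _window_start(ts, window):
    """Fixed (non-sliding) window, as the per-host counter on the device uses."""
    return ts // window * window


def suppressed_sources(records, window=WINDOW, limit=LIMIT):
    """Return {source_ip: [window_start, ...]} for every source whose
    unresolvable requests in any single window exceed `limit`.
    This mirrors the per-host threshold applied by ARP source suppression."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst in records:
        counts[src][_window_start(ts, window)] += 1
    hits = {}
    for src, windows in counts.items():
        over = sorted(w for w, n in windows.items() if n > limit)
        if over:
            hits[src] = over
    return hits


def recommend(records, window=WINDOW, limit=LIMIT):
    """Decide which mechanism the configuration considerations call for.

    - At least one host trips the per-host threshold -> source suppression.
    - No single host trips it, but the aggregate rate of unresolvable
      requests in a window still exceeds the limit -> the flood is spread
      across many source addresses, so black hole routing is the answer.
      (Assumed criterion for illustration; not a device behaviour.)
    - Otherwise the rate looks like normal traffic.
    """
    if suppressed_sources(records, window, limit):
        return "source-suppression"
    aggregate = defaultdict(int)
    for ts, _src, _dst in records:
        aggregate[_window_start(ts, window)] += 1
    if any(n > limit for n in aggregate.values()):
        return "black-hole-routing"
    return "none"


# Constructed scenarios -------------------------------------------------

def single_source_flood():
    """One host sends 150 unresolvable requests inside the first window."""
    return [(i * 5 // 150, "192.0.2.50", f"192.0.2.{i % 250 + 1}")
            for i in range(150)]


def distributed_flood():
    """120 different hosts each send one unresolvable request in one window."""
    return [(i % 5, f"192.0.2.{i + 1}", "198.51.100.9") for i in range(120)]


def normal_traffic():
    """A few unresolvable requests spread over 20 seconds."""
    return [(i, f"192.0.2.{i + 1}", f"192.0.2.{i + 2}") for i in range(20)]


if __name__ == "__main__":
    for name, recs in (("single source", single_source_flood()),
                       ("distributed", distributed_flood()),
                       ("normal", normal_traffic())):
        print(f"{name:14s} suppressed={suppressed_sources(recs)} "
              f"recommend={recommend(recs)}")
```

Run it as-is to see the three scenarios; feed it your own (timestamp, sender, target) tuples extracted from a packet capture to check the office-area traffic before choosing a mechanism. In practice you will often enable both, as the procedure below does, since a single misbehaving host and a spoofed-source flood can occur together.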

Configuration procedure

# Enable ARP source suppression and set the threshold to 100.

    <Device> system-view
    [Device] arp source-suppression enable
    [Device] arp source-suppression limit 100

# Enable ARP black hole routing.

    [Device] arp resolving-route enable