H3C S9500 Series Operating instructions

H3C S9500 Series Routing Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: T2-081655-20080530-C-2.03
Product Version: S9500-CMW520-R2132
Copyright © 2007-2008, Hangzhou H3C Technologies Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means
without prior written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint,
SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus,
N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies
Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their
respective owners.
Notice
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute
the warranty of any kind, express or implied.
To obtain the latest information, please access:
http://www.h3c.com
Technical Support
customer_service@h3c.com
http://www.h3c.com
About This Manual
Related Documentation
In addition to this manual, each H3C S9500 Series Routing Switches documentation
set includes the following:
Manual: H3C S9500 Series Routing Switches Installation Manual
Description: It introduces the installation procedure, commissioning, maintenance
and monitoring of the S9500 series routing switches.
Manual: H3C S9500 Series Routing Switches Command Manual
Description: It includes Feature List and Command Index, Access Volume, IP Service
Volume, IP Routing Volume, IP Multicast Volume, MPLS VPN Volume, QoS ACL Volume,
Security Volume, System Volume, and unsupported commands.
Organization
H3C Configuration Manual is organized as follows:
Part Contents
00 Product Overview
includes Obtaining the Documentation, Product
Features, and Features.
01 Access Volume
includes Ethernet Interface Configuration, POS
Interface Configuration, GVRP Configuration, Link
Aggregation Configuration, Port Mirroring
Configuration, RPR Configuration, Ethernet OAM
Configuration, MSTP Configuration, VLAN
Configuration, QinQ Configuration, BPDU Tunneling
Configuration, and Port Isolation Configuration.
02 IP Services Volume
includes ARP Configuration, DHCP Configuration,
DNS Configuration, IP Addressing Configuration, IP
Performance Configuration, UDP Helper Configuration,
IPv6 Basics Configuration, Dual Stack Configuration,
Tunneling Configuration, and Adjacency Table
Configuration.
03 IP Routing Volume
includes IP Routing Overview, BGP Configuration,
IS-IS Configuration, OSPF Configuration, RIP
Configuration, Routing Policy Configuration, Static
Routing Configuration, IPv6 BGP Configuration, IPv6
IS-IS Configuration, IPv6 OSPFv3 Configuration, IPv6
RIPng Configuration, and IPv6 Static Routing
Configuration.
04 IP Multicast Volume
includes Multicast Overview, Multicast Routing and
Forwarding Configuration, IGMP Snooping
Configuration, IGMP Configuration, PIM Configuration,
MSDP Configuration, IPv6 Multicast Routing and
Forwarding Configuration, MLD Snooping
Configuration, MLD Configuration, IPv6 PIM
Configuration, and Multicast VLAN Configuration.
05 MPLS VPN Volume
includes MPLS Basics Configuration, MPLS TE
Configuration, VPLS Configuration, MPLS L2VPN
Configuration, MPLS L3VPN Configuration, MPLS
Hybrid Insertion Configuration, and GRE Configuration.
06 QoS ACL Volume includes QoS Configuration and ACL Configuration.
07 Security Volume
includes 802.1x Configuration, AAA RADIUS
HWTACACS Configuration, MAC Authentication
Configuration, L3+NAT Configuration, Password
Control Configuration, SSH2.0 Configuration, and
Portal Configuration.
08 System Volume
includes GR Configuration, VRRP Configuration, HA
Configuration, Device Management Configuration,
NQA Configuration, NetStream Configuration, NTP
Configuration, RMON Configuration, SNMP
Configuration, File System Management Configuration,
System Maintaining and Debugging Configuration,
Basic System Configuration, Information Center
Configuration, User Interface Configuration, MAC
Address Table Management Configuration, PoE
Configuration, and Clock Monitoring Configuration.
09 OAA Volume
includes OAP Module Configuration and ACSEI
Configuration.
10 Acronyms Offers the acronyms used in this manual.
Conventions
The manual uses the following conventions:
I. Command conventions
Convention Description
Boldface
The keywords of a command line are in Boldface.
italic
Command arguments are in italic.
[ ]
Items (keywords or arguments) in square brackets [ ] are
optional.
{ x | y | ... }
Alternative items are grouped in braces and separated by
vertical bars. One is selected.
[ x | y | ... ]
Optional alternative items are grouped in square brackets
and separated by vertical bars. One or none is selected.
{ x | y | ... } *
Alternative items are grouped in braces and separated by
vertical bars. A minimum of one or a maximum of all can be
selected.
[ x | y | ... ] *
Optional alternative items are grouped in square brackets
and separated by vertical bars. Many or none can be
selected.
&<1-n>
The argument(s) before the ampersand (&) sign can be
entered 1 to n times.
# A line starting with the # sign is a comment.
II. GUI conventions
Convention Description
< >
Button names are inside angle brackets. For example, click
<OK>.
[ ]
Window names, menu items, data table and field names
are inside square brackets. For example, pop up the [New
User] window.
/
Multi-level menus are separated by forward slashes. For
example, [File/Create/Folder].
III. Symbols
Convention Description
Warning: Means the reader should be extremely careful. Improper operation may
cause bodily injury.
Caution: Means the reader should be careful. Improper operation may cause data
loss or damage to equipment.
Note: Means a complementary description.
Operation Manual
H3C S9500 Series Routing Switches IP Services Volume Organization
Manual Version
T2-081655-20080530-C-2.03
Product Version
S9500-CMW520-R2132
Organization
The IP Services Volume is organized as follows:
Feature (operation manual) / Description
ARP
Address Resolution Protocol (ARP) is used to resolve an IP address into a data
link layer address. The volume describes:
• ARP overview
• ARP configuration
• Proxy ARP configuration
DHCP
DHCP is built on a client-server model, in which the client sends a configuration
request and the server returns a reply carrying configuration parameters such as
an IP address to the client. The volume describes:
• DHCP overview
• DHCP server configuration
• DHCP relay agent configuration
DNS
Used in TCP/IP applications, the Domain Name System (DNS) is a distributed
database that provides the translation between domain names and IP addresses.
The volume describes:
• Introduction to DNS
• DNS configuration
IP Address
An IP address is a 32-bit address allocated to a network interface on a device
that is attached to the Internet. The volume describes:
• Introduction to IP addresses
• IP address configuration
• IP unnumbered configuration
IP Performance
In some network environments, you need to adjust the IP parameters to achieve the
best network performance. The volume describes:
• IP performance overview
• IP performance configuration
UDP Helper
UDP Helper functions as a relay agent that converts UDP broadcast packets into
unicast packets and forwards them to a specified server. The volume describes:
• UDP Helper overview
• UDP Helper configuration
IPv6 Basics
Internet Protocol version 6 (IPv6), also called IP next generation (IPng), was
designed by the Internet Engineering Task Force (IETF) as the successor to
Internet Protocol version 4 (IPv4). The volume describes:
• IPv6 overview
• Basic IPv6 functions configuration
• IPv6 NDP configuration
• PMTU discovery configuration
• IPv6 TCP properties configuration
• IPv6 FIB-based forwarding configuration
• Capacity and update period of token bucket configuration
• IPv6 DNS configuration
Dual Stack
A network node that supports both IPv4 and IPv6 is called a dual stack node. A
dual stack node configured with an IPv4 address and an IPv6 address can send and
receive both IPv4 and IPv6 packets. The volume describes:
• Dual stack overview
• Dual stack configuration
Tunneling
Tunneling is an encapsulation technique that uses one network transport protocol
to encapsulate packets of another network transport protocol and carry them over
the network. The volume describes:
• Tunneling overview
• IPv6 manual tunnel configuration
• Automatic IPv4-compatible IPv6 tunnel configuration
• 6to4 tunnel configuration
• 6to4 relay configuration
• ISATAP tunnel configuration
• IPv4 over IPv4 tunnel configuration
• Tunnel hybrid insertion configuration
Adjacency Table
An adjacency table manages the information on the neighbors that are both
connected and active. The volume describes:
• Adjacency table overview
• Displaying and maintaining the adjacency table
Operation Manual – ARP
H3C S9500 Series Routing Switches Table of Contents
Table of Contents
Chapter 1 ARP Configuration
  1.1 ARP Overview
    1.1.1 ARP Function
    1.1.2 ARP Message Format
    1.1.3 ARP Address Resolution Process
    1.1.4 ARP Mapping Table
  1.2 Configuring ARP
    1.2.1 Configuring a Static ARP Entry
    1.2.2 Configuring the Maximum Number of ARP Entries a VLAN Interface Can Learn
    1.2.3 Setting Aging Time for Dynamic ARP Entries
    1.2.4 Enabling the ARP Entry Check
    1.2.5 Enabling the Support for ARP Requests from a Natural Network
    1.2.6 ARP Configuration Examples
  1.3 Configuring Gratuitous ARP
    1.3.1 Introduction to Gratuitous ARP
    1.3.2 Configuring Gratuitous ARP
  1.4 Configuring ARP Source Suppression
    1.4.1 Introduction to ARP Source Suppression
    1.4.2 Configuring ARP Source Suppression
  1.5 Configuring ARP Defense Against IP Packet Attack
    1.5.1 Introduction to ARP Defense Against IP Packet Attack
    1.5.2 Enabling ARP Defense Against IP Packet Attack
  1.6 Configuring ARP Active Acknowledgement
    1.6.1 Introduction
    1.6.2 Configuring the ARP Active Acknowledgement Function
  1.7 Configuring ARP Packet Source MAC Address Consistency Check
    1.7.1 Introduction
    1.7.2 Configuring ARP Packet Source MAC Address Consistency Check
  1.8 Displaying and Maintaining ARP
Chapter 2 Proxy ARP Configuration
  2.1 Proxy ARP Overview
  2.2 Enabling Proxy ARP
  2.3 Displaying and Maintaining Proxy ARP
  2.4 Proxy ARP Configuration Example
Operation Manual – ARP
H3C S9500 Series Routing Switches Chapter 1 ARP Configuration
1-1
Chapter 1 ARP Configuration
When configuring ARP, go to these sections for information you are interested in:
• ARP Overview
• Configuring ARP
• Configuring Gratuitous ARP
• Configuring ARP Source Suppression
• Configuring ARP Defense Against IP Packet Attack
• Configuring ARP Active Acknowledgement
• Configuring ARP Packet Source MAC Address Consistency Check
• Displaying and Maintaining ARP
1.1 ARP Overview
1.1.1 ARP Function
Address resolution protocol (ARP) is used to resolve an IP address into a data link layer
address.
An IP address is the address of a host at the network layer. To send a network layer
packet to a destination host, the device must know the MAC address of the destination
host or the next hop. To this end, the IP address must be resolved into the
corresponding MAC address. Each host maintains an IP-to-MAC mapping table that
contains IP and MAC addresses of devices that communicated with the host recently.
1.1.2 ARP Message Format
Figure 1-1 ARP message format (a 28-byte ARP request or reply; field widths in bytes)
Hardware type (2) | Protocol type (2) | Hardware address length (1) |
Protocol address length (1) | OP (2) | Sender hardware address (6) |
Sender protocol address (4) | Target hardware address (6) | Target protocol address (4)
The following explains the fields in Figure 1-1.
• Hardware type: the type of hardware address. The value 1 represents an
Ethernet address.
• Protocol type: the type of protocol address to be mapped. The value 0x0800
represents an IP address.
• Hardware address length and protocol address length: the lengths of a
hardware address and of a protocol address, in bytes. For an Ethernet address
the hardware address length is 6; for an IPv4 address the protocol address
length is 4.
• OP: operation code, the type of ARP message. The value 1 represents an ARP
request and 2 represents an ARP reply.
• Sender hardware address: the hardware address of the device sending the
message.
• Sender protocol address: the protocol address of the device sending the
message.
• Target hardware address: the hardware address of the device the message is
sent to.
• Target protocol address: the protocol address of the device the message is
sent to.
1.1.3 ARP Address Resolution Process
Figure 1-2 ARP address resolution process
Host A: IP address 192.168.1.1, MAC address 0002.6779.0f4c. Host B: IP address
192.168.1.2, MAC address 00a0.2470.febc.
ARP request, broadcast by Host A: sender MAC address 0002.6779.0f4c, sender IP
address 192.168.1.1, target MAC address 0000.0000.0000, target IP address
192.168.1.2.
ARP reply, unicast by Host B: sender MAC address 00a0.2470.febc, sender IP
address 192.168.1.2, target MAC address 0002.6779.0f4c, target IP address
192.168.1.1.
Figure 1-2 ARP address resolution process
Suppose that Host A and Host B are on the same subnet and that Host A sends a
message to Host B. The resolution process is as follows:
1) Host A looks in its ARP mapping table to see whether there is an ARP entry for
Host B. If Host A finds it, Host A uses the MAC address in the entry to encapsulate
the IP packet into a data link layer frame and sends the frame to Host B.
2) If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an
ARP request, in which the source IP address and source MAC address are
respectively the IP address and MAC address of Host A and the destination IP
address and MAC address are respectively the IP address of Host B and an
all-zero MAC address. Because the ARP request is sent in broadcast mode, all
hosts on this subnet can receive the request, but only the requested host (namely,
Host B) will process the request.
3) Host B compares its own IP address with the destination IP address in the ARP
request. If they are the same, Host B saves the source IP address and source
MAC address into its ARP mapping table, encapsulates its MAC address into an
ARP reply, and unicasts the reply to Host A.
4) After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP
mapping table for subsequent packet forwarding. Meanwhile, Host A
encapsulates the IP packet and sends it out.
If Host A and Host B are not on the same subnet, Host A first sends an ARP request to
the gateway. The target IP address in the ARP request is the IP address of the gateway.
After obtaining the MAC address of the gateway from an ARP reply, Host A sends the
packet to the gateway. If the gateway maintains the ARP entry of Host B, it forwards the
packet to Host B directly; if not, it broadcasts an ARP request, in which the target IP
address is the IP address of Host B. After obtaining the MAC address of Host B, the
gateway sends the packet to Host B.
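The message layout of Figure 1-1 and the exchange of Figure 1-2, as an added Python example (not code from this manual or from H3C): it packs and parses the 28-byte ARP message with the field order and widths given above, then plays out the four resolution steps between Host A and Host B, with a third host on the same subnet that must ignore the broadcast. The Host class, its table and run_exchange are a model written for this illustration; the addresses are those of Figure 1-2. Note that a receiver in this model learns from any reply it sees, whether or not it sent a request; that is the behaviour ARP spoofing relies on and the reason for the checks in Sections 1.6 and 1.7.

```python
import struct

HTYPE_ETHERNET = 1            # hardware type field value for Ethernet
PTYPE_IPV4 = 0x0800           # protocol type field value for IPv4
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "0000-0000-0000"
ARP_FMT = "!HHBBH6s4s6s4s"    # the nine fields of Figure 1-1, 28 bytes in total


def mac_to_bytes(mac):
    """Accept the manual's dotted (0002.6779.0f4c) or dashed (000f-e201-0070) notation."""
    return bytes.fromhex(mac.replace(".", "").replace("-", "").replace(":", ""))


def bytes_to_mac(raw):
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(octet) for octet in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(data):
    """Decode a 28-byte ARP message; reject anything that is not Ethernet/IPv4 ARP."""
    if len(data) < 28:
        raise ValueError("ARP message shorter than 28 bytes")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": op, "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}


class Host:
    """Minimal host model for the illustration: an IP address, a MAC address and an ARP table."""

    def __init__(self, ip, mac):
        self.ip = ip
        self.mac = bytes_to_mac(mac_to_bytes(mac))   # normalise to dashed notation
        self.arp_table = {}                          # ip -> mac (dynamic entries)

    def request_for(self, target_ip):
        """Steps 1 and 2: None if the entry is cached, otherwise the ARP request to broadcast."""
        if target_ip in self.arp_table:
            return None
        return build_arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def receive(self, data):
        """Steps 3 and 4: handle a request or reply; return the reply to unicast, if any."""
        msg = parse_arp(data)
        if msg["op"] == OP_REQUEST:
            if msg["target_ip"] != self.ip:
                return None                          # the request is for another host
            self.arp_table[msg["sender_ip"]] = msg["sender_mac"]
            return build_arp(OP_REPLY, self.mac, self.ip, msg["sender_mac"], msg["sender_ip"])
        if msg["op"] == OP_REPLY:
            # Learned without checking that a request was outstanding: this is the
            # behaviour ARP spoofing exploits (see Sections 1.6 and 1.7).
            self.arp_table[msg["sender_ip"]] = msg["sender_mac"]
        return None


def run_exchange():
    """Host A resolves Host B as in Figure 1-2; Host C shares the subnet and ignores the request."""
    a = Host("192.168.1.1", "0002.6779.0f4c")
    b = Host("192.168.1.2", "00a0.2470.febc")
    c = Host("192.168.1.3", "00e0.fc01.0000")
    request = a.request_for(b.ip)                    # broadcast: every host on the subnet sees it
    c.receive(request)                               # C is not the target and learns nothing
    reply = b.receive(request)                       # only B answers, by unicast to A
    a.receive(reply)
    return a, b, c, request, reply
```

After run_exchange, Host A's table holds Host B's MAC and Host B's table holds Host A's, while Host C's table is still empty; a second request_for on Host A returns None because step 1 now finds the entry.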
1.1.4 ARP Mapping Table
After obtaining the destination MAC address, the device adds the IP-to-MAC mapping
into its own ARP mapping table. This mapping is used for forwarding packets with the
same destination in future.
An ARP mapping table contains ARP entries, which fall into two categories: dynamic
and static.
1) A dynamic entry is automatically created and maintained by ARP. It can be aged
out, updated by a new ARP packet, or overwritten by a static ARP entry. When the
aging timer expires or the interface goes down, the corresponding dynamic ARP
entry is removed.
2) A static ARP entry is manually configured and maintained. It is never aged out
or overwritten by a dynamic ARP entry. It can be permanent or non-permanent.
• A permanent static ARP entry can be used directly to forward packets. When
configuring a permanent static ARP entry, you must configure a VLAN and an
outbound interface for the entry in addition to the IP address and MAC address.
• A non-permanent static ARP entry cannot be used directly to forward data. When
configuring a non-permanent static ARP entry, you only need to configure the IP
address and MAC address. When forwarding IP packets, the device sends an ARP
request. If the source IP and MAC addresses in the received ARP reply are the
same as the configured IP and MAC addresses, the device adds the interface that
received the ARP reply to the static ARP entry. The entry can then be used for
forwarding IP packets.
Note:
ARP normally resolves IP addresses to MAC addresses dynamically, without manual
intervention. Static ARP entries are used where a mapping must not be aged out
or overwritten by ARP packets received from the network.
1.2 Configuring ARP
1.2.1 Configuring a Static ARP Entry
A static ARP entry is effective when the device works normally. However, when a VLAN
or VLAN interface to which a static ARP entry corresponds is deleted, the entry, if
permanent, will be deleted, and if non-permanent and resolved, will become
unresolved.
Follow these steps to configure a static ARP entry:
1) Enter system view
   Command: system-view
2) Configure a permanent static ARP entry
   Command: arp static ip-address mac-address [ vlan-id interface-type
   interface-number ] [ vpn-instance vpn-instance-name ]
   Remarks: Required. No permanent static ARP entry is configured by default.
3) Configure a non-permanent static ARP entry
   Command: arp static ip-address mac-address [ vpn-instance vpn-instance-name ]
   Remarks: Required. No non-permanent static ARP entry is configured by default.
Both rows use the same arp static command: specifying the VLAN ID and the
outbound interface makes the entry permanent, omitting them makes it
non-permanent (see section 1.1.4).
Caution:
The vlan-id argument must be the ID of an existing VLAN which corresponds to the
ARP entries. In addition, the Ethernet interface following the argument must belong to
that VLAN.
1.2.2 Configuring the Maximum Number of ARP Entries a VLAN Interface Can
Learn
Follow these steps to set the maximum number of dynamic ARP entries that a VLAN
interface can learn:
1) Enter system view
   Command: system-view
2) Enter VLAN interface view
   Command: interface vlan-interface interface-number
3) Set the maximum number of dynamic ARP entries that the interface can learn
   Command: arp max-learning-num number
   Remarks: Optional. 4096 by default.
A limit sized to the number of hosts actually attached to the VLAN bounds how
much of the ARP table one VLAN can fill if a host floods it with ARP packets
carrying fabricated sender addresses.
1.2.3 Setting Aging Time for Dynamic ARP Entries
After dynamic ARP entries expire, the system will delete them from the ARP mapping
table. You can adjust the aging time for dynamic ARP entries according to the actual
network condition.
Follow these steps to set aging time for dynamic ARP entries:
1) Enter system view
   Command: system-view
2) Set aging time for dynamic ARP entries
   Command: arp timer aging aging-time
   Remarks: Optional. 20 minutes by default.
1.2.4 Enabling the ARP Entry Check
The ARP entry check prevents the device from learning ARP entries whose MAC
address is a multicast MAC address. With the ARP entry check enabled, the device
does not learn any ARP entry with a multicast MAC address, and an attempt to
configure such a static ARP entry is rejected with an error message.
With the ARP entry check disabled, the device can learn ARP entries with
multicast MAC addresses, and you can also configure such static ARP entries on
the device. Leave the check enabled unless an application needs such entries:
frames sent to a multicast MAC address are flooded in the VLAN rather than
switched to one port, so an entry that binds a unicast IP address to a multicast
MAC address exposes that host's traffic to every port in the VLAN.
Follow these steps to enable the ARP entry check:
1) Enter system view
   Command: system-view
2) Enable the ARP entry check
   Command: arp check enable
   Remarks: Optional. Enabled by default, that is, the device does not learn
   entries with multicast MAC addresses.
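The entry categories of section 1.1.4 together with the learning limit, aging timer and entry check of sections 1.2.2 to 1.2.4, as an added Python model (not code from this manual and not H3C's implementation). The ArpTable class, its method names and the fake clock in demo are inventions for this illustration; the defaults (20 minutes, 4096 entries per VLAN interface, check enabled) and the rules it applies are the manual's: a static entry is never overwritten by a dynamic one, a non-permanent static entry becomes usable only when a reply with the configured MAC arrives, and a multicast MAC is refused both for learning and for static configuration while the check is on.

```python
import time


def is_multicast_mac(mac):
    """True when the group bit (least-significant bit of the first octet) is set, e.g. 0100-5e00-0001."""
    first_octet = int(mac.replace("-", "").replace(".", "")[:2], 16)
    return (first_octet & 0x01) == 1


class ArpEntry:
    def __init__(self, ip, mac, kind, interface=None, learned_at=0.0):
        self.ip, self.mac, self.kind, self.interface = ip, mac, kind, interface
        self.learned_at = learned_at                 # only used for dynamic entries


class ArpTable:
    """ARP mapping table of one device; max_learning_num is counted per VLAN interface."""

    def __init__(self, aging_minutes=20, max_learning_num=4096, arp_check=True, clock=time.monotonic):
        self.aging = aging_minutes * 60              # arp timer aging, 20 minutes by default
        self.max_learning_num = max_learning_num     # arp max-learning-num, 4096 by default
        self.arp_check = arp_check                   # arp check enable, on by default
        self.clock = clock
        self.entries = {}                            # ip -> ArpEntry

    def _dynamic_count(self, interface):
        return sum(1 for e in self.entries.values() if e.kind == "dynamic" and e.interface == interface)

    def learn(self, ip, mac, interface):
        """Dynamic learning from a received ARP packet; returns True if the table changed."""
        if self.arp_check and is_multicast_mac(mac):
            return False                             # entry check: multicast MACs are never learned
        cur = self.entries.get(ip)
        if cur is not None and cur.kind == "static":
            return False                             # a static entry is never overwritten dynamically
        if cur is None and self._dynamic_count(interface) >= self.max_learning_num:
            return False                             # learning limit reached on this VLAN interface
        # A new ARP packet refreshes or overwrites an existing dynamic entry.
        self.entries[ip] = ArpEntry(ip, mac, "dynamic", interface, self.clock())
        return True

    def add_static(self, ip, mac, interface=None):
        """arp static: permanent if an outbound interface is given, otherwise non-permanent."""
        if self.arp_check and is_multicast_mac(mac):
            raise ValueError("static ARP entry with a multicast MAC address is not allowed")
        self.entries[ip] = ArpEntry(ip, mac, "static", interface)   # overwrites any dynamic entry

    def resolve_static(self, ip, reply_mac, reply_interface):
        """Non-permanent static entry: bind the inbound interface only if the reply carries the configured MAC."""
        e = self.entries.get(ip)
        if e is None or e.kind != "static" or e.interface is not None or e.mac != reply_mac:
            return False                             # a reply with another MAC (e.g. spoofed) is ignored
        e.interface = reply_interface
        return True

    def age_out(self):
        now = self.clock()
        expired = [ip for ip, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.learned_at >= self.aging]
        for ip in expired:
            del self.entries[ip]

    def interface_down(self, interface):
        gone = [ip for ip, e in self.entries.items() if e.kind == "dynamic" and e.interface == interface]
        for ip in gone:
            del self.entries[ip]

    def lookup(self, ip):
        """Forwarding lookup: (mac, interface) or None; an unresolved static entry is unusable."""
        self.age_out()
        e = self.entries.get(ip)
        if e is None or e.interface is None:
            return None
        return e.mac, e.interface


def demo():
    """Constructed scenario with a fake clock: limit of 2 entries per interface, aging time 10 minutes."""
    now = [0.0]
    t = ArpTable(aging_minutes=10, max_learning_num=2, clock=lambda: now[0])
    t.learn("192.168.1.10", "0002-6779-0f4c", "Vlan-interface10")
    t.learn("192.168.1.11", "00a0-2470-febc", "Vlan-interface10")
    over_limit = t.learn("192.168.1.12", "00a0-2470-fe01", "Vlan-interface10")  # False: limit reached
    multicast = t.learn("192.168.1.13", "0100-5e00-0001", "Vlan-interface10")   # False: entry check
    t.add_static("192.168.1.10", "000f-e201-0070", "Ethernet1/1/1")             # permanent static
    spoofed = t.learn("192.168.1.10", "dead-beef-0001", "Vlan-interface10")     # False: static wins
    t.add_static("192.168.1.20", "000f-e201-0099")                              # non-permanent static
    unresolved = t.lookup("192.168.1.20")                                       # None until resolved
    t.resolve_static("192.168.1.20", "dead-beef-0002", "Vlan-interface10")     # wrong MAC: ignored
    t.resolve_static("192.168.1.20", "000f-e201-0099", "Vlan-interface10")     # configured MAC: bound
    now[0] = 11 * 60                                                            # past the aging time
    aged = t.lookup("192.168.1.11")                                             # None: dynamic entry gone
    return over_limit, multicast, spoofed, unresolved, aged, t.lookup("192.168.1.10"), t.lookup("192.168.1.20")
```

Only the dynamic entry for 192.168.1.11 disappears when the clock passes the aging time; the permanent static entry for 192.168.1.10 and the now-resolved non-permanent entry for 192.168.1.20 remain usable for forwarding.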
1.2.5 Enabling the Support for ARP Requests from a Natural Network
By default, when learning an ARP entry, the device checks that the source IP
address of the ARP packet and the IP address of the inbound interface are on the
same subnet, and discards the packet if they are not. With this feature enabled,
a packet that fails the subnet check is checked again on the basis of the natural
(classful) network: if both addresses fall within the natural network of the
interface address, the entry is learned.
Suppose that the IP address of Vlan-interface10 is 10.10.10.5/24 and that this
interface receives an ARP packet from 10.11.11.1/8. Because these two IP
addresses are not on the same subnet, Vlan-interface10 does not learn from the
packet by default. With this feature enabled, the device judges on a natural
network basis: 10.10.10.5 is a Class A address with a natural mask length of 8,
so both addresses are in 10.0.0.0/8 and Vlan-interface10 learns the MAC address
of the source IP address 10.11.11.1.
Enabling this feature widens the range of source addresses from which the
interface learns ARP entries (for a Class A interface address, from the
configured subnet to the whole /8), so enable it only where hosts addressed
outside the interface subnet legitimately share the broadcast domain.
Follow these steps to enable the support for ARP requests from a natural network:
1) Enter system view
   Command: system-view
2) Enable the support for ARP requests from a natural network
   Command: naturemask-arp enable
   Remarks: Required. Disabled by default.
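The subnet check and the natural-network fallback described above, as an added Python example (not code from this manual or from H3C). The function names are inventions for this illustration; the classful boundaries (first octet below 128 is Class A with an 8-bit mask, below 192 Class B with 16, below 224 Class C with 24) are standard, and learning_scope returns the network from which an interface would accept ARP sources so the widening the caveat above describes can be measured.

```python
import ipaddress


def natural_prefix_len(ip):
    """Classful (natural) mask length of an IPv4 address: Class A 8, B 16, C 24; D and E have none."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    return None


def learning_scope(interface_ip, prefix_len, naturemask_arp):
    """The range of source IP addresses from which the interface learns ARP entries."""
    subnet = ipaddress.IPv4Network(f"{interface_ip}/{prefix_len}", strict=False)
    if not naturemask_arp:
        return subnet                                # default: the configured subnet only
    natural_len = natural_prefix_len(interface_ip)
    if natural_len is None or natural_len > prefix_len:
        return subnet                                # a natural mask longer than the configured one adds nothing
    return ipaddress.IPv4Network(f"{interface_ip}/{natural_len}", strict=False)


def accept_arp_source(interface_ip, prefix_len, source_ip, naturemask_arp=False):
    """Subnet check first; with naturemask-arp enable, fall back to the natural-network check."""
    src = ipaddress.IPv4Address(source_ip)
    if src in ipaddress.IPv4Network(f"{interface_ip}/{prefix_len}", strict=False):
        return True
    return naturemask_arp and src in learning_scope(interface_ip, prefix_len, True)
```

With the manual's figures, accept_arp_source("10.10.10.5", 24, "10.11.11.1") is False by default and True once the feature is enabled, and learning_scope grows from 10.10.10.0/24 (256 addresses) to 10.0.0.0/8 (16,777,216 addresses).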
1.2.6 ARP Configuration Examples
I. Network requirements
• Disable the ARP entry check.
• Set the aging time for dynamic ARP entries to 10 minutes.
• Enable the support for ARP requests from a natural network.
• Set the maximum number of dynamic ARP entries that VLAN-interface 10 can
learn to 1,000.
• Add a permanent static ARP entry with the IP address 192.168.1.1, the MAC
address 000f-e201-0070, and the outbound interface Ethernet 1/1/1 in VLAN 10.
II. Configuration procedure
<Sysname> system-view
[Sysname] undo arp check enable
[Sysname] arp timer aging 10
[Sysname] naturemask-arp enable
[Sysname] vlan 10
[Sysname-vlan10] quit
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] port access vlan 10
[Sysname-Ethernet1/1/1] quit
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] arp max-learning-num 1000
[Sysname-Vlan-interface10] quit
[Sysname] arp static 192.168.1.1 000f-e201-0070 10 ethernet1/1/1
1.3 Configuring Gratuitous ARP
1.3.1 Introduction to Gratuitous ARP
A gratuitous ARP packet is a special ARP packet, in which the source IP address and
destination IP address are both the IP address of the sender, the source MAC address
is the MAC address of the sender, and the destination MAC address is a broadcast
address.
A device can implement the following functions by sending gratuitous ARP packets:
• Determining whether its IP address is already used by another device.
• Informing other devices of its MAC address change so that they can update
their ARP entries.
Upon receiving a gratuitous ARP packet, the device does the following:
• If no corresponding ARP entry for the ARP packet is found in the cache, the
device adds the information carried in the packet to its dynamic ARP entry table.
• If the source IP address of the ARP packet is identical to its own IP address,
the device returns an ARP reply to inform the sender of an address conflict.
1.3.2 Configuring Gratuitous ARP
Follow these steps to configure gratuitous ARP:
1) Enter system view
   Command: system-view
2) Enable the device to send gratuitous ARP packets when receiving ARP requests
   from another network segment
   Command: gratuitous-arp-sending enable
   Remarks: Optional. By default, the device does not send gratuitous ARP
   packets when receiving ARP requests from another network segment.
3) Enable the gratuitous ARP packet learning function
   Command: gratuitous-arp-learning enable
   Remarks: Required. Disabled by default.
1.4 Configuring ARP Source Suppression
1.4.1 Introduction to ARP Source Suppression
If hosts on a network attack the device by sending large numbers of IP packets
whose destination IP addresses cannot be resolved, the following results:
• The device sends large numbers of ARP requests to the destination subnet,
which increases the load on that subnet.
• The device keeps trying to resolve the destination IP addresses, which
increases the load on the CPU.
To protect against such attacks, S9500 series switches provide the ARP source
suppression function. With the function enabled, whenever the number of packets
with unresolvable destination IP addresses received from one source IP address
within five seconds exceeds the configured threshold, the device stops that
source from triggering any ARP requests for the following five seconds.
1.4.2 Configuring ARP Source Suppression
Follow these steps to configure ARP source suppression:
1) Enter system view
   Command: system-view
2) Enable ARP source suppression
   Command: arp source-suppression enable
   Remarks: Required. Disabled by default.
3) Set the maximum number of packets with the same source IP address but
   unresolvable destination IP addresses that the device can receive in five
   consecutive seconds
   Command: arp source-suppression limit limit-value
   Remarks: Optional. 10 by default.
1.5 Configuring ARP Defense Against IP Packet Attack
1.5.1 Introduction to ARP Defense Against IP Packet Attack
In forwarding an IPv4 packet, a device depends on ARP to resolve the MAC address of
the next hop. If the address resolution is successful, the forwarding chip forwards the
packet directly. Otherwise, the device runs software for further processing. When large
amounts of IP packets for which ARP cannot resolve the IP addresses of the next hops
arrive at a device, the software on the device will be called again and again and the
CPU of the device will be overburdened. This is called IP packet attack.
To protect a device against IP packet attack, you can configure the ARP defense
against IP packet attack function. After receiving an IP packet with the IP address of the
next hop unreachable (an IP packet that ARP cannot resolve the MAC address of the
next hop), a device with this function creates a black hole route immediately and the
forwarding chip simply drops all packets to the address. Note that a black hole route
can get aged, in which case a subsequent IP packet with the same next hop triggers the
above process. This protects the device against the IP packet attack efficiently,
reducing the load of the CPU.
1.5.2 Enabling ARP Defense Against IP Packet Attack
The ARP defense against IP packet attack function works for forwarded packets and
those originated by the device.
Follow these steps to configure ARP defense against IP packet attack:
1) Enter system view
   Command: system-view
2) Enable ARP defense against IP packet attack
   Command: arp resolving-route enable
   Remarks: Optional. Enabled by default.
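The two CPU-protection mechanisms of sections 1.4 and 1.5 in one added Python model (not code from this manual and not H3C's forwarding software): a packet whose next hop has no ARP entry is first matched against black-hole routes, then against the per-source counter, and only then triggers an ARP request. The class and method names, the fixed five-second counting window and the 20-second black-hole aging value are assumptions made for this illustration; the manual states that the black-hole route ages but does not give the period. The defaults (suppression off with a limit of 10, resolving-route on) are the manual's.

```python
WINDOW = 5.0   # seconds: the manual's counting window and suppression period for section 1.4


class UnresolvedNextHopGuard:
    """Software path for IP packets whose next hop has no ARP entry."""

    def __init__(self, clock, suppression_enabled=False, suppression_limit=10,
                 resolving_route_enabled=True, blackhole_age=20.0):
        self.clock = clock
        self.suppression_enabled = suppression_enabled   # arp source-suppression enable (off by default)
        self.limit = suppression_limit                   # arp source-suppression limit (10 by default)
        self.resolving_route = resolving_route_enabled   # arp resolving-route enable (on by default)
        self.blackhole_age = blackhole_age               # assumed aging period of a black-hole route
        self.window_start = {}                           # source ip -> start of its 5-second window
        self.window_count = {}                           # source ip -> unresolvable packets in that window
        self.suppressed_until = {}                       # source ip -> end of its suppression period
        self.blackhole = {}                              # next hop -> expiry of its black-hole route
        self.arp_requests = []                           # next hops for which an ARP request went out

    def handle(self, src_ip, next_hop):
        """Return 'blackhole' or 'suppressed' (dropped, no ARP) or 'resolve' (ARP request sent)."""
        now = self.clock()
        if self.resolving_route and self.blackhole.get(next_hop, 0.0) > now:
            return "blackhole"                           # 1.5: dropped by the forwarding chip
        if self.suppression_enabled:
            if self.suppressed_until.get(src_ip, 0.0) > now:
                return "suppressed"                      # 1.4: the source is in its penalty period
            start = self.window_start.get(src_ip)
            if start is None or now - start >= WINDOW:
                self.window_start[src_ip] = now          # fixed-window counter (an assumption)
                self.window_count[src_ip] = 0
            self.window_count[src_ip] += 1
            if self.window_count[src_ip] > self.limit:
                self.suppressed_until[src_ip] = now + WINDOW
                return "suppressed"
        self.arp_requests.append(next_hop)               # software resolution: one ARP request
        if self.resolving_route:
            self.blackhole[next_hop] = now + self.blackhole_age   # later packets are dropped in hardware
        return "resolve"


def demo_source_suppression():
    """Constructed scan: one host sends 12 packets to unresolvable destinations within one second."""
    now = [0.0]
    g = UnresolvedNextHopGuard(clock=lambda: now[0], suppression_enabled=True,
                               suppression_limit=10, resolving_route_enabled=False)
    results = [g.handle("192.168.1.50", f"192.168.2.{i}") for i in range(1, 13)]
    now[0] = 6.0                                         # the 5-second penalty period has elapsed
    later = g.handle("192.168.1.50", "192.168.2.99")
    return results, later, len(g.arp_requests)


def demo_blackhole():
    """Constructed flood: three hosts send to one unreachable next hop; only the first triggers ARP."""
    now = [0.0]
    g = UnresolvedNextHopGuard(clock=lambda: now[0], resolving_route_enabled=True, blackhole_age=20.0)
    first = g.handle("192.168.1.50", "192.168.2.1")
    second = g.handle("192.168.1.51", "192.168.2.1")
    now[0] = 21.0                                        # the black-hole route has aged out
    third = g.handle("192.168.1.52", "192.168.2.1")
    return first, second, third, len(g.arp_requests)
```

In demo_source_suppression the first ten packets each cost an ARP request, the eleventh and twelfth are suppressed, and the source is served again once its five seconds are up; in demo_blackhole the second packet never reaches software at all, and the third does only because the route has aged.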
1.6 Configuring ARP Active Acknowledgement
1.6.1 Introduction
Typically, the ARP active acknowledgement feature is configured on gateway
devices to identify invalid ARP packets, such as packets that try to change the
MAC address recorded for a host.
With this feature enabled, when the gateway receives an ARP packet whose source
MAC address differs from that in the corresponding ARP entry, it checks whether
the ARP entry has been updated within the last minute:
• If yes, the gateway ignores the ARP packet.
• If not, the gateway sends a unicast ARP request to the MAC address in the
existing ARP entry. If a reply is received within five seconds, the ARP packet
is ignored; if no reply is received, the gateway sends a unicast ARP request to
the source MAC address of the ARP packet. If a reply to that request is received
within five seconds, the gateway updates the ARP entry; otherwise the entry is
left unchanged.
1.6.2 Configuring the ARP Active Acknowledgement Function
Follow these steps to configure ARP active acknowledgement:
1) Enter system view
   Command: system-view
2) Enable the ARP active acknowledgement function
   Command: arp anti-attack active-ack enable
   Remarks: Required. Disabled by default.
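The decision procedure of section 1.6.1, as an added Python model (not code from this manual and not H3C's implementation). The ActiveAckGateway class, its decision strings and the probe callback are inventions for this illustration: probe(ip, mac) stands in for the unicast ARP request to mac and the wait of up to five seconds for a reply. The one-minute and five-second values and the order of the checks are the manual's.

```python
RECENT_UPDATE = 60.0   # seconds: an entry updated within the last minute is not re-validated


class ActiveAckGateway:
    """ARP-entry update policy of a gateway with arp anti-attack active-ack enable."""

    def __init__(self, clock, probe):
        self.clock = clock
        self.probe = probe        # probe(ip, mac): unicast ARP request to mac; True if a reply arrives within 5 s
        self.entries = {}         # ip -> (mac, time of last update)

    def on_arp(self, ip, mac):
        """Apply the policy to an ARP packet claiming ip -> mac and return the decision taken."""
        now = self.clock()
        current = self.entries.get(ip)
        if current is None:
            self.entries[ip] = (mac, now)
            return "learned"
        old_mac, updated_at = current
        if old_mac == mac:
            self.entries[ip] = (mac, now)
            return "refreshed"                               # same MAC: ordinary refresh
        if now - updated_at < RECENT_UPDATE:
            return "ignored:recently-updated"                # changed within a minute: not acted on
        if self.probe(ip, old_mac):
            return "ignored:old-mac-alive"                   # the recorded owner still answers
        if self.probe(ip, mac):
            self.entries[ip] = (mac, now)
            return "updated:new-mac-confirmed"               # the new MAC answers for the address
        return "ignored:new-mac-silent"


def demo():
    """Constructed timeline: spoofing attempts against 192.168.1.10, then a genuine NIC replacement."""
    now = [0.0]
    answering = {"0002-6779-0f4c"}                           # MACs that currently reply to unicast probes
    gw = ActiveAckGateway(clock=lambda: now[0], probe=lambda ip, mac: mac in answering)
    gw.on_arp("192.168.1.10", "0002-6779-0f4c")
    now[0] = 30.0
    spoof_early = gw.on_arp("192.168.1.10", "dead-beef-0001")   # within a minute of the last update
    now[0] = 120.0
    spoof_late = gw.on_arp("192.168.1.10", "dead-beef-0001")    # the real host still answers the probe
    answering.clear()
    answering.add("000f-e201-0070")                              # the host's NIC has been replaced
    now[0] = 300.0
    replaced = gw.on_arp("192.168.1.10", "000f-e201-0070")
    answering.clear()                                            # nobody answers any more
    now[0] = 400.0
    silent = gw.on_arp("192.168.1.10", "dead-beef-0002")
    return spoof_early, spoof_late, replaced, silent, gw.entries["192.168.1.10"][0]
```

Both spoofing attempts leave the entry untouched, the first because the entry is fresh and the second because the recorded MAC still answers; the genuine change is accepted because the old MAC is silent and the new one answers; a claim that nobody will answer for is also rejected.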
1.7 Configuring ARP Packet Source MAC Address Consistency Check
1.7.1 Introduction
This feature enables the device to filter out ARP packets with the source MAC address
in the Ethernet header different from the sender MAC address in the ARP message.
1.7.2 Configuring ARP Packet Source MAC Address Consistency Check
Follow these steps to enable ARP packet source MAC address consistency check:
1) Enter system view
   Command: system-view
2) Enable ARP packet source MAC address consistency check
   Command: arp anti-attack valid-check enable
   Remarks: Required. Disabled by default.
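The check of section 1.7.1 applied to raw Ethernet frames, as an added Python example (not code from this manual or from H3C): it compares the Ethernet source address with the sender hardware address that sits at offset 8 of the ARP message (Figure 1-1) and drops the frame when they differ. The three frames are constructed for this illustration, not captures; the function names are inventions.

```python
import struct

ETHERTYPE_ARP = 0x0806

# Constructed frames (not captures): 14-byte Ethernet header followed by a 28-byte ARP message.
# Consistent: Ethernet source 00:02:67:79:0f:4c and ARP sender hardware address 00:02:67:79:0f:4c.
FRAME_CONSISTENT = bytes.fromhex(
    "ffffffffffff 000267790f4c 0806"
    "0001 0800 06 04 0001 000267790f4c c0a80101 000000000000 c0a80102")
# Inconsistent: sent from 00:a0:24:70:fe:bc but carrying 00:02:67:79:0f:4c as the ARP sender address.
FRAME_SPOOFED = bytes.fromhex(
    "000267790f4c 00a02470febc 0806"
    "0001 0800 06 04 0002 000267790f4c c0a80101 00a02470febc c0a80102")
# Not ARP at all (IPv4 ethertype with a truncated payload): the check does not apply.
FRAME_IPV4 = bytes.fromhex("000267790f4c 00a02470febc 0800 4500")


def arp_source_mac_consistent(frame):
    """arp anti-attack valid-check: True unless an ARP frame's Ethernet source differs from its sender MAC."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_ARP:
        return True                              # the check applies to ARP frames only
    if len(frame) < 14 + 28:
        return False                             # truncated ARP message
    ethernet_source = frame[6:12]
    sender_hardware = frame[14 + 8:14 + 14]      # sender hardware address: offset 8 of the ARP message
    return ethernet_source == sender_hardware


def filter_frames(frames):
    """Sort frames as a device with the check enabled would: (forwarded, dropped) lists of indexes."""
    forwarded, dropped = [], []
    for index, frame in enumerate(frames):
        (forwarded if arp_source_mac_consistent(frame) else dropped).append(index)
    return forwarded, dropped
```

Of the three constructed frames only FRAME_SPOOFED is dropped; the IPv4 frame passes untouched because the check inspects ARP frames only.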
1.8 Displaying and Maintaining ARP
To display or clear ARP information, use the following commands:
• Display the ARP entries in the ARP mapping table (available in any view):
  display arp { { all | dynamic | static } [ slot slot-id ] | vlan vlan-id |
  interface interface-type interface-number } [ [ verbose ] [ | { begin |
  exclude | include } text ] | count ]
• Display the ARP entries for a specified IP address (available in any view):
  display arp ip-address [ slot slot-id ] [ verbose ] [ | { begin | exclude |
  include } text ]
• Display the ARP entries for a specified VPN instance (available in any view):
  display arp vpn-instance vpn-instance-name [ | { begin | exclude | include }
  text | count ]
• Display the aging time for dynamic ARP entries (available in any view):
  display arp timer aging
• Display the configuration information of ARP source suppression (available in
  any view):
  display arp source-suppression
• Clear ARP entries from the ARP mapping table (available in user view):
  reset arp { all | dynamic | static | slot slot-id | interface interface-type
  interface-number }