H3C S9500 Series Operating instructions

H3C S9500 Series Routing Switches

Operation Manual

Hangzhou H3C Technologies Co., Ltd.

http://www.h3c.com

Manual Version: T2-081655-20080530-C-2.03

Product Version: S9500-CMW520-R2132

No part of this manual may be reproduced or transmitted in any form or by any means

without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, , Aolynk, , H

3

Care,

, TOP G, , IRF, NetPilot,

Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware,

Storware, NQA, VVG, V

2

G, V

n

G, PSPT, XGbus, N-Bus, TiGem, InnoVision and

HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their

respective owners.

Notice

The information in this document is subject to change without notice. Every effort has

been made in the preparation of this document to ensure accuracy of the contents, but

all statements, information, and recommendations in this document do not constitute

the warranty of any kind, express or implied.

To obtain the latest information, please access:

http://www.h3c.com

Technical Support

customer_service@h3c.com

http://www.h3c.com

About This Manual

Related Documentation

In addition to this manual, each H3C S9500 Series Routing Switches documentation

set includes the following:

Manual Description

H3C S9500 Series Routing Switches

Installation Manual

It introduces the installation procedure,

commissioning, maintenance and

monitoring of the S9500 series routing

switches.

H3C S9500 Series Routing Switches

Command Manual

It includes Feature List and Command

Index, Access Volume, IP Service

Volume, IP Routing Volume, IP Multicast

Volume, MPLS VPN Volume, QoS ACL

Volume, Security Volume, System

Volume, and unsupported commands.

Organization

H3C Configuration Manual is organized as follows:

Part Contents

00 Product Overview

includes Obtaining the Documentation, Product

Features, and Features.

01 Access Volume

includes Ethernet Interface Configuration, POS

Interface Configuration, GVRP Configuration, Link

Aggregation Configuration, Port Mirroring

Configuration, RPR Configuration, Ethernet OAM

Configuration MSTP Configuration, VLAN

Configuration, QinQ Configuration, BPDU Tunneling

Configuration, and Port Isolation Configuration.

02 IP Services Volume

includes ARP Configuration, DHCP Configuration,

DNS Configuration, IP Addressing Configuration, IP

Performance Configuration, UDP Helper Configuration

IPv6 Basics Configuration, Dual Stack Configuration,

Tunneling Configuration, and Adjacency Table

Configuration.

Part Contents

03 IP Routing Volume

includes IP Routing Overview, BGP Configuration,

IS-IS Configuration, OSPF Configuration, RIP

Configuration, Routing Policy Configuration, Static

Routing Configuration, IPv6 BGP Configuration, IPv6

IS-IS Configuration, IPv6 OSPFv3 Configuration, IPv6

RIPng Configuration, and IPv6 Static Routing

Configuration.

04 IP Multicast Volume

includes Multicast Overview, Multicast Routing and

Forwarding Configuration, IGMP Snooping

Configuration, IGMP Configuration, PIM Configuration,

MSDP Configuration, IPv6 Multicast Routing and

Forwarding Configuration, MLD Snooping

Configuration, MLD Configuration, IPv6 PIM

Configuration, and Multicast VLAN Configuration.

05 MPLS VPN Volume

includes MPLS Basics Configuration, MPLS TE

Configuration, VPLS Configuration, MPLS L2VPN

Configuration, MPLS L3VPN Configuration, MPLS

Hybrid Insertion Configuration, and GRE Configuration.

06 QoS ACL Volume includes QoS Configuration and ACL Configuration.

07 Security Volume

includes 802.1x Configuration, AAA RADIUS

HWTACACS Configuration, MAC Authentication

Configuration, L3+NAT Configuration, Password

Control Configuration, SSH2.0 Configuration, and

Portal Configuration.

08 System Volume

includes GR Configuration, VRRP Configuration, HA

Configuration, Device Management Configuration,

NQA Configuration, NetStream Configuration, NTP

Configuration, RMON Configuration, SNMP

Configuration, File System Management Configuration,

System Maintaining and Debugging Configuration,

Basic System Configuration, Information Center

Configuration, User Interface Configuration, MAC

Address Table Management Configuration, PoE

Configuration, and Clock Monitoring Configuration.

09 OAA Volume

includes OAP Module Configuration and ACSEI

Configuration.

10 Acronyms Offers the acronyms used in this manual.

Conventions

The manual uses the following conventions:

I. Command conventions

Convention Description

Boldface

The keywords of a command line are in Boldface.

italic

Command arguments are in italic.

[ ]

Items (keywords or arguments) in square brackets [ ] are

optional.

{ x | y | ... }

Alternative items are grouped in braces and separated by

vertical bars. One is selected.

[ x | y | ... ]

Optional alternative items are grouped in square brackets

and separated by vertical bars. One or none is selected.

{ x | y | ... } *

Alternative items are grouped in braces and separated by

vertical bars. A minimum of one or a maximum of all can be

selected.

[ x | y | ... ] *

Optional alternative items are grouped in square brackets

and separated by vertical bars. Many or none can be

selected.

&<1-n>

The argument(s) before the ampersand (&) sign can be

entered 1 to n times.

# A line starting with the # sign is comments.

II. GUI conventions

Convention Description

< >

Button names are inside angle brackets. For example, click

<OK>.

[ ]

Window names, menu items, data table and field names

are inside square brackets. For example, pop up the [New

User] window.

/

Multi-level menus are separated by forward slashes. For

example, [File/Create/Folder].

III. Symbols

Convention Description

Warning

Means reader be extremely careful. Improper operation

may cause bodily injury.

Caution

Means reader be careful. Improper operation may cause

data loss or damage to equipment.

 Note Means a complementary description.

Operation Manual

H3C S9500 Series Routing Switches IP Services Volume Organization

Manual Version

T2-081655-20080530-C-2.03

Product Version

S9500-CMW520-R2132

Organization

The IP Services Volume is organized as follows:

Features

(operation

manual)

Description

ARP

Address Resolution Protocol (ARP) is used to resolve an IP

address into a data link layer address. The volume describes:

z ARP Overview

z ARP configuration

z Proxy ARP configuration

DHCP

DHCP is built on a client-server model, in which the client

sends a configuration request and then the server returns a

reply to send configuration parameters such as an IP address

to the client. The volume describes:

z DHCP overview

z DHCP server configuration

z DHCP relay agent configuration

DNS

Used in the TCP/IP application, Domain Name System (DNS)

is a distributed database which provides the translation

between domain name and the IP address. The volume

describes:

z Introduction to DNS

z DNS configuration

IP Address

An IP address is a 32-bit address allocated to a network

interface on a device that is attached to the Internet. The

volume describes:

z Introduction to IP addresses

z IP address configuration

z IP unnumbered configuration

IP Performance

In some network environments, you need to adjust the IP

parameters to achieve best network performance. The volume

describes:

z IP performance overview

z IP performance configuration

Operation Manual

H3C S9500 Series Routing Switches IP Services Volume Organization

Features

(operation

manual)

Description

UDP Helper

UDP Helper functions as a relay agent that converts UDP

broadcast packets into unicast packets and forwards them to a

specified server. The volume describes:

z UDP Helper overview

z UDP Helper configuration

IPv6 Basics

Internet protocol version 6 (IPv6), also called IP next

generation (IPng), was designed by the Internet Engineering

Task Force (IETF) as the successor to Internet protocol

version 4 (IPv4). The volume describes:

z IPv6 overview

z Basic IPv6 functions configuration

z IPv6 NDP configuration

z PMTU discovery configuration

z IPv6 TCP properties configuration

z IPv6 FIB-Based forwarding configuration

z Capacity and update period of token bucket configuration

z IPv6 DNS configuration

Dual Stack

A network node that supports both IPv4 and IPv6 is called a

dual stack node. A dual stack node configured with an IPv4

address and an IPv6 address can have both IPv4 and IPv6

packets transmitted. The volume describes:

z Dual stack overview

z Dual stack configuration

Tunneling

Tunneling is an encapsulation technique, which utilizes one

network transport protocol to encapsulate packets of another

network transport protocol and transfer them over the network.

The volume describes:

z Tunneling overview

z IPv6 manually tunnel configuration

z Automatic IPv4-compatible IPv6 tunnel configuration

z 6to4 tunnel configuration

z 6to4 relay configuration

z ISATAP tunnel configuration

z IPv4 over IPv4 tunnel configuration

z Tunnel hybrid insertion configuration

Adjacency Table

An adjacency table manages the information on the neighbors

that are both connected and active. The volume describes:

z Adjacency table overview

z Displaying and maintaining the adjacency table

Operation Manual – ARP

H3C S9500 Series Routing Switches Table of Contents

i

Table of Contents

Chapter 1 ARP Configuration....................................................................................................... 1-1

1.1 ARP Overview....................................................................................................................1-1

1.1.1 ARP Function..........................................................................................................1-1

1.1.2 ARP Message Format.............................................................................................1-1

1.1.3 ARP Address Resolution Process...........................................................................1-2

1.1.4 ARP Mapping Table................................................................................................1-3

1.2 Configuring ARP................................................................................................................1-4

1.2.1 Configuring a Static ARP Entry...............................................................................1-4

1.2.2 Configuring the Maximum Number of ARP Entries a VLAN Interface Can Learn...........1-4

1.2.3 Setting Aging Time for Dynamic ARP Entries.........................................................1-5

1.2.4 Enabling the ARP Entry Check............................................................................... 1-5

1.2.5 Enabling the Support for ARP Requests from a Natural Network .......................... 1-6

1.2.6 ARP Configuration Examples..................................................................................1-6

1.3 Configuring Gratuitous ARP ..............................................................................................1-7

1.3.1 Introduction to Gratuitous ARP ...............................................................................1-7

1.3.2 Configuring Gratuitous ARP....................................................................................1-7

1.4 Configuring ARP Source Suppression ..............................................................................1-8

1.4.1 Introduction to ARP Source Suppression ...............................................................1-8

1.4.2 Configuring ARP Source Suppression....................................................................1-8

1.5 Configuring ARP Defense Against IP Packet Attack.........................................................1-8

1.5.1 Introduction to ARP Defense Against IP Packet Attack.......................................... 1-8

1.5.2 Enabling ARP Defense Against IP Packet Attack...................................................1-9

1.6 Configuring ARP Active Acknowledgement.......................................................................1-9

1.6.1 Introduction..............................................................................................................1-9

1.6.2 Configuring the ARP Active Acknowledgement Function....................................... 1-9

1.7 Configuring ARP Packet Source MAC Address Consistency Check..............................1-10

1.7.1 Introduction............................................................................................................1-10

1.7.2 Configuring ARP Packet Source MAC Address Consistency Check.................... 1-10

1.8 Displaying and Maintaining ARP .....................................................................................1-10

Chapter 2 Proxy ARP Configuration............................................................................................2-1

2.1 Proxy ARP Overview .........................................................................................................2-1

2.2 Enabling Proxy ARP..........................................................................................................2-1

2.3 Displaying and Maintaining Proxy ARP.............................................................................2-2

2.4 Proxy ARP Configuration Example....................................................................................2-2

Operation Manual – ARP

H3C S9500 Series Routing Switches Chapter 1 ARP Configuration

1-1

Chapter 1 ARP Configuration

When configuring ARP, go to these sections for information you are interested in:

z ARP Overview

z Configuring ARP

z Configuring Gratuitous ARP

z Configuring ARP Source Suppression

z Configuring ARP Defense Against IP Packet Attack

z Configuring ARP Active Acknowledgement

z Configuring ARP Packet Source MAC Address Consistency Check

z Displaying and Maintaining ARP

1.1 ARP Overview

1.1.1 ARP Function

Address resolution protocol (ARP) is used to resolve an IP address into a data link layer

address.

An IP address is the address of a host at the network layer. To send a network layer

packet to a destination host, the device must know the MAC address of the destination

host or the next hop. To this end, the IP address must be resolved into the

corresponding MAC address. Each host maintains an IP-to-MAC mapping table that

contains IP and MAC addresses of devices that communicated with the host recently.

1.1.2 ARP Message Format

2211

2

4664

Hardware address length

Protocol address length

28-byte ARP request/response

Protocol

type

Hardware

type

OP

Sender hardware

address

Sender protocol

address

Target hardware

address

Target

protocol

address

Figure 1-1 ARP message format

The following explains the fields in

Figure 1-1.

Operation Manual – ARP

H3C S9500 Series Routing Switches Chapter 1 ARP Configuration

1-2

z Hardware type: This field specifies the type of a hardware address. The value “1”

represents an Ethernet address.

z Protocol type: This field specifies the type of the protocol address to be mapped.

The hexadecimal value “0x0800” represents an IP address.

z Hardware address length and protocol address length: They respectively specify

the length of a hardware address and a protocol address, in bytes. For an Ethernet

address, the value of the hardware address length field is "6”. For an IP(v4)

address, the value of the protocol address length field is “4”.

z OP: Operation code. This field specifies the type of ARP message. The value “1”

represents an ARP request and “2” represents an ARP reply.

z Sender hardware address: This field specifies the hardware address of the device

sending the message.

z Sender protocol address: This field specifies the protocol address of the device

sending the message.

z Target hardware address: This field specifies the hardware address of the device

the message is being sent to.

z Target protocol address: This field specifies the protocol address of the device the

message is being sent to.

1.1.3 ARP Address Resolution Process

Sender MAC

address

00a0.2470.febd

Target IP

address

192.168.1.1

Target IP

address

192.168.1.2

Host A

192.168.1.1

0002.6779.0f4c

Host B

192.168.1.2

00a0.2470.febc

Target MAC

address

0000.0000.0000

Sender IP

address

192.168.1.1

Sender IP

address

192.168.1.2

Sender MAC

address

0002.6779.0f4c

Target MAC

address

0002.6779.0f4c

Figure 1-2 ARP address resolution process

Suppose that Host A and Host B are on the same subnet and that Host A sends a

message to Host B. The resolution process is as follows:

1) Host A looks in its ARP mapping table to see whether there is an ARP entry for

Host B. If Host A finds it, Host A uses the MAC address in the entry to encapsulate

the IP packet into a data link layer frame and sends the frame to Host B.

2) If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an

ARP request, in which the source IP address and source MAC address are

respectively the IP address and MAC address of Host A and the destination IP

address and MAC address are respectively the IP address of Host B and an

Operation Manual – ARP

H3C S9500 Series Routing Switches Chapter 1 ARP Configuration

1-3

all-zero MAC address. Because the ARP request is sent in broadcast mode, all

hosts on this subnet can receive the request, but only the requested host (namely,

Host B) will process the request.

3) Host B compares its own IP address with the destination IP address in the ARP

request. If they are the same, Host B saves the source IP address and source

MAC address into its ARP mapping table, encapsulates its MAC address into an

ARP reply, and unicasts the reply to Host A.

4) After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP

mapping table for subsequent packet forwarding. Meanwhile, Host A

encapsulates the IP packet and sends it out.

If Host A and Host B are not on the same subnet, Host A first sends an ARP request to

the gateway. The target IP address in the ARP request is the IP address of the gateway.

After obtaining the MAC address of the gateway from an ARP reply, Host A sends the

packet to the gateway. If the gateway maintains the ARP entry of Host B, it forwards the

packet to Host B directly; if not, it broadcasts an ARP request, in which the target IP

address is the IP address of Host B. After obtaining the MAC address of Host B, the

gateway sends the packet to Host B.

1.1.4 ARP Mapping Table

After obtaining the destination MAC address, the device adds the IP-to-MAC mapping

into its own ARP mapping table. This mapping is used for forwarding packets with the

same destination in future.

An ARP mapping table contains ARP entries, which fall into two categories: dynamic

and static.

1) A dynamic entry is automatically created and maintained by ARP. It can get aged,

be updated by a new ARP packet, or be overwritten by a static ARP entry. When

the aging timer expires or the interface goes down, the corresponding dynamic

ARP entry will be removed.

2) A static ARP entry is manually configured and maintained. It cannot get aged or be

overwritten by a dynamic ARP entry. It can be permanent or non-permanent.

z A permanent static ARP entry can be directly used to forward packets. When

configuring a permanent static ARP entry, you must configure a VLAN and

outbound interface for the entry besides the IP address and MAC address.

z A non-permanent static ARP entry cannot be directly used for forwarding data.

When configuring a non-permanent static ARP entry, you only need to configure

the IP address and MAC address. When forwarding IP packets, the device sends

an ARP request. If the source IP and MAC addresses in the received ARP reply

are the same as the configured IP and MAC addresses, the device adds the

interface receiving the ARP reply into the static ARP entry. Now the entry can be

used for forwarding IP packets.

Operation Manual – ARP

H3C S9500 Series Routing Switches Chapter 1 ARP Configuration

1-4

 Note:

Usually ARP dynamically implements and automatically seeks mappings from IP

addresses to MAC addresses, without manual intervention.

1.2 Configuring ARP

1.2.1 Configuring a Static ARP Entry

A static ARP entry is effective when the device works normally. However, when a VLAN

or VLAN interface to which a static ARP entry corresponds is deleted, the entry, if

permanent, will be deleted, and if non-permanent and resolved, will become

unresolved.

Follow these steps to configure a static ARP entry:

To do… Use the command… Remarks

Enter system view

system-view

—

Configure a

permanent static

ARP entry

arp static ip-address mac-address

[ vlan-id interface-type

interface-number ]

[ vpn-instance-name ]

Required

No permanent static

ARP entry is configured

by default.

Configure a

non-permanent

static ARP entry

arp static ip-address mac-address

[ vpn-instance vpn-instance-name ]

Required

No non-permanent

static ARP entry is

configured by default.

Caution:

The vlan-id argument must be the ID of an existing VLAN which corresponds to the

ARP entries. In addition, the Ethernet interface following the argument must belong to

that VLAN.

1.2.2 Configuring the Maximum Number of ARP Entries a VLAN Interface Can

Learn

Follow these steps to set the maximum number of dynamic ARP entries that a VLAN

interface can learn:

Operation Manual – ARP

H3C S9500 Series Routing Switches Chapter 1 ARP Configuration

1-5

To do… Use the command… Remarks

Enter system view

system-view

—

Enter VLAN interface view

interface vlan-interface

interface-number

—

Set the maximum number of

dynamic ARP entries that the

interface can learn

arp max-learning-num

number

Optional

4096 by default

1.2.3 Setting Aging Time for Dynamic ARP Entries

After dynamic ARP entries expire, the system will delete them from the ARP mapping

table. You can adjust the aging time for dynamic ARP entries according to the actual

network condition.

Follow these steps to set aging time for dynamic ARP entries:

To do… Use the command… Remarks

Enter system view

system-view

—

Set aging time for

dynamic ARP entries

arp timer aging

aging-time

Optional

20 minutes by default

1.2.4 Enabling the ARP Entry Check

The ARP entry check function disables a device from learning multicast MAC

addresses. With the ARP entry check enabled, the device cannot learn any ARP entry

with a multicast MAC address, and configuring such a static ARP entry is not allowed;

otherwise, the system displays error messages.

After the ARP entry check is disabled, the device can learn multicast ARP entries, and

you can also configure such static ARP entries on the device.

Follow these steps to enable the ARP entry check:

To do… Use the command… Remarks

Enter system view

system-view

—

Enable the ARP

entry check

arp check enable

Optional

Enabled by default. That is, the

device does not learn multicast

MAC addresses.

Operation Manual – ARP

H3C S9500 Series Routing Switches Chapter 1 ARP Configuration

1-6

1.2.5 Enabling the Support for ARP Requests from a Natural Network

When learning MAC addresses, if the device finds that the source IP address of an

ARP packet and the IP address of the inbound interface are not on the same subnet,

the device will further judge whether these two IP addresses are on the same natural

network.

Suppose that the IP address of Vlan-interface10 is 10.10.10.5/24 and that this interface

receives an ARP packet from 10.11.11.1/8. Because these two IP addresses are not on

the same subnet, Vlan-interface10 cannot process the packet. With this feature

enabled, the device will make judgment on natural network basis. Because the IP

address of Vlan-interface10 is a Class A address and its default mask length is 8, these

two IP addresses are on the same natural network. In this way, Vlan-interface10 can

learn the MAC address of the source IP address 10.11.11.1.

Follow these steps to enable the support for ARP requests from a natural network:

To do… Use the command… Remarks

Enter system view

system-view

—

Enable the support for

ARP requests from a

natural network

naturemask-arp enable

Required

Disabled by default

1.2.6 ARP Configuration Examples

I. Network requirements

z Disable ARP entry check.

z Set the aging time for dynamic ARP entries to 10 minutes.

z Enable the support for ARP requests from a natural network.

z Set the maximum number of dynamic ARP entries that VLAN-interface 10 can

learn to 1,000.

z Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address

being 00e0-fc01-0000, and the outbound interface being Ethernet1/1/1 of VLAN

10.

z Add a static ARP entry, with the IP address being 192.168.1.1/24, the MAC

address being 000F-E201-0070, and the outbound interface being Ethernet 1/1/1

of VLAN 10.

II. Configuration procedure

<Sysname> system-view

[Sysname] undo arp check enable

[Sysname] arp timer aging 10

[Sysname] naturemask-arp enable

Operation Manual – ARP

H3C S9500 Series Routing Switches Chapter 1 ARP Configuration

1-7

[Sysname] vlan 10

[Sysname-vlan10] quit

[Sysname] interface ethernet 1/1/1

[Sysname-Ethernet1/1/1] port access vlan 10

[Sysname-Ethernet1/1/1] quit

[Sysname] interface Vlan-interface 10

[Sysname-Vlan-interface10] arp max-learning-num 1000

[Sysname-Vlan-interface10] quit

[Sysname] arp static 192.168.1.1 000f-e201-0070 10 ethernet1/1/1

1.3 Configuring Gratuitous ARP

1.3.1 Introduction to Gratuitous ARP

A gratuitous ARP packet is a special ARP packet, in which the source IP address and

destination IP address are both the IP address of the sender, the source MAC address

is the MAC address of the sender, and the destination MAC address is a broadcast

address.

A device can implement the following functions by sending gratuitous ARP packets:

z Determining whether its IP address is already used by another device.

z Informing other devices of its MAC address change so that they can update their

ARP entries.

Upon receiving a gratuitous ARP packet, the device will do the following:

z If no corresponding ARP entry for the ARP packet is found in the cache, the device

adds the information carried in the packet to its own dynamic ARP entry table.

z If the source IP address of the ARP packet is identical to its own IP address, the

device returns an ARP reply to inform the sender of an address conflict.

1.3.2 Configuring Gratuitous ARP

Follow these steps to configure gratuitous ARP:

To do… Use the command… Remarks

Enter system view

system-view

—

Enable the device to send

gratuitous ARP packets

when receiving ARP

requests from another

network segment

gratuitous-arp-sendi

ng enable

Optional

By default, a device cannot

send gratuitous ARP

packets when receiving ARP

requests from another

network segment.

Enable the gratuitous ARP

packet learning function

gratuitous-arp-learni

ng enable

Required

Disabled by default.

Operation Manual – ARP

H3C S9500 Series Routing Switches Chapter 1 ARP Configuration

1-8

1.4 Configuring ARP Source Suppression

1.4.1 Introduction to ARP Source Suppression

If hosts on a network attack the device by sending large amounts of IP packets whose

IP addresses cannot be resolved, the following consequences will be resulted in:

z The device sends large amounts of ARP request messages to the destination

subnet, which increases the load of the destination subnet.

z The device continuously resolves destination IP addresses, which increase the

load of the CPU.

To protect against such attacks, S9500 series switches provide the ARP source

suppression function. With the function enabled, whenever the number of packets with

unresolvable destination IP addresses from a host within five seconds exceeds a

specified threshold, the device suppress the sending host from triggering any ARP

requests within the following five seconds.

1.4.2 Configuring ARP Source Suppression

Follow these steps to configure ARP source suppression:

To do… Use the command… Remarks

Enter system view

system-view

—

Enable ARP source suppression

arp

source-suppression

enable

Required

Disabled by

default

Set the maximum number of packets

with the same source IP address but

unresolvable destination IP

addresses that the device can receive

in five consecutive seconds

arp

source-suppression

limit limit-value

Optional

10 by default

1.5 Configuring ARP Defense Against IP Packet Attack

1.5.1 Introduction to ARP Defense Against IP Packet Attack

In forwarding an IPv4 packet, a device depends on ARP to resolve the MAC address of

the next hop. If the address resolution is successful, the forwarding chip forwards the

packet directly. Otherwise, the device runs software for further processing. When large

amounts of IP packets for which ARP cannot resolve the IP addresses of the next hops

arrive at a device, the software on the device will be called again and again and the

CPU of the device will be overburdened. This is called IP packet attack.

To protect a device against IP packet attack, you can configure the ARP defense

against IP packet attack function. After receiving an IP packet with the IP address of the

Operation Manual – ARP

H3C S9500 Series Routing Switches Chapter 1 ARP Configuration

1-9

next hop unreachable (an IP packet that ARP cannot resolve the MAC address of the

next hop), a device with this function creates a black hole route immediately and the

forwarding chip simply drops all packets to the address. Note that a black hole route

can get aged, in which case a subsequent IP packet with the same next hop triggers the

above process. This protects the device against the IP packet attack efficiently,

reducing the load of the CPU.

1.5.2 Enabling ARP Defense Against IP Packet Attack

The ARP defense against IP packet attack function works for forwarded packets and

those originated by the device.

Follow these steps to configure ARP defense against IP packet attack:

To do… Use the command… Remarks

Enter system view

system-view

—

Enable ARP defense

against IP packet attack

arp resolving-route

enable

Optional

Enabled by default

1.6 Configuring ARP Active Acknowledgement

1.6.1 Introduction

Typically, the ARP active acknowledgement feature is configured on gateway devices

to identify invalid ARP packets.

With this feature enabled, the gateway, upon receiving an ARP packet with a different

source MAC address from that in the corresponding ARP entry, checks whether the

ARP entry has been updated within the last minute:

z If yes, the gateway ignores the ARP packet;

z If not, the gateway sends a unicast request to the source MAC address of the ARP

entry.

Then,

z If a response is received within five seconds, the ARP packet is ignored;

z If no response is received, the gateway sends a unicast request to the MAC

address of the ARP packet.

Then,

z If a response is received within five seconds, the gateway updates the ARP entry;

z If not, the ARP entry is not updated.

1.6.2 Configuring the ARP Active Acknowledgement Function

Follow these steps to configure ARP active acknowledgement:

Operation Manual – ARP

H3C S9500 Series Routing Switches Chapter 1 ARP Configuration

1-10

To do… Use the command… Remarks

Enter system view

system-view

—

Enable the ARP active

acknowledgement

function

arp anti-attack

active-ack enable

Required

Disabled by default.

1.7 Configuring ARP Packet Source MAC Address

Consistency Check

1.7.1 Introduction

This feature enables the device to filter out ARP packets with the source MAC address

in the Ethernet header different from the sender MAC address in the ARP message.

1.7.2 Configuring ARP Packet Source MAC Address Consistency Check

Follow these steps to enable ARP packet source MAC address consistency check:

To do… Use the command… Remarks

Enter system view

system-view

—

Enable ARP packet source MAC

address consistency check

arp anti-attack

valid-check enable

Required

Disabled by default.

1.8 Displaying and Maintaining ARP

To do… Use the command… Remarks

Display the ARP entries in

the ARP mapping table

display arp { { all | dynamic |

static } [ slot slot-id ] | vlan

vlan-id | interface interface-type

interface-number } [ [ verbose ]

[ | { begin | exclude | include }

text ] | count ]

Available in any

view

Display the ARP entries

for a specified IP address

display arp ip-address [ slot

slot-id ] [ verbose ] [ | { begin |

exclude | include } text ]

Available in any

view

Display the ARP entries

for a specified VPN

instance

display arp vpn-instance

vpn-instance-name [ | { begin |

exclude | include } text | count ]

Available in any

view

Display the aging time for

dynamic ARP entries

display arp timer aging

Available in any

view

Operation Manual – ARP

H3C S9500 Series Routing Switches Chapter 1 ARP Configuration

1-11

To do… Use the command… Remarks

Display the configuration

information of ARP source

suppression

display arp

source-suppression

Available in any

view

Clear ARP entries from

the ARP mapping table

reset arp { all | dynamic | static

| slot slot-id | interface

interface-type interface-number }

Available in user

view

Page is loading ...

H3C S9500 Series Operating instructions

H3C S9500 Series Operating instructions

Related papers

Other documents