Study Notes for HCIE Exam on "Security Features" Part-3

Rate limit of ARP Miss messages:


If a host on the network sends a large number of IP packets whose destination IP address the device cannot resolve (that is, the routing table has an entry matching the destination IP address, but the device has no ARP entry for that route's next hop), the device generates a large number of ARP Miss messages. The IP packets that trigger ARP Miss messages (ARP Miss packets) are sent to the CPU for processing. Based on the ARP Miss messages, the device creates and delivers a large number of temporary ARP entries and sends a large number of ARP request packets to the destination network. This increases the load on the device's CPU and also consumes a great deal of bandwidth on the destination network.


To avoid the harm caused by such IP packet attacks, the device provides the following types of rate-limiting functions for ARP Miss messages:

  1. Rate limiting of ARP Miss messages based on the source IP address.

  2. Rate limiting of ARP Miss messages at the global, VLAN, and interface levels.

  3. Controlling the trigger frequency of ARP Miss messages by setting the aging time of temporary ARP entries.


Rate limiting of ARP Miss messages based on the source IP address:


When the device detects that the number of ARP Miss messages triggered by IP packets from a given source IP address within 1 second exceeds the configured ARP Miss rate limit, it considers that source IP address to be launching an attack.


What happens next depends on the processing mode. In block mode, the device discards the ARP Miss messages that exceed the rate limit (that is, it discards the ARP Miss packets that triggered them) and additionally delivers an ACL that discards all subsequent ARP Miss packets from that source IP address. In none-block mode, the device only discards, through software rate limiting, the ARP Miss messages that exceed the rate limit, again by discarding the ARP Miss packets that triggered them; ARP Miss packets within the limit in each later second are still processed.


If an IP address is specified when the rate limit is configured, only ARP Miss messages whose source IP address is that address are limited to the configured rate; if no IP address is specified, the rate limit applies separately to every source IP address.
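The difference between block mode and none-block mode is easiest to see on concrete traffic. The following is an added example, not Huawei code or configuration: it models a per-source-IP ARP Miss rate limiter with a 1-second window and replays a constructed burst from an attacking host next to a legitimate host. The window handling, the limit of 10 and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Added example (not Huawei code): a model of per-source-IP ARP Miss rate limiting
# in "block" and "none-block" mode. The 1-second window, the limit value and the
# sample traffic are assumptions made for illustration.

WINDOW_SECONDS = 1.0


def simulate_arp_miss_limit(packets, limit, mode):
    """Run ARP Miss packets through a per-source-IP rate limiter.

    packets: iterable of (timestamp_seconds, src_ip); each one is an IP packet whose
             next hop has no ARP entry, so it would raise an ARP Miss message.
    limit:   ARP Miss messages allowed per source IP within one 1-second window.
    mode:    "block"      -> on exceeding the limit, drop the excess and install an
                             ACL that discards every later ARP Miss packet from that IP
             "none-block" -> drop only the excess in each window (software rate limit)

    Returns (processed_per_ip, dropped_per_ip, blocked_ips).
    """
    if mode not in ("block", "none-block"):
        raise ValueError("mode must be 'block' or 'none-block'")
    window_start = {}            # src_ip -> start time of its current window
    window_count = {}            # src_ip -> ARP Miss messages seen in that window
    blocked = set()              # src_ips for which an ACL has been installed
    processed = defaultdict(int)
    dropped = defaultdict(int)

    for ts, ip in sorted(packets):
        if ip in blocked:        # ACL hit: discarded before any ARP Miss handling
            dropped[ip] += 1
            continue
        if ip not in window_start or ts - window_start[ip] >= WINDOW_SECONDS:
            window_start[ip] = ts    # open a fresh 1-second window for this source
            window_count[ip] = 0
        window_count[ip] += 1
        if window_count[ip] > limit:
            dropped[ip] += 1         # excess ARP Miss packet is discarded
            if mode == "block":
                blocked.add(ip)      # and this source IP is blocked from now on
        else:
            processed[ip] += 1       # within the limit: CPU handles the ARP Miss
    return dict(processed), dict(dropped), blocked


def sample_traffic():
    """Constructed traffic: an attacker bursting 50 unresolvable packets per second
    for two seconds, and a legitimate host sending one such packet per second."""
    attacker, legit = "10.0.0.50", "10.0.0.7"
    pkts = [(second + i * 0.01, attacker) for second in (0, 1) for i in range(50)]
    pkts += [(0.2, legit), (1.3, legit)]
    return pkts


def run_example(limit=10):
    """Apply the same traffic and limit in both modes; keyed by mode name."""
    return {mode: simulate_arp_miss_limit(sample_traffic(), limit, mode)
            for mode in ("block", "none-block")}


if __name__ == "__main__":
    for mode, (processed, dropped, blocked) in run_example().items():
        print(f"{mode}: processed={processed} dropped={dropped} blocked={sorted(blocked)}")
```

With a limit of 10, block mode lets the attacker's first 10 ARP Miss packets reach the CPU and then discards the remaining 90, including the entire second burst, because the ACL is already in place; none-block mode discards only the 40 excess packets in each second, so 20 of the attacker's packets are still processed. The legitimate host's two packets are processed in both modes, which is the point of limiting per source IP rather than globally.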

① Rate limiting of ARP Miss messages at the global, VLAN, and interface levels:

The device supports configuring the ARP Miss rate limit globally, in a VLAN, and on an interface. The order of precedence is interface first, then VLAN, then global: a limit configured on an interface takes effect over a limit configured for its VLAN, which in turn takes effect over the global limit.

② Rate limiting of ARP Miss messages globally:

When the device is attacked by IP packets whose destination IP address cannot be resolved, this function limits the total number of ARP Miss messages the device processes.


③ Limiting the rate of ARP Miss messages in a VLAN:

When such an attack occurs on the interfaces in a VLAN, this function limits the number of ARP Miss messages triggered by packets received in that VLAN. Configuring it ensures that IP packet forwarding on the interfaces in other VLANs is not affected.


④ Limiting the rate of ARP Miss messages on an interface:

When such an attack occurs on an interface, this function limits the number of ARP Miss messages triggered by packets received on that interface. Configuring it ensures that IP packet forwarding on other interfaces is not affected.


⑤ Controlling the trigger frequency of ARP Miss messages by setting the aging time of temporary ARP entries:

When an IP packet triggers an ARP Miss message, the device creates a temporary ARP entry based on the ARP Miss message and sends an ARP request packet to the destination network segment.


  • Until the device receives an ARP reply, IP packets matching the temporary ARP entry are discarded and do not trigger further ARP Miss messages.

  • After receiving the ARP reply, the device creates a correct ARP entry that replaces the temporary entry.

  • When the aging time expires, the device clears the temporary ARP entry. If an IP packet to be forwarded then fails to match an ARP entry, an ARP Miss message is triggered again, a new temporary ARP entry is created, and the cycle repeats.

  • When the device is judged to be under attack, you can increase the aging time of temporary ARP entries. This lengthens the cycle above, reduces the frequency at which ARP Miss messages are triggered, and so reduces the impact of the attack on the device.
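The cycle above determines how many ARP Miss messages one attacking flow can cause: roughly one per aging period for as long as the destination never answers. The following is an added example, not Huawei code: it replays a constructed packet stream against a model of the temporary ARP entry and counts ARP Miss messages for two aging times, and also shows the normal case where an ARP reply arrives and stops the cycle. Times are integer milliseconds; the packet rate, aging times and reply time are assumptions made for illustration.

```python
# Added example (not Huawei code): a model of the temporary-ARP-entry cycle, used to
# compare how often ARP Miss messages are triggered for different aging times.
# Times are integer milliseconds; rates, aging times and the reply time are assumptions.

def simulate_temp_arp_entry(packet_times_ms, aging_ms, reply_at_ms=None):
    """Replay IP packets that all need the same unresolved next hop.

    packet_times_ms: sorted packet arrival times in milliseconds.
    aging_ms:        lifetime of a temporary ARP entry (the aging time).
    reply_at_ms:     time an ARP reply for the next hop arrives, or None if the
                     destination never answers (the attack case).

    Returns (arp_miss_count, dropped, forwarded).
    """
    temp_entry_expires = None    # expiry time of the current temporary entry
    resolved = False             # True once a correct ARP entry exists
    misses = dropped = forwarded = 0
    for ts in packet_times_ms:
        if not resolved and reply_at_ms is not None and ts >= reply_at_ms:
            resolved = True      # reply received: correct entry replaces the temporary one
        if resolved:
            forwarded += 1       # normal forwarding from here on
        elif temp_entry_expires is not None and ts < temp_entry_expires:
            dropped += 1         # temporary entry still present: drop, no new ARP Miss
        else:
            misses += 1          # no live entry: ARP Miss, ARP request, new temporary entry
            temp_entry_expires = ts + aging_ms
    return misses, dropped, forwarded


def attack_stream(duration_ms=30_000, interval_ms=100):
    """Constructed flow: one packet every 100 ms for 30 s to a next hop that never replies."""
    return list(range(0, duration_ms, interval_ms))


def compare_aging_times(aging_values_ms=(3_000, 10_000)):
    """ARP Miss count per aging time over the same 30-second attack stream."""
    return {aging: simulate_temp_arp_entry(attack_stream(), aging)[0]
            for aging in aging_values_ms}


if __name__ == "__main__":
    for aging, misses in compare_aging_times().items():
        print(f"aging {aging} ms: {misses} ARP Miss messages in 30 s")
    print("with a reply at 500 ms:", simulate_temp_arp_entry(attack_stream(), 3_000, 500))
```

Over 30 seconds of 10 packets per second, an aging time of 3 s yields 10 ARP Miss messages (one per cycle) and 10 ARP requests onto the destination network, while 10 s yields 3; every other packet in the stream is dropped against the temporary entry without reaching the CPU. When a reply does arrive, only the first packet raises an ARP Miss and the rest are forwarded, which is why a longer aging time costs a legitimate first packet nothing beyond the normal resolution delay.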


Check out part 1 and part 2 of this article: Study Notes for HCIE Exam on "Security Features" Part-1

Study Notes for HCIE Exam on "Security Features" Part-2


© Copyright 591Lab 2020. All Rights Reserved.