ARP throttle operation

Source-MAC based ARP attack detection (ARP throttle) protects the switch CPU from ARP attacks by limiting the number of ARP packets the CPU accepts from a given client. An ARP attack is detected when the switch receives more ARP packets from the same source MAC address than the configured threshold allows. ARP throttle uses a “remediation mode” to determine whether it only monitors the rate of ARP packets or actually restricts ARP packet traffic from a given client. If a device in your network legitimately sends a large number of ARP packets, you can configure ARP throttling to exclude that device from monitoring.

When enabled in the default configuration, ARP throttle:
  • monitors incoming ARP packets and “blacklists” clients sending excessive ARP packets to the switch

  • maintains a count of clients sending ARP packets to the switch

When configured to filter ARP packet traffic, ARP throttle monitors ARP packet traffic as described above, and also drops ARP packets received from blacklisted clients.
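The following Python simulation, added here as an illustration and not the switch's own code, walks through the per-source-MAC threshold check, the two remediation modes, and the exclusion list over a constructed sequence of ARP packets. The window reset, the choice to drop the packet that crosses the threshold, and the MAC values are assumptions.

```python
"""Simulation of ARP throttle behaviour (constructed example, not vendor code)."""
from collections import Counter

MONITOR, FILTER = "monitor", "filter"   # the two remediation modes


class ArpThrottle:
    def __init__(self, threshold, mode=MONITOR, excluded=()):
        self.threshold = threshold                     # max ARP packets per source MAC per window (assumed)
        self.mode = mode                               # MONITOR: blacklist only; FILTER: also drop
        self.excluded = {m.lower() for m in excluded}  # trusted devices that are never monitored
        self.counts = Counter()                        # ARP packets seen per source MAC this window
        self.blacklist = set()                         # clients that exceeded the threshold

    def handle(self, src_mac):
        """Process one ARP packet; return True if it reaches the CPU, False if dropped."""
        mac = src_mac.lower()
        if mac in self.excluded:
            return True                                # excluded devices are neither counted nor limited
        self.counts[mac] += 1
        if self.counts[mac] > self.threshold:
            self.blacklist.add(mac)                    # detection happens in both modes
        if self.mode == FILTER and mac in self.blacklist:
            return False                               # remediation: drop traffic from blacklisted client
        return True

    def client_count(self):
        """Number of distinct (non-excluded) clients that sent ARP packets this window."""
        return len(self.counts)

    def reset_window(self):
        self.counts.clear()                            # assumed: counters restart each window


def run(packets, threshold, mode, excluded=()):
    """Feed packets through the throttle; return (delivered, sorted blacklist, client count)."""
    throttle = ArpThrottle(threshold, mode, excluded)
    delivered = sum(1 for mac in packets if throttle.handle(mac))
    return delivered, sorted(throttle.blacklist), throttle.client_count()


# Constructed sample: client A sends 5 ARP packets, B sends 2, C (a trusted device) sends 6.
A, B, C = "00:11:22:33:44:aa", "00:11:22:33:44:bb", "00:11:22:33:44:cc"
SAMPLE_PACKETS = [A, B, A, C, A, C, A, B, A, C, C, C, C]
EXCLUDED = [C]

if __name__ == "__main__":
    print("monitor:", run(SAMPLE_PACKETS, 3, MONITOR, EXCLUDED))   # A blacklisted, nothing dropped
    print("filter: ", run(SAMPLE_PACKETS, 3, FILTER, EXCLUDED))    # A blacklisted, 2 packets dropped
    print("no excl:", run(SAMPLE_PACKETS, 3, FILTER))              # C now counted and blacklisted too
```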

Non-default ARP throttle settings persist when ARP throttle is disabled.