Problem Description
#
acl number 2001
rule 5 permit source 10.2.0.0 0.0.255.255
#
cpu-defend policy 2
whitelist 1 acl 2001
auto-defend whitelist 1 interface XGigabitEthernet1/3/0/14
auto-defend whitelist 1 interface XGigabitEthernet1/3/0/15
auto-defend whitelist 1 interface XGigabitEthernet2/3/0/14
auto-defend whitelist 1 interface XGigabitEthernet2/3/0/15
#
slot 1/3
cpu-defend-policy 2
#
slot 2/3
cpu-defend-policy 2
#
Alarm Information
Dec 14 2016 19:22:48 office_core %%01SECE/4/PORT_ATTACK_OCCUR(l)[12]:Auto port-defend started.(SourceAttackInterface=XGigabitEthernet2/3/0/14, AttackProtocol=ARP-REQUEST)
Dec 14 2016 19:21:38 office_core %%01SECE/4/PORT_ATTACK_OCCUR(l)[13]:Auto port-defend started.(SourceAttackInterface=XGigabitEthernet1/3/0/14, AttackProtocol=ARP-REQUEST)
Dec 14 2016 19:20:28 office_core %%01SECE/4/PORT_ATTACK_OCCUR(l)[14]:Auto port-defend started.(SourceAttackInterface=GigabitEthernet1/4/0/36, AttackProtocol=ARP-REQUEST)
Dec 14 2016 19:08:39 office_core %%01SECE/4/PORT_ATTACK_OCCUR(l)[15]:Auto port-defend started.(SourceAttackInterface=XGigabitEthernet1/3/0/14, AttackProtocol=ARP-REQUEST)
Dec 14 2016 19:02:58 office_core %%01SECE/4/PORT_ATTACK_OCCUR(l)[16]:Auto port-defend started.(SourceAttackInterface=XGigabitEthernet2/3/0/14, AttackProtocol=ARP-REQUEST)
Handling Process
The attack defense whitelist needs to be applied globally:
#
cpu-defend-policy 2
#
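After the policy is applied, the problem is resolved.
Root Cause
Caused by the security defense mechanism of the main control board.
Solution
Apply cpu-defend-policy globally so that the whitelist takes effect.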
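The check below is an added example, not part of the original case or of any Huawei tool: it parses a '#'-delimited configuration like the one above, finds interfaces on an auto-defend whitelist whose policy is bound only under slot sections, and counts the PORT_ATTACK_OCCUR alarms still raised for them. The function names and the abridged sample input are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input, abridged from the configuration and alarms in this case.
CONFIG = """#
cpu-defend policy 2
 whitelist 1 acl 2001
 auto-defend whitelist 1 interface XGigabitEthernet1/3/0/14
 auto-defend whitelist 1 interface XGigabitEthernet2/3/0/14
#
slot 1/3
 cpu-defend-policy 2
#
slot 2/3
 cpu-defend-policy 2
#"""
LOGS = """\
Dec 14 2016 19:22:48 office_core %%01SECE/4/PORT_ATTACK_OCCUR(l)[12]:Auto port-defend started.(SourceAttackInterface=XGigabitEthernet2/3/0/14, AttackProtocol=ARP-REQUEST)
Dec 14 2016 19:21:38 office_core %%01SECE/4/PORT_ATTACK_OCCUR(l)[13]:Auto port-defend started.(SourceAttackInterface=XGigabitEthernet1/3/0/14, AttackProtocol=ARP-REQUEST)
Dec 14 2016 19:20:28 office_core %%01SECE/4/PORT_ATTACK_OCCUR(l)[14]:Auto port-defend started.(SourceAttackInterface=GigabitEthernet1/4/0/36, AttackProtocol=ARP-REQUEST)
"""
EVENT = re.compile(r"PORT_ATTACK_OCCUR.*?SourceAttackInterface=([^,]+), AttackProtocol=([^)]+)\)")

def sections(config):
    """Split a '#'-delimited configuration into (header, body_lines) pairs."""
    chunks = re.split(r"(?m)^#[ \t]*$", config)
    parsed = [[l.strip() for l in c.splitlines() if l.strip()] for c in chunks]
    return [(p[0], p[1:]) for p in parsed if p]

def audit(config, logs):
    """Return (uncovered, other): alarm counts per interface. 'uncovered' holds ports on
    an auto-defend whitelist whose policy is not applied at the top (global) level."""
    whitelisted, applied_globally = {}, set()
    for header, body in sections(config):
        if header.startswith("cpu-defend policy "):      # policy definition
            for line in body:
                if m := re.match(r"auto-defend whitelist \d+ interface (\S+)", line):
                    whitelisted[m.group(1)] = header.split()[-1]
        elif header.startswith("cpu-defend-policy "):    # policy applied globally
            applied_globally.add(header.split()[1])
    uncovered, other = Counter(), Counter()
    for ifname, _protocol in EVENT.findall(logs):
        policy = whitelisted.get(ifname)
        missed = policy is not None and policy not in applied_globally
        (uncovered if missed else other)[ifname] += 1
    return dict(uncovered), dict(other)

if __name__ == "__main__":
    print(audit(CONFIG, LOGS))
```

A non-empty first result corresponds to the situation in this case: whitelisted ports still raising port-defend alarms while the policy is bound only to the slots.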
Recommendations and Summary
Configuring an attack defense whitelist carries a risk of high CPU usage; configure it with caution.