Cisco Systems 3130 User Manual
22-4
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 22 Configuring Dynamic ARP Inspection
Understanding Dynamic ARP Inspection
Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running
dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic
ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the
hosts that are connected to a switch running dynamic ARP inspection.
dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic
ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the
hosts that are connected to a switch running dynamic ARP inspection.
In cases in which some switches in a VLAN run dynamic ARP inspection and other switches do not,
configure the interfaces connecting such switches as untrusted. However, to validate the bindings of
packets from nondynamic ARP inspection switches, configure the switch running dynamic ARP
inspection with ARP ACLs. When you cannot determine such bindings, at Layer 3, isolate switches
running dynamic ARP inspection from switches not running dynamic ARP inspection switches. For
configuration information, see the
configure the interfaces connecting such switches as untrusted. However, to validate the bindings of
packets from nondynamic ARP inspection switches, configure the switch running dynamic ARP
inspection with ARP ACLs. When you cannot determine such bindings, at Layer 3, isolate switches
running dynamic ARP inspection from switches not running dynamic ARP inspection switches. For
configuration information, see the
.
Note
Depending on the setup of the DHCP server and the network, it might not be possible to validate a given
ARP packet on all switches in the VLAN.
ARP packet on all switches in the VLAN.
Rate Limiting of ARP Packets
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of
incoming ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for
untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can
change this setting by using the ip arp inspection limit interface configuration command.
incoming ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for
untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can
change this setting by using the ip arp inspection limit interface configuration command.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the
error-disabled state. The port remains in that state until you intervene. You can use the errdisable
recovery global configuration command to enable error disable recovery so that ports automatically
emerge from this state after a specified timeout period.
error-disabled state. The port remains in that state until you intervene. You can use the errdisable
recovery global configuration command to enable error disable recovery so that ports automatically
emerge from this state after a specified timeout period.
Note
The rate limit for an EtherChannel is applied separately to each switch in a stack. For example, if a limit
of 20 pps is configured on the EtherChannel, each switch with ports in the EtherChannel can carry up to
20 pps. If any switch exceeds the limit, the entire EtherChannel is placed into the error-disabled state.
of 20 pps is configured on the EtherChannel, each switch with ports in the EtherChannel can carry up to
20 pps. If any switch exceeds the limit, the entire EtherChannel is placed into the error-disabled state.
For configuration information, see the
Relative Priority of ARP ACLs and DHCP Snooping Entries
Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP-to-MAC
address bindings.
address bindings.
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs
only if you configure them by using the ip arp inspection filter vlan global configuration command.
The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP
packet, the switch also denies the packet even if a valid binding exists in the database populated by
DHCP snooping.
only if you configure them by using the ip arp inspection filter vlan global configuration command.
The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP
packet, the switch also denies the packet even if a valid binding exists in the database populated by
DHCP snooping.