Cisco Systems WSC4500X16SFP Manual De Usuario
32-16
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 32 Understanding and Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
Limiting the Rate of Incoming ARP Packets
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of
incoming ARP packets is rate-limited to prevent a denial-of-service attack.
incoming ARP packets is rate-limited to prevent a denial-of-service attack.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the
error-disabled state. The port remains in that state until you intervene or you enable error-disable
recovery so that ports automatically emerge from this state after a specified timeout period.
error-disabled state. The port remains in that state until you intervene or you enable error-disable
recovery so that ports automatically emerge from this state after a specified timeout period.
Note
Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also
changes its rate limit to the default value for that trust state. After you configure the rate limit, the
interface retains the rate limit even when its trust state is changed. If you enter the
no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
changes its rate limit to the default value for that trust state. After you configure the rate limit, the
interface retains the rate limit even when its trust state is changed. If you enter the
no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
To limit the rate of incoming ARP packets, perform this task beginning in privileged EXEC mode.
Command
Purpose
Step 1
Switch# configure terminal
Enters global configuration mode.
Step 2
Switch(config)#
interface
interface-id
Specifies the interface to be rate-limited, and enter interface
configuration mode.
configuration mode.
Step 3
Switch(config-if)# [no] ip arp
inspection limit
{
rate
pps
[
burst
interval
seconds] |
none
}
Limits the rate of incoming ARP requests and responses on the
interface.
interface.
The default rate is 15 pps on untrusted interfaces and unlimited on
trusted interfaces. The burst interval is 1 second.
trusted interfaces. The burst interval is 1 second.
The keywords have these meanings:
•
For rate pps, specify an upper limit for the number of incoming
packets processed per second. The range is 0 to 2048 pps.
packets processed per second. The range is 0 to 2048 pps.
•
(Optional) For burst interval seconds, specify the consecutive
interval in seconds, over which the interface is monitored for a high
rate of ARP packets.The range is 1 to 15.
interval in seconds, over which the interface is monitored for a high
rate of ARP packets.The range is 1 to 15.
•
For rate none, specify no upper limit for the rate of incoming ARP
packets that can be processed.
packets that can be processed.
Step 4
Switch(config-if)# exit
Returns to global configuration mode.
Step 5
Switch(config)# errdisable recovery
{
cause arp-inspection
|
interval
interval}
(Optional) Enables error recovery from the dynamic ARP inspection
error-disable state.
error-disable state.
By default, recovery is disabled, and the recovery interval is 300
seconds.
seconds.
For interval interval, specify the time in seconds to recover from the
error-disable state. The range is 30 to 86400.
error-disable state. The range is 30 to 86400.
Step 6
Switch(config)# exit
Returns to privileged EXEC mode.
Step 7
Switch# show ip arp inspection
interfaces
Verifies your settings.
Step 8
Switch# show errdisable recovery
Verifies your settings.
Step 9
Switch# copy running-config
startup-config
(Optional) Saves your entries in the configuration file.