Cisco Systems 3560 User Manual

Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 22: Configuring Dynamic ARP Inspection
For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the 
Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This 
procedure is optional.
To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.
Performing Validation Checks
Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address 
bindings. You can configure the switch to perform additional checks on the destination MAC address, 
the sender and target IP addresses, and the source MAC address.
Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP 
packets. This procedure is optional.
Steps for limiting the rate of incoming ARP packets:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 2
  Command: interface interface-id
  Purpose: Specify the interface to be rate-limited, and enter interface configuration mode.

Step 3
  Command: ip arp inspection limit {rate pps [burst interval seconds] | none}
  Purpose: Limit the rate of incoming ARP requests and responses on the interface.
  The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces. The burst interval is 1 second.
  The keywords have these meanings:
  • For rate pps, specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.
  • (Optional) For burst interval seconds, specify the consecutive interval in seconds, over which the interface is monitored for a high rate of ARP packets. The range is 1 to 15.
  • For rate none, specify no upper limit for the rate of incoming ARP packets that can be processed.

Step 4
  Command: exit
  Purpose: Return to global configuration mode.

Step 5
  Command: errdisable recovery cause arp-inspection interval interval
  Purpose: (Optional) Enable error recovery from the dynamic ARP inspection error-disable state.
  By default, recovery is disabled, and the recovery interval is 300 seconds.
  For interval interval, specify the time in seconds to recover from the error-disable state. The range is 30 to 86400.

Step 6
  Command: exit
  Purpose: Return to privileged EXEC mode.

Step 7
  Command: show ip arp inspection interfaces
           show errdisable recovery
  Purpose: Verify your settings.

Step 8
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
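
The following audit script is an added example, not part of the Cisco guide. It reads running-config text and reports the effective ARP rate limit per interface, using the defaults and ranges from Step 3. It assumes trusted ports are marked with ip arp inspection trust (a real IOS command not shown on this page); the function name and sample config are constructed for illustration.

```python
import re

# Defaults and ranges as stated in Step 3 of the procedure above.
DEFAULT_UNTRUSTED_PPS, DEFAULT_BURST = 15, 1
RATE_RANGE, BURST_RANGE = range(0, 2049), range(1, 16)
LIMIT_RE = re.compile(
    r"ip arp inspection limit (?:none|rate (\d+)(?: burst interval (\d+))?)$")

# Constructed sample input, not taken from a real switch.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 ip arp inspection limit rate 100 burst interval 5
!
interface GigabitEthernet0/3
 ip arp inspection limit none
!
interface GigabitEthernet0/24
 ip arp inspection trust
"""

def audit_arp_limits(config):
    """Return {interface: (rate, burst, findings)}; rate None means unlimited."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = blocks.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw[:1].isspace() and current is not None:
            current.append(raw.strip())      # indented line inside the stanza
        else:
            current = None                   # "!" or a global command ends it
    report = {}
    for name, lines in blocks.items():
        trusted = "ip arp inspection trust" in lines  # assumed trust marker
        rate = None if trusted else DEFAULT_UNTRUSTED_PPS
        burst, findings = DEFAULT_BURST, []
        for line in (l for l in lines if l.startswith("ip arp inspection limit")):
            m = LIMIT_RE.match(line)
            if m is None:
                findings.append("unparsed limit command: " + line)
            elif m.group(1) is None:
                rate = None                  # "limit none"
            else:
                rate, burst = int(m.group(1)), int(m.group(2) or DEFAULT_BURST)
        if rate is not None and rate not in RATE_RANGE:
            findings.append("rate outside 0-2048 pps")
        if burst not in BURST_RANGE:
            findings.append("burst interval outside 1-15 s")
        if rate is None and not trusted:
            findings.append("untrusted port with no ARP rate limit")
        report[name] = (rate, burst, findings)
    return report
```

Compare the report with the output of show ip arp inspection interfaces from Step 7 to confirm the switch applies the same values.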