2-113
Catalyst4500 Series SwitchCiscoIOS Command Reference—Release 12.2(18)EW
78-16201-01
Chapter2Cisco IOS Commands for the Catalyst 4500 Series Switches
ip arp inspection limit (interface)
ip arp inspection limit (interface)
To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from
consuming all of the system’s resources in event of a DOS attack, use the ip arp inspection limit
command. Use the no form of this command to release the limit.
ip arp inspection limit {rate pps | none} [burst interval seconds]
no ip arp inspection limit
Syntax Description
Defaults The rate is set to 15 packets per second on untrusted interfaces, assuming that the network is a switched
network with a host connecting to as many as 15 new hosts per second.
The rate is unlimited on all trusted interfaces.
Burst interval is set to 1 second by default.
Command Modes Interface
Command History
Usage Guidelines Trunk ports should be configured with higher rates to reflect their aggregation. When the rate of
incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state.
The error-disable timeout feature can be used to remove the port from the error-disabled state. The rate
applies to both trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle packets
across multiple DAI-enabled VLANs or use the none keyword to make the rate unlimited.
The rate of incoming ARP packets on channel ports is equal to the sum of the incoming rate of packets
from all the channel members. Configure the rate limit for channel ports only after examining the rate
of incoming ARP packets on the channel members.
After a switch receives more than the configured rate of packets every second consecutively over a period
of burst seconds, the interface is placed into an error-disabled state.
rate pps Specifies an upper limit on the number of incoming packets processed per
second. The rate can range from 1 to 10000.
none Specifies no upper limit on the rate of incoming ARP packets that can be
processed.
burst interval seconds (Optional) Specifies the consecutive interval in seconds, over which the
interface is monitored for high rate of ARP packets. The interval is
configurable from 1 to 15 seconds.
Release Modification
12.1(19)EW Support for this command was introduced on the Catalyst 4500 series switch.
12.1(20)EW Added support for interface monitoring.
To Next Page
Loading...
Need help?
General
