2-247
Catalyst 3750-X and 3560-X Switch Command Reference
OL-29704-01
Chapter 2 Catalyst 3750-X and 3560-X Switch Cisco IOS Commands
ip arp inspection limit
ip arp inspection limit
Use the ip arp inspection limit interface configuration command on the switch stack or on a standalone
switch to limit the rate of incoming Address Resolution Protocol (ARP) requests and responses on an
interface. It prevents dynamic ARP inspection from using all of the switch resources if a
denial-of-service attack occurs. Use the no form of this command to return to the default settings.
ip arp inspection limit {rate pps [burst interval seconds] | none}
no ip arp inspection limit
Syntax Description
Defaults The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host
connecting to as many as 15 new hosts per second.
The rate is unlimited on all trusted interfaces.
The burst interval is 1 second.
Command Modes Interface configuration
Command History
Usage Guidelines The rate applies to both trusted and untrusted interfaces. Configure appropriate rates on trunks to process
packets across multiple dynamic ARP inspection-enabled VLANs, or use the none keyword to make the
rate unlimited.
After a switch receives more than the configured rate of packets every second consecutively over a
number of burst seconds, the interface is placed into an error-disabled state.
Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also
changes its rate limit to the default value for that trust state. After you configure the rate limit, the
interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection
limit interface configuration command, the interface reverts to its default rate limit.
You should configure trunk ports with higher rates to reflect their aggregation. When the rate of
incoming packets exceeds the user-configured rate, the switch places the interface into an error-disabled
state. The error-disabled recovery feature automatically removes the port from the error-disabled state
according to the recovery setting.
rate pps Specify an upper limit for the number of incoming packets processed per
second. The range is 0 to 2048 packets per second (pps).
burst interval seconds (Optional) Specify the consecutive interval in seconds, over which the
interface is monitored for a high rate of ARP packets.The range is 1 to 15
seconds.
none Specify no upper limit for the rate of incoming ARP packets that can be
processed.
Release Modification
12.2(53)SE2 This command was introduced.
To Next Page
Loading...
Need help?
General
