2-296
Catalyst 4500 Series Switch Cisco IOS Command Reference—Release IOS XE 3.4.0SG and IOS 15.1(2)SG)
OL-27596 -01
Chapter 2 Cisco IOS Commands for the Catalyst 4500 Series Switches
ip arp inspection limit (interface)
ip arp inspection limit (interface)
To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from
consuming all of the system’s resources in the event of a DoS attack, use the ip arp inspection limit
command. To release the limit, use the no form of this command.
ip arp inspection limit {rate pps | none} [burst interval seconds]
no ip arp inspection limit
Syntax Description
Defaults The rate is set to 15 packets per second on the untrusted interfaces, assuming that the network is a
switched network with a host connecting to as many as 15 new hosts per second.
The rate is unlimited on all the trusted interfaces.
The burst interval is set to 1 second by default.
Command Modes Interface configuration mode
Command History
Usage Guidelines The trunk ports should be configured with higher rates to reflect their aggregation. When the rate of the
incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state.
The error-disable timeout feature can be used to remove the port from the error-disabled state. The rate
applies to both the trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle the
packets across multiple DAI-enabled VLANs or use the none keyword to make the rate unlimited.
The rate of the incoming ARP packets onthe channel ports is equal to the sum of the incoming rate of
packets from all the channel members. Configure the rate limit for the channel ports only after examining
the rate of the incoming ARP packets on the channel members.
After a switch receives more than the configured rate of packets every second consecutively over a period
of burst seconds, the interface is placed into an error-disabled state.
rate pps Specifies an upper limit on the number of incoming packets processed per
second. The rate can range from 1 to 10000.
none Specifies no upper limit on the rate of the incoming ARP packets that can
be processed.
burst interval seconds (Optional) Specifies the consecutive interval in seconds over which the
interface is monitored for the high rate of the ARP packets. The interval
is configurable from 1 to 15 seconds.
Release Modification
12.1(19)EW Support for this command was introduced on the Catalyst 4500 series switch.
12.1(20)EW Added support for interface monitoring.
To Next Page
Loading...
Need help?
General
