
Cisco Catalyst 4500 Series - Page 1371

Cisco Catalyst 4500 Series
1814 pages
52-17
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 52 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
To limit the rate of incoming ARP packets, perform this task:

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# errdisable detect cause arp-inspection [action shutdown vlan]
Purpose: Enables per-VLAN error-disable detection.
Note: By default this command is enabled, and when a violation occurs the interface is shut down.

Step 3
Command: Switch(config)# interface interface-id
Purpose: Specifies the interface to be rate-limited, and enters interface configuration mode.

Step 4
Command: Switch(config-if)# [no] ip arp inspection limit {rate pps [burst interval seconds] | none}
Purpose: Limits the rate of incoming ARP requests and responses on the interface.
The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces. The burst interval is 1 second.
The keywords have these meanings:
For rate pps, specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.
(Optional) For burst interval seconds, specify the consecutive interval in seconds over which the interface is monitored for a high rate of ARP packets. The range is 1 to 15.
For rate none, specify no upper limit for the rate of incoming ARP packets that can be processed.

Step 5
Command: Switch(config-if)# exit
Purpose: Returns to global configuration mode.

Step 6
Command: Switch(config)# errdisable recovery {cause arp-inspection | interval interval}
Purpose: (Optional) Enables error recovery from the DAI error-disable state.
By default, recovery is disabled, and the recovery interval is 300 seconds.
For interval interval, specify the time in seconds to recover from the error-disable state. The range is 30 to 86400.

Step 7
Command: Switch(config)# exit
Purpose: Returns to privileged EXEC mode.

Step 8
Command: Switch# show ip arp inspection interfaces
Purpose: Verifies your settings.

Step 9
Command: Switch# show errdisable recovery
Purpose: Verifies your settings.

Step 10
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for DAI, use the no errdisable recovery cause arp-inspection global configuration command.

This example shows how to set an upper limit for the number of incoming packets (100 pps) and to specify a burst interval (1 second):

SwitchB# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB(config)# interface g3/31
SwitchB(config-if)# ip arp inspection limit rate 100 burst interval 1
SwitchB(config-if)# exit
SwitchB(config)# errdisable recovery cause arp-inspection
SwitchB(config)# exit
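The following Python sketch is an added example, not part of the Cisco guide. It reviews a planned configuration against the ranges and defaults in the task table above, working out each interface's effective DAI rate limit and flagging out-of-range values, untrusted ports set to limit none, and missing error recovery. The audit function and the sample configuration are constructed for illustration, and it assumes trusted ports are marked with the standard ip arp inspection trust interface command, which this page does not show.

```python
import re

# Constructed sample of a planned configuration (not taken from the manual).
SAMPLE = """\
interface GigabitEthernet3/31
 ip arp inspection limit rate 100 burst interval 1
interface GigabitEthernet3/32
 ip arp inspection limit none
interface GigabitEthernet3/33
 ip arp inspection trust
interface GigabitEthernet3/34
 ip arp inspection limit rate 4096 burst interval 30
interface GigabitEthernet3/35
"""
LIMIT = re.compile(r"ip arp inspection limit (?:none|rate (\d+)(?: burst interval (\d+))?)")

def audit(config):  # returns ({interface: (pps or None, burst)}, [findings])
    ifaces, findings, cur, recovery = {}, [], None, False
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"trust": False, "limit": None})
        elif line == "errdisable recovery cause arp-inspection":
            recovery = True
        elif m := re.fullmatch(r"errdisable recovery interval (\d+)", line):
            if not 30 <= int(m[1]) <= 86400:
                findings.append(f"global: recovery interval {m[1]} outside 30-86400 s")
        elif cur is not None and line == "ip arp inspection trust":
            cur["trust"] = True
        elif cur is not None and (m := LIMIT.fullmatch(line)):
            cur["limit"] = m
    effective = {}
    for name, st in ifaces.items():
        m = st["limit"]
        if m is None:  # no limit configured: documented defaults apply
            pps, burst = (None if st["trust"] else 15), 1
        elif m[1] is None:  # "limit none": unlimited (pps reported as None)
            pps, burst = None, 1
            if not st["trust"]:
                findings.append(f"{name}: untrusted port with ARP rate limit disabled")
        else:
            pps, burst = int(m[1]), int(m[2] or 1)
            for what, val, lo, hi in (("rate", pps, 0, 2048), ("burst interval", burst, 1, 15)):
                if not lo <= val <= hi:
                    findings.append(f"{name}: {what} {val} outside {lo}-{hi}")
        effective[name] = (pps, burst)
    if not recovery:
        findings.append("global: errdisable recovery cause arp-inspection not enabled")
    return effective, findings
```

Calling audit(SAMPLE) returns the effective limits per interface plus four findings. A pps of None means unlimited.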
