Cisco IE-5000 User Manual

Configuring Dynamic ARP Inspection
Information About Dynamic ARP Inspection
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only if you
configure them by using the ip arp inspection filter vlan global configuration command. The switch first compares ARP
packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if
a valid binding exists in the database populated by DHCP snooping.
Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a
rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry
contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and
the source and destination MAC addresses.
You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer
and the number of entries needed in the specified interval to generate system messages. You specify the type of packets
that are logged by using the ip arp inspection vlan logging global configuration command.
A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same
VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a
single system message for the entry.
If the log buffer overflows, a log event did not fit into the log buffer, and the display for the show ip arp
inspection log privileged EXEC command is affected: dashes appear in place of all data except the packet
count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number
of entries in the log buffer or increase the logging rate.
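The following configuration is an added example, not taken from the Cisco manual, that combines the ARP ACL precedence and log-buffer commands described above. VLAN 20, the ACL name GATEWAY-GUARD, and the documentation-range IP and MAC addresses are assumed values.

```cisco
! Constructed values: VLAN 20, ACL name GATEWAY-GUARD, and the addresses
! 192.0.2.1 / 0000.5e00.5301 (documentation ranges) stand in for a real gateway.
!
! ARP ACL: only the known gateway MAC may claim the gateway IP.
! The explicit deny is evaluated before the DHCP snooping binding database,
! so a spoofed ARP for 192.0.2.1 is dropped even if a binding exists.
arp access-list GATEWAY-GUARD
 permit ip host 192.0.2.1 mac host 0000.5e00.5301
 deny ip host 192.0.2.1 mac any log
 exit
!
! Enable DAI on the VLAN and attach the ARP ACL to it.
ip arp inspection vlan 20
ip arp inspection filter GATEWAY-GUARD vlan 20
!
! Raise the log buffer from the default 32 entries, and the message rate
! from the default 5 entries per 1-second interval, to reduce overflow
! entries (rows of dashes) in "show ip arp inspection log".
ip arp inspection log-buffer entries 128
ip arp inspection log-buffer logs 10 interval 1
!
! Log ACL matches according to the "log" keyword on each ACL entry.
ip arp inspection vlan 20 logging acl-match matchlog
!
! Verify from privileged EXEC:
!   show ip arp inspection vlan 20
!   show ip arp inspection log
```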
Default Dynamic ARP Inspection Settings

Feature                              Default Setting
DAI                                  Disabled on all VLANs.
Interface trust state                All interfaces are untrusted.
Rate limit of incoming ARP packets   The rate is 15 pps on untrusted interfaces, assuming that the
                                     network is a switched network with a host connecting to as many
                                     as 15 new hosts per second.
                                     The rate is unlimited on all trusted interfaces.
                                     The burst interval is 1 second.
ARP ACLs for non-DHCP environments   No ARP ACLs are defined.
Validation checks                    No checks are performed.
Log buffer                           When DAI is enabled, all denied or dropped ARP packets are
                                     logged.
                                     The number of entries in the log is 32.
                                     The number of system messages is limited to 5 per second.
                                     The logging-rate interval is 1 second.
Per-VLAN logging                     All denied or dropped ARP packets are logged.

Dynamic ARP Inspection Configuration Guidelines
DAI is an ingress security feature; it does not perform any egress checking.
