set arpinspection limit
Enterasys B5 CLI Reference 17-23
Example
ThisexampleaddstheoptionalverificationthatsenderMACaddressesarethesameasthesource
MACaddressesintheEthernetheadersofARPpackets.
B5(su)->set arpinspection validate src-mac
set arpinspection limit
UsethiscommandtoconfigureratelimitingparametersforincomingARPpacketsonaportor
ports
Syntax
set arpinspection limit port port-string {none | rate pps {burst interval secs]}
Parameters
Defaults
Rate=15packetspersecond
BurstInterval=1second
Mode
Switchcommand,read‐write.
Usage
ToprotecttheswitchagainstDHCPattackswhenDAIisenabled,theDAIapplicationenforcesa
ratelimitforARPpacketsreceivedonuntrustedinterfaces.DAImonitorsthereceiverateoneach
interfaceseparately.Ifthereceiverateexceedsthelimitconfiguredwiththiscommand,DAI
disablestheinterface,whicheffectively
bringsdowntheinterface.Youcanusethesetportenable
commandtoreenabletheport.
Youcanconfigureboththerateandtheburstinterval.Thedefaultrateis15ppsoneachuntrusted
interfacewitharangeof0to50pps.Thedefaultburstintervalis1
secondwitharangeto1to15
seconds..TheratelimitcannotbesetontrustedinterfacessinceARPpacketsreceivedontrusted
interfacesdonotcometotheCPU.
Example
Thisexamplesetstherateto20packetspersecondandtheburstintervalto2secondsonports
ge.1.1andge.1.2.
B5(su)->set arpinspection limit port ge.1.1-2 rate 20 burst interval 2
port‐string Specifiestheportorportstowhichtoapplytheseratelimiting
parameters.
none ConfiguresnolimitonincomingARPpackets.
ratepps Specifiesaratelimitinpacketspersecond.Thevalueofppscanrange
from0to50packetspersecond.
burstintervalsecs Specifiesaburstintervalin
seconds.Thevalueofsecscanrangefrom1
to15seconds.
To Next Page
Loading...
General