Enterasys b5

To Next Page

To Previous Page

set arpinspection limit

Enterasys B5 CLI Reference 17-23

Example

ThisexampleaddstheoptionalverificationthatsenderMACaddressesarethesameasthesource

MACaddressesintheEthernetheadersofARPpackets.

B5(su)->set arpinspection validate src-mac

set arpinspection limit

UsethiscommandtoconfigureratelimitingparametersforincomingARPpacketsonaportor

ports

Syntax

set arpinspection limit port port-string {none | rate pps {burst interval secs]}

Parameters

Defaults

Rate=15packetspersecond

BurstInterval=1second

Mode

Switchcommand,read‐write.

Usage

ToprotecttheswitchagainstDHCPattackswhenDAIisenabled,theDAIapplicationenforcesa

ratelimitforARPpacketsreceivedonuntrustedinterfaces.DAImonitorsthereceiverateoneach

interfaceseparately.Ifthereceiverateexceedsthelimitconfiguredwiththiscommand,DAI

disablestheinterface,whicheffectively

bringsdowntheinterface.Youcanusethesetportenable

commandtoreenabletheport.

Youcanconfigureboththerateandtheburstinterval.Thedefaultrateis15ppsoneachuntrusted

interfacewitharangeof0to50pps.Thedefaultburstintervalis1

secondwitharangeto1to15

seconds..TheratelimitcannotbesetontrustedinterfacessinceARPpacketsreceivedontrusted

interfacesdonotcometotheCPU.

Example

Thisexamplesetstherateto20packetspersecondandtheburstintervalto2secondsonports

ge.1.1andge.1.2.

B5(su)->set arpinspection limit port ge.1.1-2 rate 20 burst interval 2

port‐string Specifiestheportorportstowhichtoapplytheseratelimiting

parameters.

none ConfiguresnolimitonincomingARPpackets.

ratepps Specifiesaratelimitinpacketspersecond.Thevalueofppscanrange

from0to50packetspersecond.

burstintervalsecs Specifiesaburstintervalin

seconds.Thevalueofsecscanrangefrom1

to15seconds.