set arpinspection filter
23-22 DHCP Snooping and Dynamic ARP Inspection
Defaults
Rate = 15 packets per second
Burst Interval = 1 second
Mode
Switch command, read-write.
Usage
To protect the switch against DHCP attacks when DAI is enabled, the DAI application enforces a
rate limit for ARP packets received on untrusted interfaces. DAI monitors the receive rate on each
interface separately. If the receive rate exceeds the limit configured with this command, DAI
disables the interface, which effectively brings down the interface. You can use the set port enable
command to reenable the port.
You can configure both the rate and the burst interval. The default rate is 15 pps on each untrusted
interface with a range of 0 to 50 pps. The default burst interval is 1 second with a range to 1 to 15
seconds.. The rate limit cannot be set on trusted interfaces since ARP packets received on trusted
interfaces do not come to the CPU.
Example
This example sets the rate to 20 packets per second and the burst interval to 2 seconds on ports
ge.1.1 and ge.1.2.
C3(su)->set arpinspection limit port ge.1.1-2 rate 20 burst interval 2
set arpinspection filter
Use this command to create an ARP ACL and then to assign an ACL to a VLAN, optionally as a
static mapping.
Syntax
set arpinspection filter name {permit ip host sender-ipaddr mac host
sender-macaddr | vlan vlan-range [static]}
Parameters
Defaults
None.
name Specifies the name of the ARP ACL.
permit Specifies that a permit rule is being created.
ip host sender-ipaddr Specifies the IP address in the rule being created.
mac host
sender-macaddr
Specifies the MAC address in the rule being created.
vlan vlan-range Specifies the VLAN or VLANs to which this ARP ACL is assigned.
static (Optional) Specifies that this ARP ACL configures static mappings for
the VLAN or VLANs.
To Next Page
Loading...
Need help?
General