Limiting The Rate Of Incoming Arp Packets - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Configuring Dynamic ARP Inspection
        Command                                      Purpose
Step 5  Switch# show ip arp inspection log           Verifies your settings.
Step 6  Switch# copy running-config startup-config   (Optional) Saves your entries in the configuration file.

To return to the default log buffer settings, use the no ip arp inspection log-buffer global configuration
command. To return to the default VLAN log settings, use the
no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings} global configuration
command. To clear the log buffer, use the clear ip arp inspection log privileged EXEC command.

This example shows how to set the log buffer size to 1024 entries. It also shows how to configure your
Catalyst 4500 series switch so that syslog messages are generated from the buffer at a rate of 100 per
10 seconds.

SwitchB# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchB(config)# ip arp inspection log-buffer entries 1024
SwitchB(config)# ip arp inspection log-buffer logs 100 interval 10
SwitchB(config)# end
SwitchB# show ip arp inspection log
Total Log Buffer Size : 1024
Syslog rate : 100 entries per 10 seconds.
Interface   Vlan  Sender MAC      Sender IP        Num Pkts  Reason       Time
----------  ----  --------------  ---------------  --------  -----------  ----
Gi3/31      100   0002.0002.0003  170.1.1.2        5         DHCP Deny    02:05:45 UTC Fri Feb 4 2005
SwitchB#

Limiting the Rate of Incoming ARP Packets

The switch CPU performs the DAI validation checks; therefore, the number of incoming ARP packets is
rate-limited to prevent a denial-of-service attack.

Note
Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also
changes its rate limit to the default value for that trust state. After you configure the rate limit, the
interface retains the rate limit even when its trust state is changed. If you enter the
no ip arp inspection limit interface configuration command, the interface reverts to its default rate
limit.

By default, the switch places the port in the error-disabled state when the rate of incoming ARP packets
exceeds the configured limit. To prevent the whole port from shutting down, you can use the errdisable detect
cause arp-inspection action shutdown vlan global configuration command to shut down only the
offending VLAN on the port where the violation occurred.

When a port is in the error-disabled state, you can bring it out of this state automatically by configuring
the errdisable recovery cause arp-inspection global configuration command, or you can manually
reenable it by entering the shutdown and no shutdown interface configuration commands. If a port is
in per-VLAN error-disable mode, you can also use the clear errdisable interface interface-name vlan vlan-range
command to reenable the VLAN on the port.
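As an added configuration example (not taken from the Cisco guide; the interface names, VLAN 100 and the rate values are assumed), the following puts the rate-limit, per-VLAN error-disable and recovery behavior described above together on one switch, with an explicit limit on the trusted uplink so that a later trust-state change cannot silently replace it with the trust-state default:

```cisco
! Added example, not from the Cisco guide. Interface names, VLAN 100 and the
! rate values are assumed. DAI must be enabled on the VLAN first.
ip arp inspection vlan 100
!
! Trusted uplink to another DAI-capable switch. A trusted interface has no
! rate limit by default; an explicitly configured limit is retained even if
! the trust state is changed later (see the Note above).
interface GigabitEthernet3/1
 description Uplink to distribution switch
 ip arp inspection trust
 ip arp inspection limit rate 500 burst interval 1
!
! Untrusted access port. The rate is enforced over the burst interval, so
! 15 pps with a 3-second interval tolerates a short re-ARP burst from a host
! without exceeding the limit.
interface GigabitEthernet3/31
 description Access port, user VLAN 100
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 3
!
! On a violation, error-disable only the offending VLAN rather than the whole
! port, and recover automatically after 300 seconds instead of requiring a
! manual shutdown / no shutdown on the interface.
errdisable detect cause arp-inspection action shutdown vlan
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verification (privileged EXEC, shown here as comments):
!   show ip arp inspection interfaces   - trust state, rate and burst interval per port
!   show errdisable recovery            - recovery cause and timer
!   show ip arp inspection log          - the DAI log buffer configured earlier
```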