Relative Priority of ARP ACLs and DHCP Snooping Entries; Logging of Dropped Packets; Default Dynamic ARP Inspection Configuration - Cisco Catalyst 2960-X Security Configuration Manual

Cisco IOS Release 15.0(2)EX

Note: The rate limit for an EtherChannel is applied separately to each switch in a stack. For example, if a limit of 20 pps is configured on the EtherChannel, each switch with ports in the EtherChannel can carry up to 20 pps. If any switch exceeds the limit, the entire EtherChannel is placed into the error-disabled state.

Relative Priority of ARP ACLs and DHCP Snooping Entries
Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.

ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only if you configure them by using the ip arp inspection filter vlan global configuration command. The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.

Logging of Dropped Packets

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration command.
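The following configuration is an added example, not taken from the guide, that ties the two preceding sections together. It assumes a hypothetical VLAN 10 with a non-DHCP server and a gateway whose addresses, MAC addresses, ACL name and port numbers are all constructed for illustration. The ARP ACL is evaluated before the DHCP snooping bindings, so the deny for a spoofed gateway address holds even if a DHCP binding exists for it; the log-buffer and logging commands then control how ACL denies and binding-table permits are recorded.

```text
! Hypothetical VLAN 10; all addresses and names below are constructed.
ip dhcp snooping
ip dhcp snooping vlan 10
!
arp access-list DAI-VLAN10
 ! Server with a static address (no DHCP lease): permit its exact IP/MAC pair.
 permit ip host 10.10.10.20 mac host 0011.2233.4455
 ! Only the real gateway MAC may claim the gateway IP.
 permit ip host 10.10.10.1 mac host 0000.0c9f.f001
 ! Any other host claiming the gateway IP is dropped and logged. Because ACLs
 ! take precedence, this deny applies even if a DHCP snooping binding for
 ! 10.10.10.1 exists.
 deny ip host 10.10.10.1 mac any log
!
! Enable DAI on the VLAN and attach the ACL; packets that match no ACE are
! still checked against the DHCP snooping binding database.
ip arp inspection vlan 10
ip arp inspection filter DAI-VLAN10 vlan 10
!
! Log buffer of 128 entries; a system message is generated once 10 entries
! accumulate within a 30-second interval.
ip arp inspection log-buffer entries 128
ip arp inspection log-buffer logs 10 interval 30
! Log packets that hit ACEs carrying the log keyword, and packets permitted
! by a DHCP snooping binding.
ip arp inspection vlan 10 logging acl-match matchlog
ip arp inspection vlan 10 logging dhcp-bindings permit
!
interface GigabitEthernet1/0/1
 description Uplink toward the gateway; ARP is not inspected on trusted ports
 ip arp inspection trust
!
interface GigabitEthernet1/0/2
 description Access port; untrusted, 15 pps with the default 1-second burst
 ip arp inspection limit rate 15 burst interval 1
```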

Default Dynamic ARP Inspection Configuration

Feature: Default Settings

Dynamic ARP inspection: Disabled on all VLANs.

Interface trust state: All interfaces are untrusted.

Rate limit of incoming ARP packets: The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second. The rate is unlimited on all trusted interfaces. The burst interval is 1 second.

ARP ACLs for non-DHCP environments: No ARP ACLs are defined.

Validation checks: No checks are performed.

Configuring Dynamic ARP Inspection, Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX, OL-29048-01
