Ip Arp Inspection Limit (Interface) - Cisco Catalyst 4500 Series Command Reference Manual

Cisco ios command reference

ip arp inspection limit (interface)
To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from
consuming all of the system's resources in the event of a DoS attack, use the ip arp inspection limit
command. To release the limit, use the no form of this command.

ip arp inspection limit {rate pps | none} [burst interval seconds]
no ip arp inspection limit

Syntax Description

rate pps                  Specifies an upper limit on the number of incoming packets processed per
                          second. The rate can range from 1 to 10000.
none                      Specifies no upper limit on the rate of the incoming ARP packets that can
                          be processed.
burst interval seconds    (Optional) Specifies the consecutive interval in seconds over which the
                          interface is monitored for the high rate of the ARP packets. The interval
                          is configurable from 1 to 15 seconds.

Defaults

The rate is set to 15 packets per second on the untrusted interfaces, assuming that the network is a
switched network with a host connecting to as many as 15 new hosts per second.
The rate is unlimited on all the trusted interfaces.
The burst interval is set to 1 second by default.

Command Modes

Interface configuration mode

Command History

Release        Modification
12.1(19)EW     Support for this command was introduced on the Catalyst 4500 series switch.
12.1(20)EW     Added support for interface monitoring.

Usage Guidelines

The trunk ports should be configured with higher rates to reflect their aggregation. When the rate of the
incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state.
The error-disable timeout feature can be used to remove the port from the error-disabled state. The rate
applies to both the trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle the
packets across multiple DAI-enabled VLANs or use the none keyword to make the rate unlimited.
The rate of the incoming ARP packets on the channel ports is equal to the sum of the incoming rate of
packets from all the channel members. Configure the rate limit for the channel ports only after examining
the rate of the incoming ARP packets on the channel members.
After a switch receives more than the configured rate of packets every second consecutively over a period
of burst seconds, the interface is placed into an error-disabled state.

Catalyst 4500 Series Switch Cisco IOS Command Reference—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Chapter 2: Cisco IOS Commands for the Catalyst 4500 Series Switches, OL-25342-01, page 2-278
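The following is an added example, not part of the Cisco reference: a small Python model of the err-disable rule in the Usage Guidelines (rate exceeded every second for burst consecutive seconds) and of the channel-port aggregation, so a limit can be sized against constructed per-second ARP counts before it is configured. The counts, function names and member port names are constructed for illustration; the rate and burst bounds are those the page states.

```python
# Added example, not Cisco code: models the DAI rate-limit / err-disable rule
# described on this page. Per-second ARP counts below are constructed sample data.
from typing import Optional, Sequence

RATE_MIN, RATE_MAX = 1, 10000        # pps range accepted by `rate pps`
BURST_MIN, BURST_MAX = 1, 15         # seconds accepted by `burst interval`
DEFAULT_UNTRUSTED_RATE = 15          # default on untrusted interfaces
DEFAULT_TRUSTED_RATE = None          # `none`: unlimited on trusted interfaces


def validate_limit(rate_pps: Optional[int], burst_interval: int = 1) -> None:
    """Reject values the CLI would not accept. None models the `none` keyword."""
    if rate_pps is not None and not RATE_MIN <= rate_pps <= RATE_MAX:
        raise ValueError(f"rate must be {RATE_MIN}-{RATE_MAX} pps, got {rate_pps}")
    if not BURST_MIN <= burst_interval <= BURST_MAX:
        raise ValueError(f"burst must be {BURST_MIN}-{BURST_MAX} s, got {burst_interval}")


def err_disable_second(counts: Sequence[int], rate_pps: Optional[int],
                       burst_interval: int = 1) -> Optional[int]:
    """Return the 1-based second at which the interface is placed into the
    error-disabled state, or None if it never is.

    Rule from the page: the port is err-disabled once the incoming ARP rate
    exceeds rate_pps every second consecutively for burst_interval seconds;
    a single second at or below the rate resets the count."""
    validate_limit(rate_pps, burst_interval)
    if rate_pps is None:                 # `none`: no limit, never err-disabled
        return None
    consecutive = 0
    for second, pps in enumerate(counts, start=1):
        consecutive = consecutive + 1 if pps > rate_pps else 0
        if consecutive >= burst_interval:
            return second
    return None


def channel_counts(*members: Sequence[int]) -> list:
    """A channel port sees the sum of its members' ARP rates each second, so
    its limit must be sized against the aggregate, not one member."""
    return [sum(second) for second in zip(*members)]


# Constructed per-second ARP counts on two access ports bundled into a channel.
MEMBER_A = [10, 20, 30, 12, 40, 50, 60]
MEMBER_B = [5, 5, 5, 5, 5, 5, 5]

if __name__ == "__main__":
    print(err_disable_second(MEMBER_A, DEFAULT_UNTRUSTED_RATE, 3))         # 7
    print(err_disable_second(MEMBER_A, DEFAULT_TRUSTED_RATE))              # None
    print(err_disable_second(channel_counts(MEMBER_A, MEMBER_B), 15, 3))   # 4
```

With burst 3, member A alone is err-disabled only at second 7 (second 4 resets the run), while the channel aggregate crosses 15 pps for three consecutive seconds by second 4, which is why the page says to examine member rates before setting a channel limit.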