Relative Priority Of Arp Acls And Dhcp Snooping Entries; Configuring Arp Acls For Non-Dhcp Environments - Cisco Catalyst 2960-XR Security Configuration Manual

Relative Priority of ARP ACLs and DHCP Snooping Entries

• The operating rate for the port channel is cumulative across all the physical ports within the channel.
• The rate limit is calculated separately on each switch in a switch stack. For a cross-stack EtherChannel,
• The operating rate for the port channel is cumulative across all the physical ports within the channel.
• Make sure to limit the rate of ARP packets on incoming trunk ports. Configure trunk ports with higher
• When you enable dynamic ARP inspection on the switch, policers that were configured to police ARP
Relative Priority of ARP ACLs and DHCP Snooping Entries
Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP-to-MAC address
bindings.
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only
if you configure them by using the ip arp inspection filter vlan global configuration command. The switch
first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the
switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.

Configuring ARP ACLs for Non-DHCP Environments

This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 2 does not
support dynamic ARP inspection or DHCP snooping.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
202
For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces
combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on
EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members.
Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets
on the channel-port members.
Conversely, when you change the trust state on the port channel, the switch configures a new trust state
on all the physical ports that comprise the channel.
this means that the actual rate limit might be higher than the configured value. For example, if you set
the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each
port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces
combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on
EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members.
Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets
on the channel-port members.
The rate of incoming packets on a physical port is checked against the port-channel configuration rather
than the physical-ports configuration. The rate-limit configuration on a port channel is independent of
the configuration on its physical ports.
If the EtherChannel receives more ARP packets than the configured rate, the channel (including all
physical ports) is placed in the error-disabled state.
rates to reflect their aggregation and to handle packets across multiple dynamic ARP inspection-enabled
VLANs. You also can use the ip arp inspection limit none interface configuration command to make
the rate unlimited. A high rate-limit on one VLAN can cause a denial-of-service attack to other VLANs
when the software places the port in the error-disabled state.
traffic are no longer effective. The result is that all ARP traffic is sent to the CPU.
Configuring Dynamic ARP Inspection
OL-29434-01