How to Limit the Rate of Incoming ARP Packets - Cisco Catalyst 2960-XR Security Configuration Manual

Cisco IOS Release 15.0(2)EX1

Configuring Dynamic ARP Inspection
Step 10
Command or Action: copy running-config startup-config
To disable dynamic ARP inspection, use the no ip arp inspection vlan vlan-range global configuration
command. To return the interfaces to an untrusted state, use the no ip arp inspection trust interface
configuration command.
This example shows how to configure dynamic ARP inspection on Switch A in VLAN 1. You would perform
a similar procedure on Switch B:
Switch(config)# ip arp inspection vlan 1
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip arp inspection trust

How to Limit the Rate of Incoming ARP Packets

The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming
ARP packets is rate-limited to prevent a denial-of-service attack.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the
error-disabled state. The port remains in that state until you enable error-disabled recovery so that ports
automatically emerge from this state after a specified timeout period.
Note: Unless you configure a rate limit on an interface, changing the trust state of the interface also changes its
rate limit to the default value for that trust state. After you configure the rate limit, the interface retains
the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface
configuration command, the interface reverts to its default rate limit.
For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the section, "Dynamic
ARP Inspection Configuration Guidelines."
To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration
command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause
arp-inspection global configuration command.
Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This
procedure is optional.
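
The commands this section refers to, put together as an added example that is not taken from the manual: it sets an explicit ARP rate limit on an untrusted port, enables automatic recovery from the error-disabled state, and verifies both. The interface name, the rate of 20 packets per second, the 5-second burst interval, and the 300-second recovery interval are assumed values chosen for illustration.

```cisco
! Constructed example: interface, rate, burst and recovery values are assumptions.
Switch# configure terminal
! Untrusted access port: allow at most 20 ARP packets per second,
! monitored over a 5-second burst interval.
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# ip arp inspection limit rate 20 burst interval 5
Switch(config-if)# exit
! Let ports that DAI rate limiting error-disabled recover automatically
! after 300 seconds instead of waiting for manual intervention.
Switch(config)# errdisable recovery cause arp-inspection
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Check the trust state and the rate limit now applied to each interface.
Switch# show ip arp inspection interfaces
! Check that recovery is enabled for the arp-inspection cause.
Switch# show errdisable recovery
! Save the entries in the configuration file.
Switch# copy running-config startup-config
```

The errdisable recovery interval command is global: it sets the timeout for every cause that has recovery enabled, not only arp-inspection.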
OL-29434-01
Purpose (Step 10, copy running-config startup-config): (Optional) Save your entries in the configuration file.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
