Rate Limiting Of Arp Packets; Relative Priority Of Arp Acls And Dhcp Snooping Entries; Logging Of Dropped Packets - Cisco IE-3000-8TC Software Configuration Manual

Software configuration guide

Understanding Dynamic ARP Inspection
Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running
dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic
ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the
hosts that are connected to a switch running dynamic ARP inspection.
In cases in which some switches in a VLAN run dynamic ARP inspection and other switches do not, configure the interfaces connecting such switches as untrusted. However, to validate the bindings of packets from switches that do not run dynamic ARP inspection, configure the switch running dynamic ARP inspection with ARP ACLs. When you cannot determine such bindings, isolate the switches running dynamic ARP inspection at Layer 3 from the switches that do not run it. For configuration information, see the "Configuring ARP ACLs for Non-DHCP Environments" section on page 24-8.

Note: Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP packet on all switches in the VLAN.

Rate Limiting of ARP Packets

The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of
incoming ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for
untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can
change this setting by using the ip arp inspection limit interface configuration command.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the
error-disabled state. The port remains in that state until you intervene. You can use the errdisable
recovery global configuration command to enable error disable recovery so that ports automatically
emerge from this state after a specified timeout period.
For configuration information, see the "Limiting the Rate of Incoming ARP Packets" section on page 24-10.

Relative Priority of ARP ACLs and DHCP Snooping Entries

Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP-to-MAC
address bindings.
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs
only if you configure them by using the ip arp inspection filter vlan global configuration command.
The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP
packet, the switch also denies the packet even if a valid binding exists in the database populated by
DHCP snooping.

Logging of Dropped Packets

When the switch drops a packet, it places an entry in the log buffer and then generates system messages
on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer.
Each log entry contains flow information, such as the receiving VLAN, the port number, the source and
destination IP addresses, and the source and destination MAC addresses.
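The following configuration is an added example, not taken from the guide, that applies the three behaviours above on one hypothetical IE 3000 switch: a 15 pps limit with automatic error-disable recovery, an ARP ACL that is consulted before the DHCP snooping database, and a bounded log buffer. VLAN 10, the interface roles, the host addresses and MAC addresses, and the timer values are all assumed for illustration.

```ios
! DHCP snooping supplies the IP-to-MAC binding database that DAI consults
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable DAI on the user VLAN and bound the drop log (entries, and how
! many system messages may be generated per interval)
ip arp inspection vlan 10
ip arp inspection log-buffer entries 64
ip arp inspection log-buffer logs 10 interval 60
!
! Static bindings for hosts behind a neighbouring switch that does not
! run DAI. An ACL deny wins even when a DHCP snooping binding exists;
! without the "static" keyword, packets matching no ACL entry still fall
! through to the DHCP snooping bindings.
arp access-list DAI-STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
 permit ip host 10.10.10.51 mac host 0011.2233.4466
!
ip arp inspection filter DAI-STATIC-HOSTS vlan 10
!
! Ports error-disabled by DAI rate limiting recover after 300 seconds
! instead of waiting for an operator
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Uplink to a switch that also runs DAI: trusted, so not rate-limited
interface GigabitEthernet1/1
 description uplink to DAI-enabled distribution switch
 ip arp inspection trust
!
! Link to a switch that does NOT run DAI: left untrusted so its ARP
! traffic is validated (via the ARP ACL), with a higher limit because
! it aggregates several hosts
interface GigabitEthernet1/2
 description link to legacy switch without DAI
 ip arp inspection limit rate 50 burst interval 1
!
! Access ports: untrusted; the default 15 pps limit made explicit
interface range FastEthernet1/1 - 8
 ip arp inspection limit rate 15 burst interval 1
!
! Verification commands
! show ip arp inspection vlan 10
! show ip arp inspection interfaces
! show ip arp inspection statistics vlan 10
! show ip arp inspection log
```

A port that trips the limit shows as err-disabled in `show ip arp inspection interfaces` and in `show interfaces status` until the recovery timer expires.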
Cisco IE 3000 Switch Software Configuration Guide, OL-13018-03
Chapter 24, Configuring Dynamic ARP Inspection, page 24-4