58-4
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 58 Configuring Dynamic ARP Inspection
About Dynamic ARP Inspection
Relative Priority of Static Bindings and DHCP Snooping Entries
As mentioned previously, DAI populates its database of valid MAC address to IP address bindings
through DHCP snooping. It also validates ARP packets against statically configured ARP ACLs. It is
important to note that ARP ACLs have precedence over entries in the DHCP snooping database. ARP
packets are first compared to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, then
the packet is denied even if a valid binding exists in the database populated by DHCP snooping.
Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages
on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer.
Each log entry contains flow information, such as the receiving VLAN, the port number, the source and
destination IP addresses, and the source and destination MAC addresses.
You use the
ip arp inspection log-buffer
global configuration command to configure the number of
entries in the buffer and the number of entries needed in the specified interval to generate system
messages. You specify the type of packets that are logged by using the
ip arp inspection vlan logging
global configuration command. For configuration information, see the
Rate Limiting of ARP Packets
DAI performs validation checks in the CPU, so the number of incoming ARP packets is rate-limited to
prevent a denial of service attack. By default, the rate for untrusted interfaces is set to 15 pps second but
trusted interfaces have no rate limit. When the rate of incoming ARP packets exceeds the configured
limit, the port is placed in the error-disable state. The port remains in that state until an administrator
intervenes. With the
errdisable recovery
global configuration command, you can enable error-disable
recovery so that ports emerge from this state automatically after a specified timeout period.
You use the
ip arp inspection limit
global configuration command to limit the rate of incoming ARP
requests and responses on the interface. Unless a rate limit is explicitly configured on an interface,
changing the trust state of the interface also changes its rate limit to the default value for that trust state;
that is, 15 packets per second for untrusted interfaces and unlimited for trusted interfaces. Once a rate
limit is configured explicitly, the interface retains the rate limit even when its trust state is changed. At
any time, the interface reverts to its default rate limit if the
no
form of the
rate limit
command is applied.
For configuration information, see the
“Limiting the Rate of Incoming ARP Packets” section on
.
Note
When you enable DAI, all ARP packets are forwarded by CPU (software forwarding, the slow path).
With this mechanism, whenever a packet exits through multiple ports, the CPU must create as many
copies of the packet as there are egress ports. The number of egress ports is a multiplying factor for the
CPU. When QoS policing is applied on egress packets that were forwarded by CPU, QoS must be applied
in the CPU as well. (You cannot apply QoS in hardware on CPU generated packets because the hardware
forwarding path is turned off for CPU generated packets.) Both factors can drive the CPU to a very high
utilization level.
Summary of Contents for Catalyst 4500 Series
Page 2: ......
Page 4: ......
Page 2086: ...Index IN 46 Software Configuration Guide Release IOS XE 3 9 0E and IOS 15 2 5 E ...