Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 58 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
Port Channels Function
A given physical port can join a channel only when the trust state of the physical port and of the channel
match. Otherwise, the physical port remains suspended in the channel. A channel inherits its trust state
from the first physical port that joined the channel. Consequently, the trust state of the first physical port
need not match the trust state of the channel.
Conversely, when the trust state is changed on the channel, the new trust state is configured on all the
physical ports that comprise the channel.
The rate limit check on port channels is unique. The rate of incoming packets on a physical port is
checked against the port channel configuration rather than the physical ports’ configuration.
The rate limit configuration on a port channel is independent of the configuration on its physical ports.
The rate limit is cumulative across all physical ports; that is, the rate of incoming packets on a port
channel equals the sum of rates across all physical ports.
When you configure rate limits for ARP packets on trunks, you must account for VLAN aggregation
because a high rate limit on one VLAN can cause a denial of service for the other VLANs when the
port is error-disabled by software. Similarly, when a port channel is error-disabled, a high rate limit on
one physical port can cause other ports in the channel to go down.
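The port-channel trust and rate-limit behavior described above, as an added configuration example (not taken from the Cisco guide). The interface numbers, the 100 pps limit and the 300-second recovery interval are assumed values, the channel is assumed to be an untrusted trunk, and DHCP snooping bindings for VLAN 100 are assumed to be in place.

```cisco
! Added example. Interface numbers, rates and timers are assumed values.
!
! Enable DAI on the VLAN carried by the bundle (VLAN 100, as used in this chapter).
ip arp inspection vlan 100
!
! Member ports: a limit set on these interfaces is not what incoming ARP
! is checked against; the Port-channel value below is used instead.
interface range GigabitEthernet2/1 - 2
 switchport mode trunk
 channel-group 10 mode active
!
! Channel: the trust state set here is applied to every member port.
! It is left untrusted, so ARP packets are inspected and rate limited.
! The limit is one budget for the whole bundle: Gi2/1 and Gi2/2 together
! may receive 100 ARP packets per second before the channel is error-disabled.
interface Port-channel10
 switchport mode trunk
 no ip arp inspection trust
 ip arp inspection limit rate 100 burst interval 1
!
! Recover an error-disabled channel automatically, so that an ARP burst on
! one VLAN or one member port does not keep the whole trunk down.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

After applying it, `show ip arp inspection interfaces` lists the trust state and rate limit per interface, and `show interfaces status err-disabled` shows whether the channel has been shut down by the rate check.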
Configuring Dynamic ARP Inspection
These sections describe how to configure DAI on your switch:
• Configuring Dynamic ARP Inspection in DHCP Environments (required)
• DAI Configuration Example
• Configuring ARP ACLs for Non-DHCP Environments (optional)
• Configuring the Log Buffer (optional)
• Limiting the Rate of Incoming ARP Packets (optional)
• Performing Validation Checks (optional)
Configuring Dynamic ARP Inspection in DHCP Environments
This procedure shows how to configure dynamic ARP inspection when two switches support this feature.
Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in Figure 58-3. Both
switches are running DAI on VLAN 100 where the hosts are located. A DHCP server is connected to
Switch A. Both hosts acquire their IP addresses from the same DHCP server. Switch A has the bindings
for Host 1, and Switch B has the bindings for Host 2.