Catalyst 2928 Switch Software Configuration Guide, OL-23389-01 (page 20-4)
Chapter 20 Configuring Dynamic ARP Inspection
Understanding Dynamic ARP Inspection
running dynamic ARP inspection from switches not running dynamic ARP inspection switches. For configuration information, see the “Configuring ARP ACLs for Non-DHCP Environments” section on
Note: Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP packet on all switches in the VLAN.
Rate Limiting of ARP Packets
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can change this setting by using the ip arp inspection limit interface configuration command.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you intervene. You can use the errdisable recovery global configuration command to enable error disable recovery so that ports automatically emerge from this state after a specified timeout period.
For configuration information, see the “Limiting the Rate of Incoming ARP Packets” section on .
Relative Priority of ARP ACLs and DHCP Snooping Entries
Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only if you configure them by using the ip arp inspection filter vlan global configuration command.
The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration command. For configuration information, see the
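The following is an added example configuration, not taken from this guide, that ties together the three mechanisms described above (rate limiting with error-disable recovery, an ARP ACL that takes precedence over the DHCP snooping bindings, and log-buffer tuning). The VLAN number, interface names, the static host's IP and MAC address, and the rate and interval values are all assumed for illustration.

```cisco
! Base: DHCP snooping supplies the binding database that DAI validates against
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! ARP ACL for a host that never uses DHCP (assumed address/MAC).
! Because ARP ACLs are checked first, a deny here drops the packet even
! if a matching DHCP snooping binding exists.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Log buffer: keep 64 entries; emit a system message once 10 entries
! accumulate within a 30-second interval (rate-controlled logging)
ip arp inspection log-buffer entries 64
ip arp inspection log-buffer logs 10 interval 30
! Log ACL matches and packets permitted by DHCP bindings, not only drops
ip arp inspection vlan 10 logging acl-match matchlog
ip arp inspection vlan 10 logging dhcp-bindings permit
!
! Let ports that were error-disabled by DAI rate limiting recover
! automatically after 300 seconds instead of waiting for an operator
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Uplink toward the DHCP server / other DAI switches: trusted, so it is
! neither validated nor rate-limited
interface GigabitEthernet0/1
 description Uplink to distribution
 ip arp inspection trust
!
! Access ports stay untrusted; raise the default 15 pps to 20 pps and
! measure the burst over 2 seconds to tolerate short ARP spikes
interface range FastEthernet0/1 - 24
 ip arp inspection limit rate 20 burst interval 2
```

Verify the result with show ip arp inspection vlan 10, show ip arp inspection interfaces, and show ip arp inspection log.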