20-11
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 20 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP Inspection Configuration Guidelines” section on page 20-6.

Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 2
  Command: interface interface-id
  Purpose: Specify the interface to be rate-limited, and enter interface configuration mode.

Step 3
  Command: ip arp inspection limit {rate pps [burst interval seconds] | none}
  Purpose: Limit the rate of incoming ARP requests and responses on the interface.
  The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces. The burst interval is 1 second.
  The keywords have these meanings:
  • For rate pps, specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.
  • (Optional) For burst interval seconds, specify the consecutive interval in seconds, over which the interface is monitored for a high rate of ARP packets. The range is 1 to 15.
  • For rate none, specify no upper limit for the rate of incoming ARP packets that can be processed.

Step 4
  Command: exit
  Purpose: Return to global configuration mode.

Step 5
  Command: errdisable recovery cause arp-inspection interval interval
  Purpose: (Optional) Enable error recovery from the dynamic ARP inspection error-disable state.
  By default, recovery is disabled, and the recovery interval is 300 seconds.
  For interval interval, specify the time in seconds to recover from the error-disable state. The range is 30 to 86400.

Step 6
  Command: exit
  Purpose: Return to privileged EXEC mode.

Step 7
  Command: show ip arp inspection interfaces
           show errdisable recovery
  Purpose: Verify your settings.

Step 8
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.

Performing Validation Checks

Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
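
An added example, not part of the Cisco guide: a Python check that reads running-config text and audits it against the limits given in the rate-limiting procedure above (rate 0 to 2048 pps, burst interval 1 to 15 seconds, recovery interval 30 to 86400 seconds), flagging untrusted ports left with no ARP rate limit. The function name audit, the interface names and the sample configuration are constructed for illustration; it assumes trusted ports are marked with ip arp inspection trust and accepts the recovery interval either on the cause line, as written in Step 5, or on a separate errdisable recovery interval line.

```python
import re

# Ranges and defaults as stated in the procedure above.
RATE, BURST, RECOVERY = range(0, 2049), range(1, 16), range(30, 86401)
DEFAULT_PPS, DEFAULT_BURST, DEFAULT_RECOVERY = 15, 1, 300
LIMIT_RE = re.compile(r"ip arp inspection limit (?:none|rate (\d+)(?: burst interval (\d+))?)$")
RECOVERY_RE = re.compile(r"^errdisable recovery (?:cause arp-inspection )?interval (\d+)\s*$", re.M)

def audit(config):
    """Return (per-interface ARP limits, findings); a rate of None means no limit."""
    ifaces, findings, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        cur = cur if raw.startswith(" ") else None   # a top-level line closes the stanza
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], {"trusted": False})
        elif cur is not None and line == "ip arp inspection trust":
            cur["trusted"] = True
        elif cur is not None and (m := LIMIT_RE.match(line)):
            cur["limit"] = (int(m[1]), int(m[2] or DEFAULT_BURST)) if m[1] else (None, None)
    for name, i in ifaces.items():
        # Defaults: 15 pps on untrusted interfaces, unlimited on trusted ones.
        default = (None, None) if i["trusted"] else (DEFAULT_PPS, DEFAULT_BURST)
        rate, burst = i.pop("limit", default)
        i.update(rate=rate, burst=burst)
        if rate is None and not i["trusted"]:
            findings.append(f"{name}: untrusted port has no ARP rate limit")
        elif rate is not None and not (rate in RATE and burst in BURST):
            findings.append(f"{name}: rate {rate} pps / burst {burst} s out of range")
    m = RECOVERY_RE.search(config)
    secs = int(m[1]) if m else DEFAULT_RECOVERY
    if not re.search(r"^errdisable recovery cause arp-inspection\b", config, re.M):
        findings.append("errdisable recovery for arp-inspection is disabled (the default)")
    elif secs not in RECOVERY:
        findings.append(f"errdisable recovery interval {secs} s out of range")
    return ifaces, findings

# Constructed sample configuration (abbreviated, not taken from a real switch).
SAMPLE = """\
errdisable recovery cause arp-inspection
errdisable recovery interval 600
interface GigabitEthernet0/1
 ip arp inspection limit rate 100 burst interval 5
interface GigabitEthernet0/2
 ip arp inspection limit none
interface GigabitEthernet0/3
interface GigabitEthernet0/24
 ip arp inspection trust
"""
```

Calling audit(SAMPLE) reports only GigabitEthernet0/2, the untrusted port configured with limit none; the trusted uplink is unlimited by default and is not flagged.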