Cisco WS-C3560E-48PD-SF Command Reference - Page 161
ip arp inspection limit
Chapter 2 Catalyst 3560 Switch Cisco IOS Commands
ip arp inspection limit

ip arp inspection limit

Use the ip arp inspection limit interface configuration command to limit the rate of incoming Address Resolution Protocol (ARP) requests and responses on an interface. It prevents dynamic ARP inspection from using all of the switch resources if a denial-of-service attack occurs. Use the no form of this command to return to the default settings.

ip arp inspection limit {rate pps [burst interval seconds] | none}

no ip arp inspection limit

Syntax Description

rate pps                  Specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 packets per second (pps).

burst interval seconds    (Optional) Specify the consecutive interval in seconds, over which the interface is monitored for a high rate of ARP packets. The range is 1 to 15 seconds.

none                      Specify no upper limit for the rate of incoming ARP packets that can be processed.

Defaults

The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all trusted interfaces.

The burst interval is 1 second.

Command Modes

Interface configuration

Command History

Release       Modification
12.2(20)SE    This command was introduced.

Usage Guidelines

The rate applies to both trusted and untrusted interfaces. Configure appropriate rates on trunks to process packets across multiple dynamic ARP inspection-enabled VLANs, or use the none keyword to make the rate unlimited.

After a switch receives more than the configured rate of packets every second consecutively over a number of burst seconds, the interface is placed into an error-disabled state.

Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.

You should configure trunk ports with higher rates to reflect their aggregation. When the rate of incoming packets exceeds the user-configured rate, the switch places the interface into an error-disabled state. The error-disabled recovery feature automatically removes the port from the error-disabled state according to the recovery setting.

78-16405-05 Catalyst 3560 Switch Command Reference 2-129
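As an added illustration, not Cisco's code or part of this reference, the following Python model reproduces the interface behaviour the usage guidelines describe: the default limit per trust state, an explicit limit surviving a trust-state change, and the burst-interval rule that places the interface in the error-disabled state. The class and method names and the per-second packet counts fed to it are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

# Limits and defaults as stated in the command reference above.
DEFAULT_UNTRUSTED_RATE, DEFAULT_BURST_INTERVAL = 15, 1   # pps, seconds
MAX_RATE, MAX_BURST = 2048, 15

@dataclass
class ArpInspectionInterface:
    """Hypothetical model of one interface under dynamic ARP inspection rate limiting."""
    name: str
    trusted: bool = False
    configured: bool = False        # True once `ip arp inspection limit ...` has been entered
    rate: Optional[int] = None      # pps; None together with configured=True models the `none` keyword
    burst_interval: int = DEFAULT_BURST_INTERVAL
    err_disabled: bool = False
    over_limit_seconds: int = 0     # consecutive seconds above the limit

    @property
    def effective_rate(self) -> Optional[int]:
        """Limit in force (None = unlimited): an explicit setting wins over the trust-state default."""
        if self.configured:
            return self.rate
        return None if self.trusted else DEFAULT_UNTRUSTED_RATE

    def configure_limit(self, rate: Optional[int], burst_interval: int = DEFAULT_BURST_INTERVAL) -> None:
        """`ip arp inspection limit {rate pps [burst interval seconds] | none}`; rate=None means none."""
        if rate is not None and not 0 <= rate <= MAX_RATE:
            raise ValueError(f"rate must be 0..{MAX_RATE} pps")
        if not 1 <= burst_interval <= MAX_BURST:
            raise ValueError(f"burst interval must be 1..{MAX_BURST} seconds")
        self.configured, self.rate, self.burst_interval = True, rate, burst_interval

    def no_limit(self) -> None:
        """`no ip arp inspection limit`: fall back to the default for the current trust state."""
        self.configured, self.rate, self.burst_interval = False, None, DEFAULT_BURST_INTERVAL

    def observe_second(self, arp_packets: int) -> bool:
        """Feed one second's ARP packet count; return True if the interface is error-disabled."""
        if self.err_disabled:
            return True
        limit = self.effective_rate
        if limit is None or arp_packets <= limit:
            self.over_limit_seconds = 0          # a second within the limit restarts the burst window
            return False
        self.over_limit_seconds += 1
        if self.over_limit_seconds >= self.burst_interval:
            self.err_disabled = True             # over the rate every second across the burst interval
        return self.err_disabled
```

With the default burst interval of 1 second, a single second above the limit is enough to error-disable an untrusted port, which is why the reference recommends higher rates or none on trunks.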