Configuring DAI
To configure ARP packet rate limiting on a port, perform this task:

Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Router(config)# interface {type¹ slot/port | port-channel number}
Purpose: Selects the interface to be configured.

Step 3
Command: Router(config-if)# ip arp inspection limit {rate pps [burst interval seconds] | none}
Purpose: (Optional) Configures ARP packet rate limiting.
Command: Router(config-if)# no ip arp inspection limit
Purpose: Clears the ARP packet rate-limiting configuration.

Step 4
Command: Router(config-if)# do show ip arp inspection interfaces
Purpose: Verifies the configuration.

1. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet

When configuring ARP packet rate limiting, note the following information:

• The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces.
• For rate pps, specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.
• The rate none keywords specify that there is no upper limit for the rate of incoming ARP packets that can be processed.
• (Optional) For burst interval seconds (default is 1), specify the consecutive interval, in seconds, over which the interface is monitored for a high rate of ARP packets. The range is 1 to 15.
• When the rate of incoming ARP packets exceeds the configured limit, the router places the port in the error-disabled state. The port remains in the error-disabled state until you enable error-disabled recovery, which allows the port to emerge from the error-disabled state after a specified timeout period.
• Unless you configure a rate-limiting value on an interface, changing the trust state of the interface also changes its rate-limiting value to the default value for the configured trust state. After you configure the rate-limiting value, the interface retains the rate-limiting value even when you change its trust state. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate-limiting value.
• For configuration guidelines about limiting the rate of incoming ARP packets on trunk ports and EtherChannel ports, see the "DAI Configuration Guidelines and Restrictions" section on page 38-6.

This example shows how to configure ARP packet rate limiting on Fast Ethernet port 5/14:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface fastethernet 5/14
Router(config-if)# ip arp inspection limit rate 20 burst interval 2
Router(config-if)# do show ip arp inspection interfaces | include Int|--|5/14
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Fa5/14           Untrusted               20                 2

Chapter 38, Configuring Dynamic ARP Inspection
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX, OL-4266-08
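
An added example, not part of the Cisco guide: a Python check that parses show ip arp inspection interfaces output in the column layout of the Fa5/14 example and flags untrusted ports with no ARP rate limit, ports with non-default limits, and trusted ports that retain an explicit limit after a trust-state change. The sample output is constructed, and the None and N/A values for unlimited ports are an assumption about how the router prints them.

```python
import re

# Constructed sample of "show ip arp inspection interfaces" output (not captured from a device).
SAMPLE = """\
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Fa5/13           Untrusted               15                 1
 Fa5/14           Untrusted               20                 2
 Fa5/15           Untrusted             None               N/A
 Gi1/1            Trusted               None               N/A
 Gi1/2            Trusted                 15                 1
"""

# Data rows only; the header and dashed separator lines do not match.
ROW = re.compile(r"^\s*(\S+)\s+(Untrusted|Trusted)\s+(\d+|None)\s+(\d+|N/A)\s*$")
DEFAULT_UNTRUSTED = (15, 1)  # guide defaults: 15 pps, 1-second burst interval

def parse(output):
    """Return a list of (interface, trust, rate, burst); rate/burst are None when unlimited."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            name, trust, rate, burst = m.groups()
            rows.append((name, trust,
                         None if rate == "None" else int(rate),
                         None if burst == "N/A" else int(burst)))
    return rows

def audit(output):
    """Map interface -> list of findings for rate-limit settings worth reviewing."""
    findings = {}
    for name, trust, rate, burst in parse(output):
        notes = []
        if trust == "Untrusted" and rate is None:
            notes.append("untrusted port has no ARP rate limit")
        elif trust == "Untrusted" and (rate, burst) != DEFAULT_UNTRUSTED:
            notes.append(f"non-default limit {rate} pps over {burst} s")
        if trust == "Trusted" and rate is not None:
            # Trusted ports default to unlimited, so a number here was configured explicitly.
            notes.append(f"explicit limit of {rate} pps retained on trusted port")
        if notes:
            findings[name] = notes
    return findings

if __name__ == "__main__":
    for intf, notes in audit(SAMPLE).items():
        print(intf, "; ".join(notes))
```

A trusted uplink that still carries a low explicit limit is worth reviewing because exceeding the limit places the port in the error-disabled state.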