34-4
Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
Chapter 34 Understanding and Configuring Dynamic ARP Inspection
Overview of Dynamic ARP Inspection
Relative Priority of Static Bindings and DHCP Snooping Entries
As mentioned previously, DAI populates its database of valid MAC address to IP address bindings
through DHCP snooping. It also validates ARP packets against statically configured ARP ACLs. It is
important to note that ARP ACLs have precedence over entries in the DHCP snooping database. ARP
packets are first compared to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, then
the packet will be denied even if a valid binding exists in the database populated by DHCP snooping.
Logging of Denied Packets
DAI maintains a log of denied IP ARP packets. Log messages are generated at a controlled rate, and log
entries are cleared once messages are generated on their behalf.
Rate Limiting of ARP Packets
DAI performs validation checks in the CPU, so the number of incoming ARP packets is rate-limited to
prevent a denial of service attack. By default, the rate for untrusted interfaces is set to 15 packets per
second, whereas trusted interfaces have no rate limit. When the rate of incoming ARP packets exceeds
the configured limit, the port is placed in the errdisable state. The port remains in that state until an
administrator intervenes. You can enable errdisable recovery so that ports emerge from this state
automatically after a specified timeout period.
Unless a rate limit is explicitly configured on an interface, changing the trust state of the interface will
also change its rate limit to the default value for that trust state; that is, 15 packets per second for
untrusted interfaces and unlimited for trusted interfaces. Once a rate limit is configured explicitly, the
interface retains the rate limit even when its trust state is changed. At any time, the interface reverts to
its default rate limit if the no form of the rate limit command is applied.
Port Channels and Their Behavior
A given physical port can join a channel only when the trust state of the physical port and of the channel
match. Otherwise, the physical port remains suspended in the channel. A channel inherits its trust state
from the first physical port that joined the channel. Consequently, the trust state of the first physical port
need not match the trust state of the channel.
Conversely, when the trust state is changed on the channel, the new trust state is configured on all the
physical ports that comprise the channel.
The rate limit check on port channels is unique. The rate of incoming packets on a physical port is
checked against the port channel configuration rather than the physical port's configuration.
The rate limit configuration on a port channel is independent of the configuration on its physical ports.
The rate limit is cumulative across all physical ports; that is, the rate of incoming packets on a port
channel equals the sum of rates across all physical ports.
When you configure rate limits for ARP packets on trunks, you must account for VLAN aggregation
because a high rate limit on one VLAN can cause a “denial of service” attack to other VLANs when the
port is errdisabled by software. Similarly, when a port channel is errdisabled, a high rate limit on one
physical port can cause other ports in the channel to go down.
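The behaviors described in this section (ARP ACL precedence, log buffering, the 15 pps default with errdisable recovery, and port-channel trust and rate-limit handling) as one added example configuration in Catalyst IOS syntax; it is not taken from the guide. VLAN 10, the interface numbers, the ACL name, the host and gateway addresses and the rate values are assumed.

```cisco
! Added example, not from the guide. VLAN 10, interface numbers, the
! ACL name and the addresses 10.1.10.50 / 0011.2233.4455 / 10.1.10.1 are assumed.
!
! DHCP snooping builds the binding database that DAI validates against.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! ARP ACL: checked before the snooping database. A deny here drops the
! packet even if snooping holds a valid binding for that IP/MAC pair.
! The real gateway sits behind a trusted port, so it is never inspected.
arp access-list DAI-STATIC
 permit ip host 10.1.10.50 mac host 0011.2233.4455
 deny ip host 10.1.10.1 mac any log
ip arp inspection filter DAI-STATIC vlan 10
!
! Denied packets are logged at a controlled rate (entries, then rate).
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 32 interval 10
!
! Ports errdisabled for exceeding their ARP rate recover after 5 minutes.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Untrusted access port with an explicit limit: an explicit limit is kept
! even if the trust state is changed later; without it, the default for an
! untrusted port is 15 pps ("no ip arp inspection limit" returns to default).
interface GigabitEthernet1/1
 switchport access vlan 10
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 1
!
! Trusted uplink: not inspected and not rate-limited by default.
interface GigabitEthernet1/48
 switchport mode trunk
 ip arp inspection trust
!
! Port channel: members join only if their trust state matches the channel's,
! and ARP from all members is summed against the channel's limit, so the
! limit accounts for both members and the VLANs carried on the trunk.
interface Port-channel1
 switchport mode trunk
 no ip arp inspection trust
 ip arp inspection limit rate 100 burst interval 1
interface range GigabitEthernet1/2 - 3
 switchport mode trunk
 no ip arp inspection trust
 channel-group 1 mode on
```

Verify the resulting trust state and effective rate limit per interface with `show ip arp inspection interfaces`, and the ACL and snooping checks for the VLAN with `show ip arp inspection vlan 10`.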
