The rate limit for an EtherChannel is applied separately to each switch in a stack. For example, if a limit
of 20 pps is configured on the EtherChannel, each switch with ports in the EtherChannel can carry up to
20 pps. If any switch exceeds the limit, the entire EtherChannel is placed into the error-disabled state.
Note
Relative Priority of ARP ACLs and DHCP Snooping Entries
Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP-to-MAC address
bindings.
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only
if you configure them by using the ip arp inspection filter vlan global configuration command. The switch
first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the
switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a
rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log
entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP
addresses, and the source and destination MAC addresses.
You use the ip arp inspection log-buffer global configuration command to configure the number of entries
in the buffer and the number of entries needed in the specified interval to generate system messages. You
specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration
command.
Default Dynamic ARP Inspection Configuration
Default SettingsFeature
Disabled on all VLANs.Dynamic ARP inspection
All interfaces are untrusted.Interface trust state
The rate is 15 pps on untrusted interfaces, assuming
that the network is a switched network with a host
connecting to as many as 15 new hosts per second.
The rate is unlimited on all trusted interfaces.
The burst interval is 1 second.
Feature
No ARP ACLs are defined.Dynamic ARP inspection
No checks are performed.Interface trust state
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
200 OL-29434-01
Configuring Dynamic ARP Inspection
Relative Priority of ARP ACLs and DHCP Snooping Entries
To Next Page
Loading...
Need help?
General