OL-11615-01
To optionally configure DAI to drop packets with invalid MAC or IP addresses, use the set security
acl arp-inspection address-validation command. The following MAC addresses are considered invalid:
00-00-00-00-00-00, multicast MAC addresses (the 48th bit is set), and ff-ff-ff-ff-ff-ff (this is a
special-case multicast MAC address). The following IP addresses are considered invalid: 0.0.0.0,
255.255.255.255, and class D (multicast) IP addresses.
Console> (enable) set security acl arp-inspection address-validation {enable drop [log]}
Console> (enable) commit security acl {acl_name | all | adjacency}
This example shows how to drop the packets with the invalid MAC or IP addresses:
Console> (enable) set security acl arp-inspection address-validation enable drop
ARP Inspection address-validation feature enabled with drop option.
Console> (enable) commit security acl TrustedHosts
Console> (enable) ACL commit in progress.
ACL ' TrustedHosts' successfully committed.
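As an added illustration (not code from the Cisco document), the following Python applies the invalid-address rules listed above to the sender and target fields of a constructed ARP packet, the way address validation would before deciding to drop it. It assumes that sender fields are checked on every ARP packet and target fields only on replies (a request legitimately carries an all-zero target MAC); the page does not state which fields are inspected.

```python
import ipaddress
import struct

ZERO_MAC = bytes(6)          # 00-00-00-00-00-00
BROADCAST_MAC = b"\xff" * 6  # ff-ff-ff-ff-ff-ff, the special-case multicast address

def mac_is_invalid(mac):
    """Return why the MAC fails the listed address-validation rules, or None if it passes."""
    if mac == ZERO_MAC:
        return "all-zero MAC"
    if mac == BROADCAST_MAC:
        return "broadcast MAC"
    if mac[0] & 0x01:  # I/G bit (first bit on the wire) set: a multicast/group MAC
        return "multicast MAC"
    return None

def ip_is_invalid(ip):
    """Return why the IPv4 address (4 packed bytes) fails the listed rules, or None."""
    addr = ipaddress.IPv4Address(ip)
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return "0.0.0.0"
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "255.255.255.255"
    if addr.is_multicast:  # class D, 224.0.0.0/4
        return "class D (multicast) IP"
    return None

def build_arp(oper, sha, spa, tha, tpa):
    """Constructed 28-byte Ethernet/IPv4 ARP body, used here only to make sample input."""
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa

def validate_arp(arp):
    """Reasons an ARP body would be dropped (empty = passes). Assumed, not stated on the page:
    sender fields are checked on every packet, target fields only on replies (opcode 2)."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = arp[8:14], arp[14:18], arp[18:24], arp[24:28]
    checks = [("sender MAC", mac_is_invalid, sha), ("sender IP", ip_is_invalid, spa)]
    if oper == 2:
        checks += [("target MAC", mac_is_invalid, tha), ("target IP", ip_is_invalid, tpa)]
    reasons = []
    for field, check, value in checks:
        why = check(value)
        if why:
            reasons.append(f"{field}: {why}")
    return reasons

# Constructed samples: a normal request (passes) and a reply with forged sender fields (dropped).
GOOD_REQUEST = build_arp(1, bytes.fromhex("001122334455"), bytes([192, 0, 2, 10]), ZERO_MAC, bytes([192, 0, 2, 1]))
BAD_REPLY = build_arp(2, bytes.fromhex("01005e000001"), bytes([224, 0, 0, 1]), bytes.fromhex("001122334455"), bytes([192, 0, 2, 10]))
```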
To change the default global ARP packet rate limiting configuration, use the set security acl feature
ratelimit command. By default, ARP traffic-inspection traffic is rate limited to 500 packets per
second. The minimum value is 1, and the maximum value is 1000 packets per second. For Supervisor
Engine 720, the minimum value that is enforced by the hardware is 10 packets per second (values
between 1 and 9 are set to 10). To disable rate limiting, set the value to 0:
Console> (enable) set security acl feature ratelimit rate
This example shows how to rate limit the number of ARP traffic-inspection packets that are sent to the
CPU to 1000:
Console> (enable) set security acl feature ratelimit 1000
Dot1x DHCP and ARP Inspection global rate limit set to 1000 pps.
Console> (enable)
To enable a per-port ARP packet rate limit, perform the following steps:
Step 1 Use the set port arp-inspection command to define a drop-threshold and a shutdown-threshold. If the
rate exceeds the drop-threshold, the excess packets are dropped (and counted toward the
shutdown-threshold limit). If the rate exceeds the shutdown-threshold, the port that is specified by
mod/port is shut down. The maximum value for both thresholds is 1000 packets per second (pps):
Console> (enable) set port arp-inspection mod/port drop-threshold pps shutdown-threshold pps
Step 2 Optionally, enable error recovery from the dynamic ARP inspection error-disable state. By default, every
time the rate of incoming ARP packets exceeds the shutdown threshold, the switch places the port in the
error-disabled state. Enabling error-disable recovery allows ports to automatically emerge from this state
after a specified timeout period. Use the set errdisable-timeout command. Valid values for the timeout
interval are from 30 to 86400 seconds (30 seconds to 24 hours):
Console> (enable) set errdisable-timeout enable arp-inspection
Console> (enable) set errdisable-timeout interval {interval}
This example shows how to set an errdisable timeout of 450 seconds for ARP inspection events:
Console> (enable) set errdisable-timeout enable arp-inspection
Successfully enabled errdisable-timeout for arp-inspection.
Console> (enable) set errdisable-timeout interval 450
Successfully set errdisable timeout to 450 seconds.
Console> (enable)