20-11
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-06
Chapter 20 Configuring Dynamic ARP Inspection
Note: Unless you configure a rate limit on an interface, changing the trust state of the interface also changes
its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains
the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit command in
interface configuration mode, the interface reverts to its default rate limit.
For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP
Inspection Configuration Guidelines” section on page 20-6.
Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This
procedure is optional.
To return to the default rate-limit configuration, use the no ip arp inspection limit command in
interface configuration mode. To disable error recovery for dynamic ARP inspection, use the
no errdisable recovery cause arp-inspection command in global configuration mode.
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 2
  Command: interface interface-id
  Purpose: Specify the interface to be rate-limited, and enter interface configuration mode.

Step 3
  Command: no shutdown
  Purpose: Enable the port, if necessary. By default, UNIs and ENIs are disabled, and NNIs are enabled.

Step 4
  Command: ip arp inspection limit {rate pps [burst interval seconds] | none}
  Purpose: Limit the rate of incoming ARP requests and responses on the interface.
    The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces.
    The burst interval is 1 second.
    The keywords have these meanings:
    - For rate pps, specify an upper limit for the number of incoming packets processed per
      second. The range is 0 to 2048 pps.
    - (Optional) For burst interval seconds, specify the consecutive interval in seconds, over
      which the interface is monitored for a high rate of ARP packets. The range is 1 to 15.
    - For rate none, specify no upper limit for the rate of incoming ARP packets that can be
      processed.

Step 5
  Command: exit
  Purpose: Return to global configuration mode.

Step 6
  Command: errdisable recovery cause arp-inspection interval interval
  Purpose: (Optional) Enable error recovery from the dynamic ARP inspection error-disable state.
    By default, recovery is disabled, and the recovery interval is 300 seconds.
    For interval interval, specify the time in seconds to recover from the error-disable state.
    The range is 30 to 86400.

Step 7
  Command: exit
  Purpose: Return to privileged EXEC mode.

Step 8
  Commands: show ip arp inspection interfaces
            show errdisable recovery
  Purpose: Verify your settings.

Step 9
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
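
The procedure above carried through once, as an added example that is not taken from the guide. The interface name FastEthernet0/1, the Switch prompt, and the values 100 pps, 5 seconds and 120 seconds are assumptions chosen within the documented ranges. Error recovery is entered here as two global commands, the cause and the interval; the interval set by errdisable recovery interval applies to every enabled recovery cause, not only arp-inspection.

```cisco
! Added example: constructed values, hypothetical interface name.
Switch# configure terminal
! Step 2: select the untrusted port to be rate-limited.
Switch(config)# interface fastethernet0/1
! Step 3: UNIs and ENIs are disabled by default, so enable the port.
Switch(config-if)# no shutdown
! Step 4: allow at most 100 incoming ARP packets per second,
! monitored over a 5-second burst interval (range 1 to 15).
Switch(config-if)# ip arp inspection limit rate 100 burst interval 5
! Step 5: back to global configuration mode.
Switch(config-if)# exit
! Step 6 (optional): let ports that were error-disabled by dynamic ARP
! inspection recover automatically; recovery is disabled by default.
Switch(config)# errdisable recovery cause arp-inspection
! Recovery timer in seconds (range 30 to 86400, default 300).
Switch(config)# errdisable recovery interval 120
! Step 7: back to privileged EXEC mode.
Switch(config)# exit
! Step 8: confirm the per-interface rate and burst interval,
! and that arp-inspection recovery is enabled with the new timer.
Switch# show ip arp inspection interfaces
Switch# show errdisable recovery
! Step 9 (optional): persist the configuration.
Switch# copy running-config startup-config
```

Because the rate limit was configured explicitly, this port keeps 100 pps even if its trust state is changed later; entering no ip arp inspection limit on the interface returns it to the default for its trust state.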