32-4
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 32 Understanding and Configuring Dynamic ARP Inspection
Overview of Dynamic ARP Inspection
Relative Priority of Static Bindings and DHCP Snooping Entries
As mentioned previously, DAI populates its database of valid MAC address to IP address bindings
through DHCP snooping. It also validates ARP packets against statically configured ARP ACLs. It is
important to note that ARP ACLs have precedence over entries in the DHCP snooping database. ARP
packets are first compared to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, then
the packet will be denied even if a valid binding exists in the database populated by DHCP snooping.
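The following configuration is an added example, not taken from this guide, showing the precedence described above on a Catalyst 4500 running IOS. The VLAN number, host address, MAC address, and ACL name are hypothetical values chosen for illustration.

```cisco
! Added example (not from the Cisco guide): ARP ACL entries take precedence
! over DHCP snooping bindings. Hypothetical values: VLAN 10, a statically
! addressed host 10.1.10.50 with MAC 0000.1111.2222, ACL name STATIC-HOSTS.
!
! DHCP snooping supplies the binding database that DAI consults.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Static binding for a host that never uses DHCP (printer, server, etc.).
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0000.1111.2222
!
! Enable DAI on the VLAN and attach the ARP ACL.
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Evaluation order for an ARP packet received on an untrusted port in VLAN 10:
!   1. STATIC-HOSTS is checked first. A permit entry forwards the packet
!      without consulting the DHCP snooping database.
!   2. A deny entry drops the packet even if a valid DHCP snooping binding
!      exists for the same IP/MAC pair.
!   3. A packet matching no ACL entry is then compared against the DHCP
!      snooping bindings.
! With the "static" keyword the ACL's implicit deny becomes final, so step 3
! is skipped and only ACL-permitted packets pass:
! ip arp inspection filter STATIC-HOSTS vlan 10 static
!
! Verification
show ip arp inspection vlan 10
show arp access-list STATIC-HOSTS
show ip dhcp snooping binding
```

The `static` form is the stricter choice for VLANs where every legitimate host is known in advance; without it, hosts absent from the ACL are still admitted when they hold a valid DHCP lease.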
Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages
on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer.
Each log entry contains flow information, such as the receiving VLAN, the port number, the source and
destination IP addresses, and the source and destination MAC addresses.
You use the ip arp inspection log-buffer global configuration command to configure the number of
entries in the buffer and the number of entries needed in the specified interval to generate system
messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging
global configuration command. For configuration information, see the “Configuring the Log Buffer”
section on page 32-14.
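The following is an added example, not part of this guide, of sizing the log buffer and selecting which packets are logged with the two commands named above. Buffer size, message thresholds, and the VLAN number are hypothetical values.

```cisco
! Added example (not from the Cisco guide): DAI dropped-packet logging.
! Hypothetical values: 512-entry buffer, 10 entries per 60 s, VLAN 10.
!
! Hold up to 512 dropped-packet entries. Generate a system message when
! 10 entries accumulate within a 60-second interval; the switch clears an
! entry from the buffer once its message has been generated.
ip arp inspection log-buffer entries 512
ip arp inspection log-buffer logs 10 interval 60
!
! Select what is logged on VLAN 10:
!   acl-match matchlog   - log packets that hit ARP ACL entries carrying the
!                          "log" keyword (acl-match none disables this)
!   dhcp-bindings all    - log packets evaluated against DHCP snooping
!                          bindings, permitted and denied alike
!                          (permit = permitted only, none = no binding logs)
ip arp inspection vlan 10 logging acl-match matchlog
ip arp inspection vlan 10 logging dhcp-bindings all
!
! Each buffer entry carries the receiving VLAN, port, and the source and
! destination IP and MAC addresses of the flow.
show ip arp inspection log
!
! Empty the buffer after the entries have been reviewed.
clear ip arp inspection log
```

Logging every binding-permitted packet (`dhcp-bindings all`) is useful while validating a new deployment but fills the buffer quickly on a busy VLAN; the usual steady-state choice is to log denied packets only and keep the message threshold low enough that a sustained spoofing attempt is reported promptly.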
Rate Limiting of ARP Packets
DAI performs validation checks in the CPU, so the number of incoming ARP packets is rate-limited to
prevent a denial of service attack. By default, the rate for untrusted interfaces is set to 15 pps,
whereas trusted interfaces have no rate limit. When the rate of incoming ARP packets exceeds the
configured limit, the port is placed in the errdisable state. The port remains in that state until an
administrator intervenes. With the errdisable recovery global configuration command, you can enable
errdisable recovery so that ports emerge from this state automatically after a specified timeout period.
You use the ip arp inspection limit global configuration command to limit the rate of incoming ARP
requests and responses on the interface. Unless a rate limit is explicitly configured on an interface,
changing the trust state of the interface will also change its rate limit to the default value for that trust
state; that is, 15 packets per second for untrusted interfaces and unlimited for trusted interfaces. Once a
rate limit is configured explicitly, the interface retains the rate limit even when its trust state is changed.
At any time, the interface reverts to its default rate limit if the no form of the rate limit command is
applied. For configuration information, see the “Limiting the Rate of Incoming ARP Packets” section on
page 32-16.
Port Channels and Their Behavior
A given physical port can join a channel only when the trust state of the physical port and of the channel
match. Otherwise, the physical port remains suspended in the channel. A channel inherits its trust state
from the first physical port that joined the channel. Consequently, the trust state of the first physical port
need not match the trust state of the channel.
Conversely, when the trust state is changed on the channel, the new trust state is configured on all the
physical ports that comprise the channel.
The rate limit check on port channels is unique. The rate of incoming packets on a physical port is
checked against the port channel configuration rather than the physical ports’ configuration.
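The following is an added example, not from this guide, covering both the “Rate Limiting of ARP Packets” and “Port Channels and Their Behavior” sections: an explicit per-port ARP rate limit, errdisable recovery, and trust state applied to an EtherChannel and its members. Interface names, the channel number, and all rates and timers are hypothetical. The `ip arp inspection limit` command is entered here in interface configuration mode.

```cisco
! Added example (not from the Cisco guide): ARP rate limits, errdisable
! recovery, and trust state on a port channel. Hypothetical interfaces,
! channel number, rates, and timers.
!
! Access port, untrusted by default. Raise the limit from the default 15 pps
! to 100 pps measured over a 2-second burst interval (a port behind a hub).
interface GigabitEthernet2/5
 ip arp inspection limit rate 100 burst interval 2
! Because this limit is explicit, the port keeps 100 pps even if its trust
! state is changed later. "no ip arp inspection limit" returns the port to
! the default for its trust state (15 pps untrusted, no limit trusted).
!
! Uplink to the distribution layer as a two-member EtherChannel. Setting the
! trust state on the channel pushes it to every member; a member whose trust
! state differs from the channel's stays suspended. The ARP rate check for the
! member ports uses the channel's configuration (no limit, since it is
! trusted), not the physical ports' own settings.
interface Port-channel1
 ip arp inspection trust
!
interface range GigabitEthernet1/1 - 2
 channel-group 1 mode active
 ip arp inspection trust
!
! An untrusted port that exceeds its limit is placed in errdisable. Recover
! it automatically after 300 seconds instead of waiting for an administrator
! to issue shutdown / no shutdown.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verification
show ip arp inspection interfaces
show etherchannel summary
show errdisable recovery
show interfaces status err-disabled
```

Automatic recovery keeps a legitimately busy port from staying down indefinitely, but a port that is repeatedly errdisabled and recovered should be investigated rather than given a higher limit: a host sending ARP at hundreds of packets per second is either misconfigured or attempting to poison the ARP caches of its neighbors.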