Cisco Systems WSC4500X16SFP Relative Priority of Static Bindings and DHCP Snooping Entries, Logging of Dropped Packets, Rate Limiting of ARP Packets, Port Channels and Their Behavior

32-4

Software Configuration Guide—Release 12.2(25)SG

OL-7659-03

Chapter32 Understanding and Configuring Dynamic ARP Inspection

Overview of Dynamic ARP Inspection

Relative Priority of Static Bindings and DHCP Snooping Entries

As mentioned previously, DAI populates its database of valid MAC address to IP address bindings

through DHCP snooping. It also validates ARP packets against statically configured ARP ACLs. It is

important to note that ARP ACLs have precedence over entries in the DHCP snooping database. ARP

packets are first compared to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, then

the packet will be denied even if a valid binding exists in the database populated by DHCP snooping.

Logging of Dropped Packets

When the switch drops a packet, it places an entry in the log buffer and then generates system messages

on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer.

Each log entry contains flow information, such as the receiving VLAN, the port num ber, the source and

destination IP addresses, and the source and destination MAC addresses.

You use the ip arp inspection log-buffer global configuration command to configure the number of

entries in the buffer and the number of entries needed in the specified interval to generate system

messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging

global configuration command. For configuration information, see the “Configuring t he Log Buffer”

section on page 32-14.

Rate Limiting of ARP Packets

DAI performs validation checks in the CPU, so the number of incoming ARP packets is rate-limited to

prevent a denial of service attack. By default, the rate for untrusted interfaces is set to 15 pps second,

whereas trusted interfaces have no rate limit. When the rate of incoming ARP packets exceeds the

configured limit, the port is placed in the errdisable state. The port remains in that state until an

administrator intervenes. With the errdisable recovery global configuration command, you can enable

errdisable recovery so that ports emerge from this state automatically after a specified timeout period.

You use the ip arp inspection limit global configuration command to limit the rate of incoming ARP

requests and responses on the interface. Unless a rate limit is explicitly configured on an interface,

changing the trust state of the interface will also change its rate limit to the default value for that trust

state; that is, 15 packets per second for untrusted interfaces and unlimited for trusted interfaces. Once a

rate limit is configured explicitly, the interface retains the rate limit even when its trust state is changed.

At any time, the interface reverts to its default rate limit if the no form of the rate limit command is

applied. For configuration information, see the “Limiting the Rate of Incoming ARP Packets” section on

page 32-16.

Port Channels and Their Behavior

A given physical port can join a channel only when the trust state of the physical por t and of the channel

match. Otherwise, the physical port remains suspended in the channel. A channel inh erits its trust state

from the first physical port that joined the channel. Consequent ly, the trust state of the first physical port

need not match the trust state of the ch annel.

Conversely, when the trust state is changed on the channel, the new trust state is configured on all the

physical ports that comprise the channel.

The rate limit check on port channels is unique. The rate of incoming packets on a physica l port is

checked against the port channel configuration rather than the physical ports’ configuration.