32-5
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 32 Understanding and Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
The rate limit configuration on a port channel is independent of the configuration on its physical ports.
The rate limit is cumulative across all physical ports; that is, the rate of incoming packets on a port
channel equals the sum of rates across all physical ports.
When you configure rate limits for ARP packets on trunks, you must account for VLAN aggregation
because a high rate limit on one VLAN can cause a “denial of service” attack to other VLANs when the
port is errdisabled by software. Similarly, when a port channel is errdisabled, a high rate limit on one
physical port can cause other ports in the channel to go down.
Configuring Dynamic ARP Inspection
These sections describe how to configure dynamic ARP inspection on your switch:
Configuring Dynamic ARP Inspection in DHCP Environments, page 32-5 (required)
Configuring ARP ACLs for Non-DHCP Environments, page 32-10 (optional)
Configuring the Log Buffer, page 32-14 (optional)
Limiting the Rate of Incoming ARP Packets, page 32-16 (optional)
Performing Validation Checks, page 32-18 (optional)

Configuring Dynamic ARP Inspection in DHCP Environments

This procedure shows how to configure dynamic ARP inspection when two switches support this feature.
Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in Figure 32-3. Both
switches are running dynamic ARP inspection on VLAN 100 where the hosts are located. A DHCP
server is connected to Switch A. Both hosts acquire their IP addresses from the same DHCP server.
Therefore, Switch A has the bindings for Host 1, and Switch B has the bindings for Host 2.
Figure 32-3 ARP Packet Validation on a VLAN Enabled for Dynamic ARP Inspection
Note: Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify
IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP
snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration
information, see Chapter 31, “Configuring DHCP Snooping and IP Source Guard.”
[Figure 32-3 diagram labels: DHCP server, Switch A, Switch B, Host 1, Host 2, Port 1, Port 3]
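The binding check that the Note above describes, as an added example that is not from the Cisco guide: a simplified Python model that parses an ARP payload and compares its sender IP and MAC with a per-switch DHCP snooping binding table for VLAN 100. The MAC and IP addresses, the port names, and the table layout are constructed assumptions, and the model covers only the binding lookup, not the switch's full behavior.

```python
import socket
import struct

# Constructed sample data: MACs, IPs and port names are illustrative only.
HOST1 = ("00:00:5e:00:53:01", "192.0.2.11")
HOST2 = ("00:00:5e:00:53:02", "192.0.2.12")

# Simplified DHCP snooping binding tables: (vlan, ip) -> (mac, port).
# Each switch only learns bindings for the host attached to it.
SWITCH_A = {(100, HOST1[1]): (HOST1[0], "Gi1/1")}
SWITCH_B = {(100, HOST2[1]): (HOST2[0], "Gi1/2")}


def mac_bytes(mac):
    """Convert aa:bb:cc:dd:ee:ff notation to 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP payload (op 1 = request, 2 = reply)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
            + mac_bytes(target_mac) + socket.inet_aton(target_ip))


def inspect(bindings, vlan, port, arp):
    """Return (permitted, reason) for an ARP payload received on a host port."""
    if len(arp) < 28:
        return False, "truncated ARP payload"
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return False, "not an Ethernet/IPv4 ARP payload"
    sender_mac = arp[8:14].hex(":")
    sender_ip = socket.inet_ntoa(arp[14:18])
    entry = bindings.get((vlan, sender_ip))
    if entry is None:
        # Also the outcome when DHCP snooping never populated the table.
        return False, "no binding for sender IP"
    if entry != (sender_mac, port):
        return False, "sender MAC or port does not match binding"
    return True, "matches binding"
```

An empty table, which is what the switch has when DHCP snooping is not enabled, denies every dynamically addressed host in this model.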