set arpinspection limit

Example

This example adds the optional verification that sender MAC addresses are the same as the source MAC addresses in the Ethernet headers of ARP packets.

C3(su)->set arpinspection validate src-mac

set arpinspection limit

Use this command to configure rate limiting parameters for incoming ARP packets on a port or ports.

Syntax

set arpinspection limit port port-string {none | rate pps [burst interval secs]}

Parameters

port-string

Specifies the port or ports to which to apply these rate limiting parameters.

none

Configures no limit on incoming ARP packets.

rate pps

Specifies a rate limit in packets per second. The value of pps can range from 0 to 100 packets per second.

burst interval secs

Specifies a burst interval in seconds. The value of secs can range from 1 to 15 seconds.

Defaults

Rate = 15 packets per second

Burst Interval = 1 second

Mode

Switch command, read-write.

Usage

To protect the switch against DHCP attacks when DAI is enabled, the DAI application enforces a rate limit for ARP packets received on untrusted interfaces. DAI monitors the receive rate on each interface separately. If the receive rate exceeds the limit configured with this command, DAI disables the interface, which effectively brings down the interface. You can use the set port enable command to reenable the port.

You can configure both the rate and the burst interval. The default rate is 15 pps on each untrusted interface, with a range of 0 to 100 pps. The default burst interval is 1 second, with a range of 1 to 15 seconds. The rate limit cannot be set on trusted interfaces, since ARP packets received on trusted interfaces are not sent to the CPU.

Example

This example sets the rate to 20 packets per second and the burst interval to 2 seconds on ports ge.1.1 and ge.1.2.

C3(su)->set arpinspection limit port ge.1.1-2 rate 20 burst interval 2
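The following Python model is added here to make the rate and burst-interval behaviour described under Usage concrete; it is not Enterasys code and does not reflect the switch's internal implementation. It assumes (an assumption, not stated on the page) that the allowance over a burst interval is rate multiplied by the interval, so the example command above (rate 20, burst interval 2) tolerates up to 40 ARP packets in any 2-second window, and that exceeding the allowance disables the port until an operator re-enables it with set port enable. The traffic samples are constructed.

```python
"""Per-port DAI ARP rate-limit model (illustration only, not Enterasys code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional


@dataclass
class PortLimit:
    """Rate-limit state for one untrusted port."""
    rate_pps: Optional[int]            # None models the `none` keyword (no limit)
    burst_secs: int = 1                # burst interval, 1..15 seconds per the page
    window: Deque[float] = field(default_factory=deque)  # arrival times in window
    disabled: bool = False

    def __post_init__(self) -> None:
        # Enforce the documented parameter ranges.
        if self.rate_pps is not None and not 0 <= self.rate_pps <= 100:
            raise ValueError("rate must be 0..100 pps")
        if not 1 <= self.burst_secs <= 15:
            raise ValueError("burst interval must be 1..15 seconds")

    def receive(self, ts: float) -> bool:
        """Record one ARP packet arriving at time ts (seconds).

        Returns True if the port is still enabled after this packet.
        """
        if self.disabled:
            return False
        if self.rate_pps is None:
            return True                # `none`: no limit enforced
        self.window.append(ts)
        # Forget packets that have fallen out of the burst-interval window.
        while self.window and ts - self.window[0] >= self.burst_secs:
            self.window.popleft()
        # Assumption: the allowance per window is rate * burst interval.
        if len(self.window) > self.rate_pps * self.burst_secs:
            self.disabled = True       # DAI brings the interface down
        return not self.disabled

    def enable(self) -> None:
        """Operator re-enables the port (set port enable); counters reset."""
        self.disabled = False
        self.window.clear()


def simulate(limit: PortLimit, timestamps: List[float]) -> Optional[int]:
    """Feed arrival times in order; return the index of the packet that
    disabled the port, or None if the port stayed up."""
    for i, ts in enumerate(timestamps):
        if not limit.receive(ts):
            return i
    return None


def demo() -> dict:
    """Run constructed traffic through several limit settings."""
    # Constructed: 40 ARP packets evenly spread over 2 s (a steady 20 pps).
    steady = [i * 0.05 for i in range(40)]
    # Constructed: 45 ARP packets crammed into the first second.
    flood = [i * (1.0 / 45) for i in range(45)]
    return {
        # The page's example: rate 20, burst interval 2 -> 40 packets per 2 s.
        "steady_20pps": simulate(PortLimit(20, 2), steady),
        "flood_45_in_1s": simulate(PortLimit(20, 2), flood),
        # Default limit (15 pps over 1 s) is exceeded by steady 20 pps traffic.
        "default_vs_steady": simulate(PortLimit(15, 1), steady),
        # rate 0 disables the port on the very first ARP packet.
        "rate_0": simulate(PortLimit(0, 1), steady),
        # `none` never disables the port.
        "none_vs_flood": simulate(PortLimit(None), flood),
    }


if __name__ == "__main__":
    for name, idx in demo().items():
        print(f"{name}: {'port stayed up' if idx is None else f'disabled at packet {idx}'}")
```

The "default_vs_steady" case is the one worth noticing: a host that legitimately sends 20 ARP requests per second trips the default 15 pps limit, which is why the page lets you raise the rate and widen the burst interval per port rather than globally.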

SecureStack C3 Configuration Guide 17-23

Enterasys Networks 9034313-07 manual Set arpinspection limit, None