Rate Limiting Incoming ARP Packets
Because the switch CPU performs the DAI, there is a potential for an ARP flood denial-of-service (DoS) attack
resulting in performance degradation. To prevent this, ARP packets can be rate limited using the ip arp
inspection limit command from the interface configuration mode to limit the rate of incoming ARP requests
and responses. By default, 15 pps (packets per second) is allowed on untrusted interfaces; however, there is no
limit on trusted interfaces. The burst interval is 1 second.
When the rate of incoming ARP packets exceeds the configured thresholds, the port is placed in the error-disabled
state. The port will remain in this state until the user intervenes or the errdisable recovery cause
arp-inspection interval [seconds] command is enabled, so that ports can automatically recover from this
state after a defined timeout period.
Use the show ip arp inspection interfaces command to display the trust state, the rate limit (pps stands for packets per
second), and the burst interval configured for the interfaces.
Use the show ip arp inspection vlan [vlan# or range] command to display the DAI configuration and the
operation state of the VLANs configured on the switch.
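
The settings described above, put together as an added example (not configuration from the original page). The interface names, VLAN 10, the 100 pps value and the 300-second timer are assumptions chosen for illustration; the recovery cause and the recovery timer are entered here as two separate global commands.

```cisco
! Constructed example: interface names, VLAN 10 and the numeric values are
! assumptions, not taken from the original page.
!
! Enable DAI on the VLAN so the per-interface limits below apply.
ip arp inspection vlan 10
!
! Access port facing end hosts: untrusted. 15 pps with a 1-second burst
! interval is the default; stating it makes the intent visible in the config.
interface GigabitEthernet1/0/10
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 1
!
! Untrusted port that aggregates many hosts (for example a downstream switch
! without DAI). The default 15 pps can be exceeded by legitimate traffic and
! err-disable the port, so the limit is raised rather than removed.
interface GigabitEthernet1/0/47
 ip arp inspection limit rate 100 burst interval 1
!
! Uplink to a switch that performs DAI itself: trusted, so ARP packets are
! not inspected and no rate limit applies by default.
interface GigabitEthernet1/0/48
 ip arp inspection trust
!
! Automatic recovery from the error-disabled state caused by the ARP rate
! limit. The interval is a global timer shared by every enabled errdisable
! recovery cause, not only arp-inspection.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verification, from privileged EXEC mode:
!   show ip arp inspection interfaces   (trust state, rate in pps, burst interval)
!   show ip arp inspection vlan 10      (DAI configuration and operation state)
!   show errdisable recovery            (enabled causes and the timer)
```

Without automatic recovery, a port that trips the limit stays down until it is re-enabled manually, typically with shutdown followed by no shutdown on the interface.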