User's Manual
26-4
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 26 Configuring Dynamic ARP Inspection
Information About Dynamic ARP Inspection
Note Depending on the setup of the DHCP server and the network, it might not be possible to validate a given 
ARP packet on all switches in the VLAN. 
Rate Limiting of ARP Packets
The switch CPU performs DAI validation checks; therefore, the number of incoming ARP packets is 
rate-limited to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 
packets per second (pps). Trusted interfaces are not rate-limited. You can change this setting by using 
the ip arp inspection limit interface configuration command.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the 
error-disabled state. The port remains in that state until you intervene. You can use the errdisable 
recovery global configuration command to enable error-disable recovery so that ports automatically 
emerge from this state after a specified timeout period.
Note Unless you configure a rate limit on an interface, changing the trust state of the interface also changes 
its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains 
the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface 
configuration command, the interface reverts to its default rate limit.
Relative Priority of ARP ACLs and DHCP Snooping Entries
DAI uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs 
only if you configure them by using the ip arp inspection filter vlan global configuration command. 
The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP 
packet, the switch also denies the packet even if a valid binding exists in the database populated by 
DHCP snooping.
Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages 
on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. 
Each log entry contains flow information, such as the receiving VLAN, the port number, the source and 
destination IP addresses, and the source and destination MAC addresses.
You use the ip arp inspection log-buffer global configuration command to configure the number of 
entries in the buffer and the number of entries needed in the specified interval to generate system 
messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging 
global configuration command. 
A log-buffer entry can represent more than one packet. For example, if an interface receives many 
packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry 
in the log buffer and generates a single system message for the entry.










