Specifications

set arpinspection limit
SecureStack B2 Configuration Guide 18-23
Example
This example adds the optional verification that sender MAC addresses are the same as the source MAC addresses in the Ethernet headers of ARP packets.
B2(su)->set arpinspection validate src-mac
set arpinspection limit
Use this command to configure rate limiting parameters for incoming ARP packets on a port or ports.
Syntax
set arpinspection limit port port-string {none | rate pps [burst interval secs]}
Parameters
port-string          Specifies the port or ports to which to apply these rate limiting
                     parameters.
none                 Configures no limit on incoming ARP packets.
rate pps             Specifies a rate limit in packets per second. The value of pps can
                     range from 0 to 100 packets per second.
burst interval secs  Specifies a burst interval in seconds. The value of secs can range
                     from 1 to 15 seconds.
Defaults
Rate = 15 packets per second
Burst Interval = 1 second
Mode
Switch command, read-write.
Usage
To protect the switch against DHCP attacks when DAI is enabled, the DAI application enforces a rate limit for ARP packets received on untrusted interfaces. DAI monitors the receive rate on each interface separately. If the receive rate exceeds the limit configured with this command, DAI disables the interface, which effectively brings down the interface. You can use the set port enable command to reenable the port.
You can configure both the rate and the burst interval. The default rate is 15 pps on each untrusted interface with a range of 0 to 100 pps. The default burst interval is 1 second with a range of 1 to 15 seconds. The rate limit cannot be set on trusted interfaces since ARP packets received on trusted interfaces do not come to the CPU.
Example
This example sets the rate to 20 packets per second and the burst interval to 2 seconds on ports ge.1.1 and ge.1.2.
B2(su)->set arpinspection limit port ge.1.1-2 rate 20 burst interval 2
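The following Python script is an added example, not part of the original guide or any vendor tooling. It audits saved "set arpinspection limit" lines against the ranges documented in this section and flags ports configured with none. The names audit, expand_ports and SAMPLE are hypothetical. It assumes that a command without "burst interval" keeps the 1 second default and that port strings are either a single port or a simple range like ge.1.1-2.

```python
import re

# Ranges and default burst interval as stated in this section of the guide.
RATE_RANGE, BURST_RANGE, DEFAULT_BURST = (0, 100), (1, 15), 1

CMD = re.compile(
    r"set arpinspection limit port (?P<ports>\S+) "
    r"(?:(?P<none>none)|rate (?P<pps>\d+)(?: burst interval (?P<secs>\d+))?)\s*$"
)

def expand_ports(port_string):
    """Expand a simple range such as ge.1.1-2 into [ge.1.1, ge.1.2] (assumed form)."""
    m = re.fullmatch(r"(.+\.)(\d+)-(\d+)", port_string)
    if not m:
        return [port_string]
    prefix, first, last = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{n}" for n in range(first, last + 1)]

def audit(config_text):
    """Return {port: (rate, burst, findings)}; later lines override earlier ones."""
    result = {}
    for line in config_text.splitlines():
        m = CMD.search(line)
        if not m:
            continue  # not a rate limit command
        findings = []
        if m.group("none"):
            rate, burst = None, None
            findings.append("no ARP rate limit")
        else:
            rate = int(m.group("pps"))
            burst = int(m.group("secs") or DEFAULT_BURST)  # assumed default when omitted
            if not RATE_RANGE[0] <= rate <= RATE_RANGE[1]:
                findings.append("rate outside 0-100 pps")
            if not BURST_RANGE[0] <= burst <= BURST_RANGE[1]:
                findings.append("burst interval outside 1-15 secs")
        for port in expand_ports(m.group("ports")):
            result[port] = (rate, burst, findings)
    return result

# Constructed sample lines for illustration (not captured from a real switch).
SAMPLE = """\
B2(su)->set arpinspection limit port ge.1.1-2 rate 20 burst interval 2
B2(su)->set arpinspection limit port ge.1.3 none
B2(su)->set arpinspection limit port ge.1.4 rate 150
"""

if __name__ == "__main__":
    for port, (rate, burst, findings) in audit(SAMPLE).items():
        print(port, rate, burst, "; ".join(findings) or "ok")
```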