DAI inspection - Rate limit

Unanswered Question
Apr 8th, 2010
User Badges:

Hey All,


I've implemented layer 2 security for DAI and DHCP snooping etc


I've set the the following interface command for packets per second.


"ip arp inspection limit rate 100"


But I noticed printers go over the 100 now and then, and the port goes into err-disable.


So questions,


Is 100 a appropriate value? I've never had any user ports have issues as of yet.

Is there a way to make limit rate unlimited for specified mac addresses? as the printers can move around.


Many Thanks,


Alan

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Reza Sharifi Thu, 04/08/2010 - 19:28
User Badges:
  • Super Bronze, 10000 points or more
  • Cisco Designated VIP,

    2017 LAN

Hi Alan,


The values for rate limit are  between 1 and 2048 pps. You may want to raise it to a larger number and see if the printers work correctly.

For untrusted interface the default is 15pps and for trusted is unlimited.



Here is the command reference guide:

http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_arp.html#wp1012378


HTH

Reza

alanc3141592654 Thu, 04/08/2010 - 20:34
User Badges:

thanks, i've already read through the guide and know the default values.

Raising to a larger value, does make it work. But I was just wondering if there is a way to set up a access list or something, so it still works when the printer moves to a new port..?


i.e there is a arp access-list for devices with static IPs.


Maybe this is not possible.


A

Actions

This Discussion