Cisco Support Community
Community Member

arp inspection limit

Can anyone help explain to me the way that arp inspection packet per second limiting works when enabling burst. For example, if my config is "ip arp inspection limit rate 25 burst 3", does the switch check every three seconds to see if arp packets were beyond the threshold every second of that interval? Is it simply checking every three seconds to see if the total arp packets are above 75 for the entire interval? Is it checking every three seconds or every second for the prior three second interval?

I am having a consistent issue with multiple devices in one building violating our arp packet per second limit.  Is anyone else using a burst interval, and have you come across any client hardware that consistently violates the pps limit? What is your pps limit?

Community Member

Initially we used the default

Initially we used the default settings, ie 15 pps, but since the migration of the park in Win7 we had problems (probably Windows network discovery):
% SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 855 milliseconds on Fa0/1.

So we set the threshold at 64 pps with a burst of three seconds (ip arp inspection limit rate 64 burst interval 3)

Recently I had a user who exceeded the threshold:
% SW_DAI-4-PACKET_BURST_RATE_EXCEEDED: 279 packets received in 3 seconds on Fa0/35.

The message in the logs, suggests that if the threshold is exceeded per second, you can expect to see the value of 3 seconds. The threshold would be your value multiplied by the duration of the burst threshold (ie 64x3 = 192?). I'm not sure.

CreatePlease to create content