We have a serious issue in our environment with the ARP inspection feature. We are enabling this feature on all our site switches and have even increased the rate limit to 100, but the ports are still going into the error-disabled state!! Sometimes we apply the command (ip arp inspection trust), but some ports still go into the err-disable state. We are getting logs like:
%SW_DAI-4-PACKET_RATE_EXCEEDED: 128 packets received in 139 milliseconds on Fa2/9.
%PM-4-ERR_DISABLE: arp-inspection error detected on Fa2/9, putting Fa2/9 in err-disable state
So what is causing this, and what about increasing the rate limit to 200 or 300, for example?
Note: The issue is happening on different switch models and different IOS versions.
We run a university campus, and we have seen a big increase in ARP traffic in the last year.
A few years ago we implemented dynamic ARP inspection on our student networks.
The default rate limit of 15 pps was initially enough.
Last year we had a lot of cases where the rate limit was triggered, and by default we now set it to 100.
This year the students are starting to come in again, and we notice quite a few connections where the limit of 100 is triggered;
even 300 often does not seem to be enough.
The "problem" seems to be client-side, caused by things like the Bonjour service or network-discovery services that generate massive amounts of ARPs.
The number of devices that cause high rates of ARP packets is increasing, as well as the amount they send.
So either we put in a lot of work to find out what all of these programs are, and then a lot of work for our helpdesk to help students disable them all, or we increase the rate limit to 2000 or something, perhaps even unlimited.
If anyone else is experiencing this, I would be interested to know how you decided to handle it.
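The PACKET_RATE_EXCEEDED lines quoted in the question and the discussion above about how high to raise the limit can be worked through with a small triage script. This is an added example, not code posted by anyone in the thread: it parses syslog lines in the format quoted above (the sample lines are constructed), converts each burst into an equivalent packets-per-second figure, compares it with an assumed configured limit of 100 pps over the IOS default burst interval of 1 second, and proposes a limit that would have covered the observed peak. The function names, the headroom factor and the sample log lines are assumptions, not anything from the original posts.

```python
import re
from dataclasses import dataclass

# Assumed configuration, matching the 100 pps mentioned in the thread and the IOS
# default burst interval (set with "ip arp inspection limit rate <pps> burst interval <s>").
CONFIGURED_RATE_PPS = 100
BURST_INTERVAL_S = 1

# Message formats as quoted in the question; groups pull out the fields we need.
RATE_EXCEEDED_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<pkts>\d+) packets received in "
    r"(?P<ms>\d+) milliseconds on (?P<port>\S+)\."
)
ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<port>\S+),"
)

# Constructed sample log; the first two lines mirror the ones quoted in the question.
SAMPLE_LOG = [
    "%SW_DAI-4-PACKET_RATE_EXCEEDED: 128 packets received in 139 milliseconds on Fa2/9.",
    "%PM-4-ERR_DISABLE: arp-inspection error detected on Fa2/9, putting Fa2/9 in err-disable state",
    "%SW_DAI-4-PACKET_RATE_EXCEEDED: 101 packets received in 980 milliseconds on Fa2/9.",
    "%SW_DAI-4-PACKET_RATE_EXCEEDED: 45 packets received in 410 milliseconds on Gi1/0/12.",
    "%LINK-3-UPDOWN: Interface Gi1/0/12, changed state to up",  # unrelated noise, ignored
]


@dataclass
class Burst:
    port: str
    packets: int
    window_ms: int

    @property
    def pps(self) -> float:
        # Equivalent sustained rate of the burst. DAI counts packets per burst
        # interval, so a short burst trips a 100 pps limit even when the
        # longer-term average on the port is far below it.
        return self.packets * 1000.0 / self.window_ms


def parse_bursts(lines):
    """Extract every rate-exceeded event; other syslog lines are skipped."""
    bursts = []
    for line in lines:
        m = RATE_EXCEEDED_RE.search(line)
        if m:
            bursts.append(Burst(m["port"], int(m["pkts"]), int(m["ms"])))
    return bursts


def errdisabled_ports(lines):
    """Ports that DAI actually put into err-disable, sorted for stable output."""
    return sorted({m["port"] for line in lines if (m := ERR_DISABLE_RE.search(line))})


def summarize(bursts, rate_pps=CONFIGURED_RATE_PPS, burst_interval_s=BURST_INTERVAL_S):
    """Per-port peak burst, its equivalent pps, and how far over the limit it was."""
    peak_per_port = {}
    for b in bursts:
        cur = peak_per_port.get(b.port)
        if cur is None or b.pps > cur.pps:
            peak_per_port[b.port] = b
    allowed = rate_pps * burst_interval_s  # packets DAI tolerates per interval
    return {
        port: {
            "packets": b.packets,
            "window_ms": b.window_ms,
            "peak_pps": round(b.pps),
            "over_limit_x": round(b.pps / rate_pps, 1),
            "packets_allowed_per_interval": allowed,
        }
        for port, b in peak_per_port.items()
    }


def suggested_limit(bursts, headroom=1.5, step=100):
    """Heuristic (an assumption, not a Cisco recommendation): smallest multiple of
    `step` that covers the highest observed burst with `headroom` margin."""
    if not bursts:
        return CONFIGURED_RATE_PPS
    needed = max(b.pps for b in bursts) * headroom
    return int(-(-needed // step) * step)  # ceiling to the next multiple of step


if __name__ == "__main__":
    bursts = parse_bursts(SAMPLE_LOG)
    for port, info in summarize(bursts).items():
        print(port, info)
    print("err-disabled:", errdisabled_ports(SAMPLE_LOG))
    print("limit covering observed peak:", suggested_limit(bursts), "pps")
```

The 128 packets in 139 ms on Fa2/9 work out to roughly 920 pps, about nine times a 100 pps limit, so no limit in the low hundreds would have kept that port up. Two knobs matter besides the raw number: `ip arp inspection limit rate <pps> burst interval <seconds>` averages the same pps figure over a longer window so short discovery bursts are tolerated, and `errdisable recovery cause arp-inspection` together with `errdisable recovery interval <seconds>` brings ports back automatically instead of requiring a manual shut/no shut. Raising the limit into the thousands or removing it weakens the protection DAI gives against ARP floods, so the script's output is input to a per-site decision, not a recommendation.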
This is interesting. We saw similar increases after the rollout of new Windows clients in our /22 subnets a couple of years ago.
We had to set the rate-limit value to 500 pps in order to achieve an acceptable number of "false positives".
I couldn't spend much time on it, but it looked like DAI took both sent and received ARP traffic into account. In any case, I saw ports being err-disabled that didn't send nearly as much as the port's rate limit was configured to.
Meanwhile the security officer decided to no longer use DAI.