Configure Port Dynamic ARP Inspection Function
Configuration Condition
Before configuring the port Dynamic ARP Inspection function, first complete the following task:
- Configure the port IP Source Guard binding entry
Configure Port Dynamic ARP Inspection
After the port DAI function is enabled, the system checks the validity of every ARP packet received on the port against the IP Source Guard binding entries. Invalid packets are dropped and recorded in the logs.
Each log records the VLAN ID, receiving port, sender IP address, destination IP address, sender MAC address, destination MAC address and the number of identical invalid ARP packets. The user can analyze this information further, for example to locate the host that sent the ARP packets.
By default, the log information is output periodically. The recording, output and aging of the logs are controlled by configuring the log output interval, which serves as the basis for the following log parameters:
- Log refresh period: Used to judge whether the logs need to be output and aged. If the configured log output interval is smaller than 5s, the log refresh period is 1s. Otherwise, the log refresh period is 1/5 of the log output interval.
- Log age time: When the age time expires, the logs are deleted. The log age time is equal to the log output interval.
- Log token: The maximum number of logs permitted to be recorded within one log refresh period. The number of log tokens is 15 times the log refresh period.
After enabling the port DAI function, the port ARP rate limitation function can also be configured. It limits the number of ARP packets processed per second, so that other protocol packets are not delayed while the system spends a long time processing large numbers of ARP packets.
- Once the number of ARP packets received in one second exceeds the rate threshold, the subsequently received ARP packets are dropped. If the ARP packets received by the port exceed the rate for 20 successive seconds, the port is disabled to isolate the source of the packet impact.
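As an added example (not the vendor's code), the Python below models the port DAI behaviour described above: validation of ARP packets against IP Source Guard binding entries, aggregation of invalid packets into logs with the refresh period, age time and token count derived from the log output interval, and the port ARP rate limit with its 20-second disable rule. The binding entry, packets and port name are constructed sample data; treating all packets as arriving within one refresh period and rounding 1/5 of the interval down are assumptions.

```python
from collections import defaultdict, namedtuple

# Field order of an IP Source Guard binding entry and of an inspected ARP packet.
Binding = namedtuple("Binding", "vlan port ip mac")
ArpPacket = namedtuple("ArpPacket", "vlan port sender_ip target_ip sender_mac target_mac")


def log_parameters(log_interval):
    """Refresh period, age time and token count derived from the log output
    interval (seconds). Rounding 1/5 of the interval down is an assumption."""
    refresh = 1 if log_interval < 5 else log_interval // 5
    return {"refresh_period": refresh, "age_time": log_interval, "tokens": 15 * refresh}


def inspect(bindings, packets, tokens):
    """Validate ARP packets against the binding entries. Invalid ones are
    dropped and aggregated into a log keyed by the fields the manual records;
    at most `tokens` new log entries are created per refresh period (assumption)."""
    allowed = {(b.vlan, b.port, b.ip, b.mac) for b in bindings}
    logs, valid, suppressed = defaultdict(int), 0, 0
    for p in packets:
        if (p.vlan, p.port, p.sender_ip, p.sender_mac) in allowed:
            valid += 1
            continue
        key = (p.vlan, p.port, p.sender_ip, p.target_ip, p.sender_mac, p.target_mac)
        if key in logs or len(logs) < tokens:
            logs[key] += 1       # same invalid packet again: bump its counter
        else:
            suppressed += 1      # token budget for this refresh period used up
    return valid, dict(logs), suppressed


def rate_limit(per_second_counts, limit=15, disable_after=20):
    """Port ARP rate limit: packets above `limit` in a second are dropped and
    `disable_after` consecutive over-limit seconds error-disable the port."""
    dropped, over = 0, 0
    for n in per_second_counts:
        dropped += max(0, n - limit)
        over = over + 1 if n > limit else 0
        if over >= disable_after:
            return dropped, True
    return dropped, False


# Constructed sample data (not from the manual): one bound host on port1 in
# VLAN 10, plus a second MAC claiming the same IP in two ARP packets.
BINDINGS = [Binding(10, "port1", "192.0.2.10", "00:11:22:33:44:55")]
PACKETS = [
    ArpPacket(10, "port1", "192.0.2.10", "192.0.2.1", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),
    ArpPacket(10, "port1", "192.0.2.10", "192.0.2.1", "00:de:ad:be:ef:01", "ff:ff:ff:ff:ff:ff"),
    ArpPacket(10, "port1", "192.0.2.10", "192.0.2.1", "00:de:ad:be:ef:01", "ff:ff:ff:ff:ff:ff"),
]
```

With the default 20s interval, `log_parameters(20)` yields a 4s refresh period and 60 tokens, and `inspect(BINDINGS, PACKETS, 60)` passes the bound host while logging the spoofed sender once with a count of 2.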
Table 9-2 Configure the port Dynamic ARP Inspection function

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Enable the port DAI function | ip arp inspection | Mandatory. By default, the port DAI function is disabled. |
| Configure the upper threshold of the ARP packets processed by the port | ip arp inspection rate-limit limit-value | Optional. By default, the upper threshold of the ARP packets processed by the port is 15pps. |
| Return to the global configuration mode | exit | - |
| Configure the number of the buffered logs | ip arp inspection log-buffer buffer-size | Optional. By default, the system can buffer 32 logs. If it is configured as 0, the logs are not buffered, that is, after an invalid ARP packet is detected, the logs are output directly to the terminal. |
| Configure the log output interval | ip arp inspection log-interval seconds | Optional. By default, the log output interval is 20s. If it is configured as 0, the logs are not buffered, that is, after an invalid ARP packet is detected, the logs are output directly to the terminal. |
| Configure the log output level | ip arp inspection log-level log-level | Optional. By default, the log output level is 6. |
- After the port DAI function is enabled, all ARP packets received by the port (broadcast ARP and unicast ARP) are redirected to the CPU for detection, software forwarding, log recording and so on. When the number of ARP packets is large, they consume CPU resources heavily, so enabling the port DAI function is not suggested while the device is communicating normally. When an ARP spoofing attack in the network is suspected, the port DAI function needs to be enabled to detect and locate it.
- On one port, the port DAI function cannot be used together with the port security function.
- After the rate threshold of the ARP packets processed by the port is configured in the aggregation group configuration mode, the ARP packet rate threshold of each member port of the aggregation group is that value.
- If the ARP packets received by the port exceed the upper threshold for 20 successive seconds but the port is not automatically disabled, refer to the Error-Disable chapter of the configuration manual.