DES-7200 Configuration Guide Chapter 10 Dynamic ARP Inspection Configuration
10.1.4 Limiting the Rate of ARP Packets
Checking DAI validity consumes CPU resources. Limiting the rate of ARP packets, that is, the number of ARP packets received per second, effectively prevents a DoS attack that targets DAI processing. By default, an untrusted port accepts 15 ARP packets per second. This limit does not apply to a trusted port. You can configure the rate limit with the ip arp inspection limit-rate command in Layer 2 interface configuration mode.
For details, refer to ip arp inspection limit-rate and show ip arp inspection interface.
10.2 Configuring DAI
DAI is an ARP-based security filtering technology. A series of filtering policies is configured so that the validity of ARP packets passing through the device is checked more effectively.
To use the functions of DAI, selectively perform the following tasks:
Enabling DAI Packet Check Function for Specified VLAN (required)
Set Trust Status of Port (optional)
Set the Maximum Rate of Receiving ARP Packets on the Port (optional)
Related Configuration of DHCP Snooping Database (optional)
10.2.1 Enabling DAI Packet Check Function for Specified VLAN
By default, the DAI packet check function is disabled for all VLANs.
If the DAI packet check function is not enabled for VLAN vid, the DAI security check is skipped for ARP packets with vlan-id = vid (ARP packet rate limiting is still applied).
Use the show ip arp inspection vlan command to check which VLANs have the DAI packet check function enabled.
To configure the DAI packet check function for a VLAN, execute the following command in global configuration mode (the DES-7200(config)# prompt):
Command: DES-7200(config)# ip arp inspection vlan vlan-id
Function: Turns on the DAI packet check function for VLAN vlan-id
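The following simulation is an added example, not code from the DES-7200 guide or from D-Link; it models the processing order described in 10.1.4 and 10.2.1: the per-port rate limit (default 15 packets per second, untrusted ports only) is applied before and independently of the per-VLAN check function, and ARP packets in a VLAN without the check function are forwarded unchecked but still count against the limit. The binding table, port names, MAC and IP addresses and packet timings are constructed. One assumption not stated in this section of the guide: trusted ports also bypass the validity check, as in standard DAI.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Default stated by the guide: 15 ARP packets per second on an untrusted port.
DEFAULT_UNTRUSTED_RATE = 15


@dataclass(frozen=True)
class ArpPacket:
    port: str
    vlan: int
    sender_ip: str
    sender_mac: str
    ts: float  # arrival time in seconds (constructed)


class DaiSimulator:
    """Models the two DAI decisions: per-port rate limiting and per-VLAN
    validity checking of sender IP/MAC against a snooping binding table."""

    def __init__(self, dai_vlans, trusted_ports, bindings, limit_rate=None):
        self.dai_vlans = set(dai_vlans)              # VLANs with check function on
        self.trusted_ports = set(trusted_ports)
        self.bindings = dict(bindings)               # (vlan, ip) -> mac (constructed)
        self.limit_rate = dict(limit_rate or {})     # per-port override of default
        self.window = defaultdict(deque)             # port -> arrivals in last second

    def _over_rate(self, port, now):
        """Sliding one-second window; True if this packet exceeds the port's limit."""
        q = self.window[port]
        while q and now - q[0] >= 1.0:
            q.popleft()
        if len(q) >= self.limit_rate.get(port, DEFAULT_UNTRUSTED_RATE):
            return True
        q.append(now)
        return False

    def process(self, pkt):
        trusted = pkt.port in self.trusted_ports
        # Step 1: rate limit. Untrusted ports only, and NOT skipped for VLANs
        # where the check function is disabled.
        if not trusted and self._over_rate(pkt.port, pkt.ts):
            return "RATE_LIMITED"
        # Step 2: validity check only where DAI is enabled for the VLAN.
        if pkt.vlan not in self.dai_vlans:
            return "SKIPPED_VLAN"
        if trusted:
            return "TRUSTED"  # assumption: trusted ports bypass validation
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) != pkt.sender_mac:
            return "DROP_INVALID"
        return "FORWARD"


def run_scenario():
    """Constructed traffic: a burst, a spoof, an unprotected VLAN, a trusted uplink.
    Returns a count of each verdict."""
    sim = DaiSimulator(
        dai_vlans={10},
        trusted_ports={"Gi0/1"},
        bindings={(10, "10.0.0.5"): "00:11:22:33:44:55"},
    )
    pkts = []
    # 20 packets in 20 ms from the legitimately bound host on an untrusted port
    for i in range(20):
        pkts.append(ArpPacket("Gi0/2", 10, "10.0.0.5", "00:11:22:33:44:55", i * 0.001))
    # Same port after the window has cleared, wrong MAC for the bound IP
    pkts.append(ArpPacket("Gi0/2", 10, "10.0.0.5", "de:ad:be:ef:00:01", 1.5))
    # VLAN 20 has no DAI check function enabled: counted, but not checked
    pkts.append(ArpPacket("Gi0/2", 20, "10.0.1.9", "00:aa:bb:cc:dd:ee", 1.6))
    # 20 packets in 20 ms on the trusted port: no rate limit applies
    for i in range(20):
        pkts.append(ArpPacket("Gi0/1", 10, "10.0.0.1", "00:00:5e:00:53:01", 2.0 + i * 0.001))
    counts = defaultdict(int)
    for p in pkts:
        counts[sim.process(p)] += 1
    return dict(counts)


if __name__ == "__main__":
    for verdict, n in sorted(run_scenario().items()):
        print(f"{verdict:13s} {n}")
```

The scenario yields 15 forwarded and 5 rate-limited packets from the untrusted burst, one drop for the mismatched binding, one unchecked packet in VLAN 20, and all 20 packets accepted on the trusted port, which is the behaviour the two sections describe.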