| Command | Purpose |
|---|---|
| ip arp inspection vlan vlan-range | Global command to enable DAI on this switch for the specified VLANs. |
| [no] ip arp inspection trust | Interface subcommand that enables or disables DAI on the interface. |
| ip arp inspection filter arp-acl-name vlan vlan-range [static] | Global command to refer to an ARP ACL that defines static IP/MAC addresses to be checked by DAI for that VLAN (step 2). |
| ip arp inspection validate {[src-mac] [dst-mac] [ip]} | Enables additional optional checking of ARP messages (per steps 3-5 in the preceding list). |
| ip arp inspection limit {rate pps [burst interval seconds] \| none} | Limits the ARP message rate to prevent DoS attacks carried out by sending a large number of ARPs. |
- DAI automatically sets a limit of 15 ARP messages per port per second to mitigate that risk.
- Use ip arp inspection limit to change this default value.
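
The commands from the table combined into one switch configuration, as an added example that is not part of the original page. The VLAN number, interface names, ACL name, addresses and rate values are constructed, and the DHCP snooping and `arp access-list` lines are assumed prerequisites that the table does not list.

```cisco
! Assumed prerequisite (not in the table): DAI checks ARP messages against
! the DHCP snooping binding table, so snooping is enabled for the same VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable DAI for VLAN 10 (constructed VLAN number).
ip arp inspection vlan 10
!
! ARP ACL for a host with a static address that has no DHCP binding.
! ACL name, IP and MAC are constructed sample values.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.5 mac host 0000.1111.2222
!
! Refer to the ARP ACL for VLAN 10. Adding the "static" keyword would make
! the ACL the only source checked, with no fallback to DHCP bindings.
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Turn on all three optional validation checks.
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward another switch: trusted, so its ARP messages are not inspected.
interface GigabitEthernet0/1
 description Uplink (constructed interface name)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access port: left untrusted so DAI inspects it. The default limit of
! 15 ARP messages per second is raised here to 30, measured over 2 seconds.
interface GigabitEthernet0/10
 description User access port (constructed interface name)
 switchport mode access
 switchport access vlan 10
 no ip arp inspection trust
 ip arp inspection limit rate 30 burst interval 2
!
! Verification from privileged EXEC mode:
!   show ip arp inspection vlan 10
!   show ip arp inspection interfaces
!   show ip arp inspection statistics vlan 10
```

Check the drop counters in the statistics output after enabling DAI; a rising count on a port that should be quiet usually means a host is missing from both the DHCP bindings and the ARP ACL.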