01-15-2018 12:24 PM - edited 03-08-2019 01:25 PM
We enabled DHCP snooping 2 weeks ago on one of our switch stacks. Now since the database is built up and we pre-programmed any static bindings and trusted ports, today we turned on arp inspection.
I'm having an issue with 3 Windows 7 machines seeming to go into err-disable for 60 seconds due to what could be invalid arps / rate limiting.
I see by default the rate limit is 15 pps, and for example this log entry clearly states the issue of why the port went into err-disable:
%SW_DAI-4-PACKET_RATE_EXCEEDED: 18 packets received in 41 milliseconds on Gi3/0/41
So I found the command ip arp inspection limit rate (number) but the switch will NOT accept it at the global config. For now I went into the 3 interfaces with this issue and changed it to ip arp inspection limit rate 50 and I will monitor.
Isn't there a way to set this globally? Sure I guess you can use interface range commands, but then it may get put on my trusted ports and I'm not sure if that will cause some kind of conflict, bug, or just make the config look messy.
Switches and software version in the stack:
* 1 52 WS-C3750V2-48TS 15.0(2)SE4 C3750-IPSERVICESK9-M
2 26 WS-C3750V2-24TS 15.0(2)SE4 C3750-IPSERVICESK9-M
3 54 WS-C3750X-48P 15.0(2)SE4 C3750E-UNIVERSALK9-M
Thanks in advance for any advice you may have!
01-15-2018 04:27 PM
The "ip arp inspection limit" command is only available under the interface and not globally. I tried it on a later version of 3850 series and it is only available under the interface.
HTH
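An added example, not part of the original posts and not Cisco tooling: because the rate limit can only be set per interface, a script can generate the per-interface commands for untrusted ports only and leave ports carrying `ip arp inspection trust` untouched. The running-config excerpt is constructed, and the function names are hypothetical.

```python
import re

# Constructed running-config excerpt (not from the original thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet3/0/1
 switchport mode trunk
 ip arp inspection trust
!
interface GigabitEthernet3/0/41
 switchport mode access
 ip arp inspection limit rate 50
!
interface GigabitEthernet3/0/42
 switchport mode access
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
"""

def interface_blocks(config):
    """Yield (name, [sub-commands]) for each interface stanza."""
    name, body = None, []
    for line in config.splitlines() + ["!"]:
        m = re.match(r"interface (\S+)", line)
        if name and not line.startswith(" "):
            yield name, body  # stanza ends at the first unindented line
            name = None
        if m:
            name, body = m.group(1), []
        elif name:
            body.append(line.strip())

def dai_rate_commands(config, pps):
    """Build config lines setting the DAI rate limit on untrusted physical ports only."""
    wanted = f"ip arp inspection limit rate {pps}"
    out = []
    for name, body in interface_blocks(config):
        if not re.match(r"(Fast|Gigabit|TenGigabit)Ethernet", name):
            continue  # skip SVIs, port-channels, loopbacks
        if "ip arp inspection trust" in body or wanted in body:
            continue  # leave trusted ports and already-set ports alone
        out += [f"interface {name}", f" {wanted}"]
    return out

if __name__ == "__main__":
    print("\n".join(dai_rate_commands(SAMPLE_CONFIG, 50)))
```

Review the generated lines before pasting them into the switch; the trusted uplink and the port already set to 50 are skipped.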
01-18-2018 04:15 PM