Use this command to configure the attack threshold, in packets per second, used for ARP attack detection on a specified interface. The threshold can be configured independently on a per-port basis and on a per-host basis, where hosts are identified either by source IP address, VLAN ID, and port, or by link-layer source MAC address, VLAN ID, and port.
The attack threshold on the port for a given tracking type should always equal or exceed the corresponding rate limit on the port; an error occurs if it is configured otherwise. The exception is the value 0: a port can have a rate limit configured together with an attack detection threshold of 0.

| Format | `arp-guard attack-threshold { per-src-ip \| per-src-mac \| per-port } pps` |
|---|---|
| Mode | Interface Config |

| Parameter | Description |
|---|---|
| per-src-ip | Detects ARP attacks on the specified interface by hosts identified by source IP address. |
| per-src-mac | Detects ARP attacks on the specified interface by hosts identified by source MAC address. |
| per-port | Detects ARP attacks on the specified interface. |
| pps | The attack threshold on the specified interface, in packets per second, ranging from 0 to 300. A value of zero (0) means no limit: the value is not tracked. |

Example: The following example sets the attack threshold on interface 1/0/2 to 100 packets per second for hosts identified by source MAC address.

```
(Switching)(Interface-1/0/2-Config)# arp-guard attack-threshold per-src-mac 100
```
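
The threshold rule above can be checked before a change is pushed to the switch. The following is an added example, not part of the vendor documentation: it assumes a saved configuration in which each interface stanza opens with `interface <id>` and closes with `exit`, and it takes the per-port rate limits as a dictionary collected separately, since the rate-limit command is not described on this page.

```python
import re

# Syntax taken from the Format row: arp-guard attack-threshold <type> <pps>
CMD = re.compile(
    r"^arp-guard\s+attack-threshold\s+(per-src-ip|per-src-mac|per-port)\s+(\d+)$")

def check_thresholds(config_text, rate_limits):
    """Return (interface, tracking_type, problem) findings.

    rate_limits maps (interface, tracking_type) -> pps. How those values are
    gathered is an assumption of this example.
    """
    findings = []
    interface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):   # assumed stanza header format
            interface = line.split(None, 1)[1]
            continue
        if line == "exit":                  # assumed stanza terminator
            interface = None
            continue
        match = CMD.match(line)
        if not match:
            continue
        kind, pps = match.group(1), int(match.group(2))
        if interface is None:
            findings.append((None, kind, "command outside Interface Config mode"))
        elif not 0 <= pps <= 300:
            findings.append((interface, kind, f"{pps} pps outside 0-300"))
        # A threshold of 0 is not tracked, so it is exempt from the comparison.
        elif pps != 0 and pps < rate_limits.get((interface, kind), 0):
            limit = rate_limits[(interface, kind)]
            findings.append(
                (interface, kind, f"threshold {pps} below rate limit {limit}"))
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """\
interface 1/0/2
arp-guard attack-threshold per-src-mac 100
arp-guard attack-threshold per-src-ip 40
arp-guard attack-threshold per-port 0
exit
interface 1/0/3
arp-guard attack-threshold per-port 400
exit
"""
SAMPLE_RATE_LIMITS = {("1/0/2", "per-src-mac"): 100,
                      ("1/0/2", "per-src-ip"): 50,
                      ("1/0/2", "per-port"): 200}
```

On the sample, the equal threshold and rate limit (100/100) and the zero threshold both pass; the `per-src-ip` threshold below its rate limit and the out-of-range value are reported.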