Implement Rate Limiting for ARP Guard

You can implement ACL-based rate limiting for ARP Guard on a physical interface or a port-channel.

About this task

For more information about ACL-based rate limiting, see the Extreme SLX-OS QoS and Traffic Management Configuration Guide.

Procedure

  1. Access global configuration mode. 
    device# configure terminal
  2. Create an ACL. 
    device(config)# mac access-list extended rate-limit-acl_1
    This example creates an ACL named rate-limit-acl_1.
  3. Create the ACL rules that you want to implement. 
    device(conf-macl-ext)# permit host 0014.2211.1111 any vlan 100 arp arp-guard
device(conf-macl-ext)# permit host 0014.2211.1112 any vlan 101 arp arp-guard
device(conf-macl-ext)# deny any any arp
device(conf-macl-ext)# permit any any
  4. Create a class map. 
    device(config)# class-map arp-guard-class
  5. Associate the class map with the ACL. 
    device(config-classmap)# match access-group rate-limit-acl_1
  6. Return to global configuration mode. 
    device(config-classmap)# exit
  7. Create a policy map. 
    device(config)# policy-map arp-guard-pmap
  8. Associate the class map with the policy map. 
    device(config-policymap)# class arp-guard-class
  9. Specify class police parameters. 
    device(config-policymap-class)# police cir 100000
  10. Return to global configuration mode. 
    device(config-policymap-class-police)# end
  11. Enter configuration mode for the relevant interface. 
    device# configure terminal
device(config)# interface ethernet 1/2
  12. Bind the policy map to the interface. 
    device(conf-if-eth-1/2)# service-policy in arp-guard-pmap

Example

The following example summarizes the commands in this procedure.
device# configure terminal
device(config)# mac access-list extended rate-limit-acl_1
device(conf-macl-ext)# permit host 0014.2211.1111 any vlan 100 arp arp-guard
device(conf-macl-ext)# permit host 0014.2211.1112 any vlan 101 arp arp-guard
device(conf-macl-ext)# deny any any arp
device(conf-macl-ext)# permit any any
device(config)# class-map arp-guard-class
device(config-classmap)# match access-group rate-limit-acl_1
device(config-classmap)# exit
device(config)# policy-map arp-guard-pmap
device(config-policymap)# class arp-guard-class
device(config-policymap-class)# police cir 100000
device(config-policymap-class-police)# end
device# configure terminal
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# service-policy in arp-guard-pmap
9036959-00 Rev AA