Implement Rate Limiting for ARP Guard

You can implement ACL-based rate limiting for ARP Guard on a physical interface or a port-channel.

About this task

For more information about ACL-based rate limiting, see the Extreme SLX-OS QoS and Traffic Management Configuration Guide.

Procedure

  1. Access global configuration mode.
    device# configure terminal
  2. Create an ACL.
    device(config)# mac access-list extended rate-limit-acl_1
    This example creates an ACL named rate-limit-acl_1.
  3. Create the ACL rules that you want to implement.
    device(conf-macl-ext)# permit host 0014.2211.1111 any vlan 100 arp arp-guard
    device(conf-macl-ext)# permit host 0014.2211.1112 any vlan 101 arp arp-guard
    device(conf-macl-ext)# deny any any arp
    device(conf-macl-ext)# permit any any
    
  4. Create a class map.
    device(config)# class-map arp-guard-class
    
  5. Associate the class map with the ACL.
    device(config-classmap)# match access-group rate-limit-acl_1
    
  6. Return to global configuration mode.
    device(config-classmap)# exit
    
  7. Create a policy map.
    device(config)# policy-map arp-guard-pmap
    
  8. Associate the class map with the policy map.
    device(config-policymap)# class arp-guard-class
    
  9. Specify class police parameters.
    device(config-policymap-class)# police cir 100000
    
  10. Return to privileged EXEC mode.
    device(config-policymap-class-police)# end
    
  11. Enter configuration mode for the relevant interface.
    device# configure terminal
    device(config)# interface ethernet 1/2
    
  12. Bind the policy map to the interface.
    device(conf-if-eth-1/2)# service-policy in arp-guard-pmap
    

Example

The following example summarizes the commands in this procedure.
device# configure terminal
device(config)# mac access-list extended rate-limit-acl_1
device(conf-macl-ext)# permit host 0014.2211.1111 any vlan 100 arp arp-guard
device(conf-macl-ext)# permit host 0014.2211.1112 any vlan 101 arp arp-guard
device(conf-macl-ext)# deny any any arp
device(conf-macl-ext)# permit any any
device(config)# class-map arp-guard-class
device(config-classmap)# match access-group rate-limit-acl_1
device(config-classmap)# exit
device(config)# policy-map arp-guard-pmap
device(config-policymap)# class arp-guard-class
device(config-policymap-class)# police cir 100000
device(config-policymap-class-police)# end
device# configure terminal
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# service-policy in arp-guard-pmap
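
The procedure only takes effect if every name resolves: the interface binds a policy map, the policy map polices a class, the class map matches an ACL, and that ACL has at least one rule with the arp-guard keyword. The following Python check is an added example, not part of the original page or of Extreme's tooling, that walks this chain over a command transcript and reports each broken link. It assumes the input uses the prompt format shown on this page rather than running-config output; `SAMPLE`, `OPENERS`, `parse` and `audit` are hypothetical names.

```python
# Constructed input: commands from this procedure, in the page's prompt format.
SAMPLE = """\
device(config)# mac access-list extended rate-limit-acl_1
device(conf-macl-ext)# permit host 0014.2211.1111 any vlan 100 arp arp-guard
device(config)# class-map arp-guard-class
device(config-classmap)# match access-group rate-limit-acl_1
device(config)# policy-map arp-guard-pmap
device(config-policymap)# class arp-guard-class
device(config-policymap-class)# police cir 100000
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# service-policy in arp-guard-pmap
"""
OPENERS = {"mac access-list extended ": "acl", "class-map ": "cmap",
           "policy-map ": "pmap", "interface ": "if"}

def parse(transcript):
    """Group each command under the ACL, class map, policy map or interface it edits."""
    blocks, cur = {}, []  # commands seen before any block opener are discarded
    for line in transcript.splitlines():
        cmd = " ".join(line.split("# ", 1)[-1].split())  # drop the prompt
        hit = [(k, cmd[len(p):]) for p, k in OPENERS.items() if cmd.startswith(p)]
        if hit:
            cur = blocks.setdefault(hit[0], [])
        else:
            cur.append(cmd)
    return blocks

def audit(blocks):
    """Return one finding per broken link between interface, policy, class and ACL."""
    binds = [(n, c.split()[-1]) for (k, n), cmds in blocks.items() if k == "if"
             for c in cmds if c.startswith("service-policy in ")]
    out = [] if binds else ["no interface has an inbound service-policy"]
    for ifname, pmap in binds:
        cls, policed = None, {}
        for c in blocks.get(("pmap", pmap), []):
            if c.startswith("class "):
                cls = c.split()[1]
            if cls:  # every command after a class line belongs to that class
                policed[cls] = policed.get(cls, False) or c.startswith("police cir ")
        if not policed:
            out.append(f"{ifname}: policy-map {pmap} is undefined or has no class")
        for cls, ok in policed.items():
            acls = [c.split()[-1] for c in blocks.get(("cmap", cls), [])
                    if c.startswith("match access-group ")]
            rules = [r for a in acls for r in blocks.get(("acl", a), [])]
            if not ok:
                out.append(f"{pmap}/{cls}: no police cir configured")
            if not any(r.endswith(" arp arp-guard") for r in rules):
                out.append(f"{pmap}/{cls}: no arp-guard ACL rule reachable")
    return out
```

`audit(parse(SAMPLE))` returns an empty list for the configuration in this procedure; a mistyped ACL or policy-map name, a missing `police cir` line, or an unbound policy map each produce a finding.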