Implement Rate Limiting for ARP Guard

For more information about ACL-based rate limiting, see the Extreme SLX-OS QoS and Traffic Management Configuration Guide.

1. Access global configuration mode.
   

   device# configure terminal

2. Create an ACL.
   

   device(config)# mac access-list extended rate-limit-acl_1

   This example creates an ACL named rate-limit-acl_1.
3. Create the ACL rules that you want to implement.
   

   device(conf-macl-ext)# permit host 0014.2211.1111 any vlan 100 arp arp-guard
   device(conf-macl-ext)# permit host 0014.2211.1112 any vlan 101 arp arp-guard
   device(conf-macl-ext)# deny any any arp
   device(conf-macl-ext)# permit any any
   

4. Create a class map.
   

   device(config)# class-map arp-guard-class
   

5. Associate the class map with the ACL.
   

   device(config-classmap)# match access-group rate-limit-acl_1
   

6. Return to global configuration mode.
   

   device(config-classmap)# exit
   

7. Create a policy map.
   

   device(config)# policy-map arp-guard-pmap
   

8. Associate the class map with the policy map.
   

   device(config-policymap)# class arp-guard-class
   

9. Specify class police parameters.
   

   device(config-policymap-class)# police cir 100000
   

10. Return to global configuration mode.
    

    device(config-policymap-class-police)# end
    

11. Enter configuration mode for the relevant interface.
    

    device# configure terminal
    device(config)# interface ethernet 1/2
    

12. Bind the policy map to the interface.
    

    device(conf-if-eth-1/2)# service-policy in arp-guard-pmap
    

The following example summarizes the commands in this procedure.

device# configure terminal
device(config)# mac access-list extended rate-limit-acl_1
device(conf-macl-ext)# permit host 0014.2211.1111 any vlan 100 arp arp-guard
device(conf-macl-ext)# permit host 0014.2211.1112 any vlan 101 arp arp-guard
device(conf-macl-ext)# deny any any arp
device(conf-macl-ext)# permit any any
device(config)# class-map arp-guard-class
device(config-classmap)# match access-group rate-limit-acl_1
device(config-classmap)# exit
device(config)# policy-map arp-guard-pmap
device(config-policymap)# class arp-guard-class
device(config-policymap-class)# police cir 100000
device(config-policymap-class-police)# end
device# configure terminal
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# service-policy in arp-guard-pmap