Dynamic arp inspection configuration, Configuring an inspection arp entry – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


NOTE
You must save the configuration and reload the software to place the change into effect.

• Brocade does not support DAI on trunk or LAG ports.
• The maximum number of DHCP and static DAI entries depends on the maximum number of ARP table entries allowed on the device. A FastIron Layer 2 switch can have up to 4096 ARP entries and a FastIron Layer 3 switch can have up to 64,000 ARP entries. In a FastIron Layer 3 switch, you can use the system-max ip-arp command to change the maximum number of ARP entries for the device. However, only up to 1024 DHCP entries can be saved to flash.
• ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP Inspection (DAI) are enabled.
• On FastIron X Series devices, DAI is supported together with multi-device port authentication and dynamic ACLs.
• DAI is supported on a VLAN without a VE, or on a VE with or without an assigned IP address.

Dynamic ARP inspection configuration

Configuring DAI consists of the following steps.

1. Configure inspection ARP entries for hosts on untrusted ports. Refer to Configuring an inspection ARP entry on page 334.
2. Enable DAI on a VLAN to inspect ARP packets. Refer to Enabling DAI on a VLAN on page 335.
3. Configure the trust settings of the VLAN members. ARP packets received on trusted ports bypass the DAI validation process. ARP packets received on untrusted ports go through the DAI validation process. Refer to Enabling trust on a port on page 335.
4. Enable DHCP snooping to populate the DHCP snooping IP-to-MAC binding database.

The following shows the default settings of DAI.

Feature                   Default
Dynamic ARP Inspection    Disabled
Trust setting for ports   Untrusted

Configuring an inspection ARP entry

Static ARP and static inspection ARP entries need to be configured for hosts on untrusted ports.
Otherwise, when DAI checks ARP packets from these hosts against entries in the ARP table, it will not
find any entries for them, and the Brocade device will neither allow nor learn ARP from an untrusted host.

To configure an inspection ARP entry, enter a command such as the following.

device(config)#arp 10.20.20.12 0000.0002.0003 inspection

This command defines an inspection ARP entry in the static ARP table, mapping the device IP address
10.20.20.12 to its MAC address 0000.0002.0003. The entry is moved to the ARP table once
DAI receives a valid ARP packet from that host.

Dynamic ARP Inspection has to be enabled to use static ARP inspection entries.
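As an added example that is not part of the guide, the four configuration steps above combined into one FastIron CLI session for a constructed VLAN 10, with one statically addressed host on an untrusted port and the DHCP server reached through a single trusted port. Only the arp ... inspection command is taken from this page; the ip arp-inspection vlan, arp-inspection-trust, ip dhcp-snooping vlan and dhcp-snooping-trust commands are assumed from the sections the steps refer to, and the VLAN, port numbers and addresses are constructed.

```text
! Constructed example: VLAN 10 with the host port 1/1/1 (untrusted, the default)
! and the port facing the DHCP server, 1/1/24 (to be trusted).
device(config)# vlan 10
device(config-vlan-10)# untagged ethernet 1/1/1 ethernet 1/1/24
device(config-vlan-10)# exit

! Step 1: inspection entry for the statically addressed host on the untrusted port
! (syntax from this page). Without it, ARP from 10.20.20.12 fails the lookup and
! the switch neither allows nor learns it. DHCP clients need no static entry,
! because step 4 supplies their bindings.
device(config)# arp 10.20.20.12 0000.0002.0003 inspection

! Step 2: enable DAI on the VLAN (command assumed from "Enabling DAI on a VLAN").
device(config)# ip arp-inspection vlan 10

! Step 3: trust only the port towards the DHCP server, so ARP from it bypasses
! validation; every other member port stays untrusted, which is the default.
! (arp-inspection-trust and dhcp-snooping-trust assumed from the trust sections.)
device(config)# interface ethernet 1/1/24
device(config-if-e1000-1/1/24)# arp-inspection-trust
device(config-if-e1000-1/1/24)# dhcp-snooping-trust
device(config-if-e1000-1/1/24)# exit

! Step 4: DHCP snooping builds the IP-to-MAC binding database that DAI checks
! for hosts that obtain their address from the server.
device(config)# ip dhcp-snooping vlan 10

device(config)# write memory
```

Before trusting a port, confirm it really only carries traffic from the DHCP server or upstream switch; a trusted access port lets a host on it send unchecked ARP replies.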

Dynamic ARP inspection configuration

334

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03
