Enabling dynamic arp inspection on a vlan, Configuring static arp on a vlan and port, Enabling trust on a port – Brocade Multi-Service IronWare Switching Configuration Guide (Supporting R05.6.00) User Manual

Multi-Service IronWare Switching Configuration Guide

53-1003036-02

Dynamic ARP inspection

Enabling dynamic ARP inspection on a VLAN

ARP and Dynamic ARP Inspection entries must be configured for hosts on untrusted ports.
Otherwise, when Dynamic ARP Inspection checks ARP packets from these hosts against entries in
the ARP table, it will not find any entries for them, and the device will not allow or learn ARP from
an untrusted host.

Dynamic ARP Inspection is disabled by default. To enable Dynamic ARP Inspection on an existing
VLAN or a range of VLANs, enter the following command.

Brocade(config)# ip arp-inspection vlan 18 to 20

The command enables Dynamic ARP Inspection on VLAN 18 through VLAN 20. ARP packets from
untrusted ports in VLAN 18 through VLAN 20 will undergo Dynamic ARP Inspection.

Syntax: [no] ip arp-inspection vlan vlan_id to vlan_id

The vlan_id variable specifies the ID of a configured VLAN or VLAN range. Valid VLAN ranges are
1-4090.

Configuring static ARP on a VLAN and port

In the Brocade device configuration, the DHCP binding database is integrated with the ARP
Inspection table. The ARP inspection table stores the DAI IP/MAC binding information, which is
used to build the IP source guard ACL. The static arp command allows you to configure both the
VLAN ID and port parameters on a Layer 2 interface.

To configure a static ARP entry for a VLAN ID, enter the following command.

Brocade(config)# arp 10.1.0.2 aabb.cc00.0100 vlan 10

Syntax: [no] arp ip mac [vlan vlan_id] [port]

The ip variable specifies the IP address for the static IP ARP entry.

The mac variable specifies the MAC address for the static IP ARP entry.

The vlan_id variable configures the static ARP entry for a VLAN. The VLAN ID range is 1-4090.

The port variable configures the static ARP entry for a port.

If the VLAN ID is not configured when IP source guard is turned on, the IP address is assumed to be
valid on all the VLANs on the port.

If both the VLAN ID and the port are not configured when IP source guard is turned on, the IP
address is assumed to be valid for all VLANs.
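
The inspection check and the static ARP scoping described in the two sections above, as an added Python model that is not taken from the Brocade guide or from Brocade's implementation. Assumptions: trusted ports bypass inspection, an omitted vlan or port on a binding acts as a wildcard for the inspection lookup (the guide states this scoping for IP source guard), and the port names and the second binding are constructed sample values.

```python
# Simplified DAI decision model, not Brocade's code; sample values constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: Optional[int] = None   # None: vlan not configured
    port: Optional[str] = None   # None: port not configured
    def covers(self, vlan: int, port: str) -> bool:
        # Assumption: omitted vlan/port is a wildcard (the scoping rule above).
        return self.vlan in (None, vlan) and self.port in (None, port)

def norm_mac(mac: str) -> str:
    """Reduce aabb.cc00.0100 or aa:bb:cc:00:01:00 to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def inspect_arp(vlan, port, ip, mac, *, dai_vlans, trusted, bindings):
    """Return (verdict, reason) for one ARP packet's sender IP/MAC."""
    if vlan not in dai_vlans:
        return "permit", "DAI not enabled on VLAN"
    if port in trusted:
        return "permit", "trusted port"
    in_scope = [b for b in bindings if b.ip == ip and b.covers(vlan, port)]
    if not in_scope:
        return "drop", "no entry in scope"
    if any(norm_mac(b.mac) == norm_mac(mac) for b in in_scope):
        return "permit", "binding match"
    return "drop", "MAC mismatch"

# State after: ip arp-inspection vlan 18 to 20
#              arp 10.1.0.2 aabb.cc00.0100 vlan 10
STATE = dict(
    dai_vlans=set(range(18, 21)),
    trusted={"1/1"},  # hypothetical uplink port
    bindings=[Binding("10.1.0.2", "aabb.cc00.0100", vlan=10),
              Binding("10.18.0.5", "aabb.cc00.0200", vlan=18, port="1/3")],
)

def demo():
    return [inspect_arp(18, "1/3", "10.18.0.5", "aa:bb:cc:00:02:00", **STATE),
            inspect_arp(18, "1/3", "10.18.0.5", "dead.beef.0001", **STATE),
            inspect_arp(18, "1/4", "10.18.0.5", "aabb.cc00.0200", **STATE),
            inspect_arp(19, "1/3", "10.1.0.2", "aabb.cc00.0100", **STATE),
            inspect_arp(19, "1/1", "10.9.9.9", "dead.beef.0001", **STATE)]

if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:6} {reason}")
```

The fourth case shows that the static entry scoped to VLAN 10 does not cover a host sending from VLAN 19, so its ARP is dropped even though the IP/MAC pair is correct.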

Enabling trust on a port

The default trust setting for a port is untrusted. For ports that are connected to host ports, leave
their trust settings as untrusted.

To enable trust on a port, enter commands such as the following.

Feature                    Default
Dynamic ARP Inspection     Disabled
Trust setting for ports    Untrusted