associated with an ARP entry determines which VRF the ARP entry belongs to. However, the additional management involved in adding
and maintaining static ARP cache entries must also be taken into account.
An ARP entry is dened by the following parameters:
• IP address
• MAC address
• Type
• Interface
The arp command is used to configure static ARP entries on a nondefault VRF interface. (An ARP index is not required before a static
ARP is configured.) The arp command is available in the address-family mode for a particular VRF.
NOTE
The arp command is backward compatible from FastIron release 08.0.00a, which uses a new command format. In releases
prior to FastIron release 08.0.00a, static ARP needed an index. For FastIron 08.0.00a and later releases, FastIron accepts the
use of indexes as well as the new command without the index.
Proxy ARP
Proxy ARP allows a Layer 3 switch to answer ARP requests from devices on one subnet on behalf of devices in another network. Proxy
ARP is configured globally and can be further configured per interface. Interface-level configuration overrides the global configuration.
With the proxy-arp command configured, a router does not respond to ARP requests for IP addresses in the same subnet as the
incoming ports. The local-proxy-arp command permits the router to respond to ARP requests for IP addresses within the same subnet
and to forward all traffic between hosts in the subnet. The local-proxy-arp command is an interface-level configuration that has no VRF-
related impact.
ARP rate limiting
ARP rate limiting is configured globally and applies to all VRFs.
ARP age can be configured globally and on a Layer 3 interface. An ARP age timer configured on a Layer 3 interface overrides the global
configuration for ARP aging. The aging timer ensures that the ARP cache does not retain learned entries that are no longer valid.
Dynamic ARP inspection
Dynamic ARP Inspection (DAI) enables the Brocade device to intercept and examine all ARP request and response packets in a subnet
and to discard packets with invalid IP-to-MAC address bindings. DAI can prevent common man-in-the-middle (MiM) attacks such as
ARP cache poisoning and can prevent the misconfiguration of client IP addresses. DAI allows only valid ARP requests and responses to
be forwarded, and supports Multi-VRFs with overlapping address spaces. For more information on DAI, refer to the FastIron Ethernet
Switch Security Configuration Guide.
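The following Python sketch is an added illustration, not Brocade code and not the FastIron implementation. It models the check described above: the sender IP-to-MAC pair of each ARP packet is validated against a binding table keyed by VRF, so the same IP address can be bound to different MAC addresses in different VRFs. The VRF names, addresses, and table contents are constructed for the example.

```python
import ipaddress
import struct

# Constructed binding table: (VRF name, IPv4 address) -> MAC address.
# The same IP appears in two VRFs to model overlapping address spaces.
BINDINGS = {
    ("red", "10.1.1.10"): "00:11:22:33:44:55",
    ("blue", "10.1.1.10"): "00:aa:bb:cc:dd:ee",
}

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 ARP body for Ethernet/IPv4 (28 bytes)


def parse_arp(payload: bytes):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    mac = ":".join(f"{b:02x}" for b in sha)
    return op, mac, str(ipaddress.IPv4Address(spa))


def inspect(vrf: str, payload: bytes) -> str:
    """Decide 'forward' or 'drop' for one ARP packet received in `vrf`."""
    parsed = parse_arp(payload)
    if parsed is None:
        return "drop"  # truncated or malformed ARP is never forwarded
    _op, mac, ip = parsed
    # The lookup is scoped to the ingress VRF, never by IP address alone.
    return "forward" if BINDINGS.get((vrf, ip)) == mac else "drop"


def build_arp(op: int, sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a constructed sample ARP body for the demonstration."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha,
                       ipaddress.IPv4Address(sender_ip).packed, b"\x00" * 6,
                       ipaddress.IPv4Address(target_ip).packed)


if __name__ == "__main__":
    reply = build_arp(2, "00:aa:bb:cc:dd:ee", "10.1.1.10", "10.1.1.1")
    print(inspect("blue", reply))  # binding matches in VRF blue
    print(inspect("red", reply))   # same packet, different VRF binding
```

A table keyed by IP address alone would accept the second packet, which is why the binding lookup has to carry the VRF.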
DHCP snooping
Dynamic Host Configuration Protocol (DHCP) snooping enables a Brocade device to filter untrusted DHCP IPv4 or IPv6 packets in a
subnet. DHCP snooping can ward off MiM attacks, such as a malicious user posing as a DHCP server sending false DHCP server reply
packets with the intention of misdirecting other users. DHCP snooping can also stop unauthorized DHCP servers and prevent errors
resulting from the user misconfiguration of DHCP servers. DHCP snooping supports Multi-VRFs. For more information on configuring
DHCP IPv4 or IPv6 snooping to support a Multi-VRF instance, refer to the FastIron Ethernet Switch Security Configuration Guide.
Multi-VRF overview
FastIron Ethernet Switch Layer 3 Routing
562 53-1003627-04