
Cisco Nexus 9000 Series - Configuration Examples for DAI; Two Devices Support DAI; Configuring Device A

Cisco Nexus 9000 Series
562 pages
Configuration Examples for DAI
Two Devices Support DAI
These procedures show how to configure DAI when two devices support DAI.
Figure 17: Two Devices Supporting DAI
The following figure shows the network configuration for this example. Host 1 is connected to device A, and
Host 2 is connected to device B. Both devices are running DAI on VLAN 1 where the hosts are located. A
DHCP server is connected to device A. Both hosts acquire their IP addresses from the same DHCP server.
Device A has the bindings for Host 1 and Host 2, and device B has the binding for Host 2. Device A Ethernet
interface 2/3 is connected to device B Ethernet interface 1/4.
DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings
in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets
that have dynamically-assigned IP addresses.
This configuration does not work if the DHCP server is moved from device A to a different location.
To ensure that this configuration does not compromise security, configure Ethernet interface 2/3 on
device A and Ethernet interface 1/4 on device B as trusted.
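The following is an added illustration, not part of the Cisco guide: a simplified Python model of the DAI decision described above, showing why the inter-switch link must be trusted when device B holds no binding for Host 1. The IP and MAC values and the host-facing port names (Ethernet2/1, Ethernet1/1) are constructed assumptions; only Ethernet2/3 and Ethernet1/4 come from the text.

```python
# Added illustration: a simplified model of the DAI permit/drop decision.
# Addresses and host-facing port names are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    bindings: dict = field(default_factory=dict)   # DHCP snooping: IP -> MAC
    trusted: set = field(default_factory=set)      # DAI-trusted interfaces

    def inspect_arp(self, ingress, sender_ip, sender_mac):
        """Return 'permit' or 'drop' for an ARP packet received on ingress."""
        if ingress in self.trusted:
            return "permit"            # trusted ports bypass DAI validation
        if self.bindings.get(sender_ip) == sender_mac:
            return "permit"            # sender IP/MAC matches a snooped binding
        return "drop"                  # no matching binding on an untrusted port

HOST1 = ("10.0.0.11", "00:00:5e:00:53:01")   # constructed sample values
HOST2 = ("10.0.0.12", "00:00:5e:00:53:02")

def build(trust_uplinks):
    a = Switch("A", dict([HOST1, HOST2]))      # A has bindings for both hosts
    b = Switch("B", dict([HOST2]))             # B has the binding for Host 2 only
    if trust_uplinks:
        a.trusted.add("Ethernet2/3")
        b.trusted.add("Ethernet1/4")
    return a, b

def host1_arp_reaches_host2(trust_uplinks):
    """Host 1's ARP enters A on its access port, then B on Ethernet1/4."""
    a, b = build(trust_uplinks)
    at_a = a.inspect_arp("Ethernet2/1", *HOST1)   # Ethernet2/1: assumed host port
    at_b = b.inspect_arp("Ethernet1/4", *HOST1)
    return at_a == "permit" and at_b == "permit"

def spoof_from_host2_port():
    """An ARP on Host 2's port claiming Host 1's IP is still checked by B."""
    _, b = build(trust_uplinks=True)
    return b.inspect_arp("Ethernet1/1", HOST1[0], HOST2[1])  # assumed host port

if __name__ == "__main__":
    print("Host 1 ARP delivered, untrusted link:", host1_arp_reaches_host2(False))
    print("Host 1 ARP delivered, trusted link:  ", host1_arp_reaches_host2(True))
    print("Mismatched ARP on B host port:       ", spoof_from_host2_port())
```

Trusting only the inter-switch interfaces leaves host-facing ports under inspection, so device A still validates Host 1 at the edge before its ARP ever crosses the trusted link.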
Configuring Device A
To enable DAI and configure Ethernet interface 2/3 on device A as trusted, follow these steps:
Step 1 While logged into device A, verify the connection between device A and device B.
switchA# show cdp neighbors
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device,
                  s - Supports-STP-Dispute
Device ID         Local Intrfce  Hldtme  Capability  Platform       Port ID
switchB           Ethernet2/3    177     R S I       WS-C2960-24TC  Ethernet1/4
switchA#
Step 2 Enable DAI on VLAN 1 and verify the configuration.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring Dynamic ARP Inspection