switchA# configure terminal
switchA(config)# ip arp inspection vlan 1
switchA(config)# show ip arp inspection vlan 1
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan : 1
-----------
Configuration : Enabled
Operation State : Active
switchA(config)#
Step 3 Configure Ethernet interface 2/3 as trusted.
switchA(config)# interface ethernet 2/3
switchA(config-if)# ip arp inspection trust
switchA(config-if)# exit
switchA(config)# exit
switchA# show ip arp inspection interface ethernet 2/3
Interface Trust State Rate (pps) Burst Interval
------------- ----------- ---------- --------------
Ethernet2/3 Trusted 15 5
Step 4 Verify the bindings.
switchA# show ip dhcp snooping binding
MacAddress IpAddress LeaseSec Type VLAN Interface
----------------- --------------- -------- ------------- ---- -------------
00:60:0b:00:12:89 10.0.0.1 0 dhcp-snooping 1 Ethernet2/3
switchA#
Step 5 Check the statistics before and after DAI processes any packets.
switchA# show ip arp inspection statistics vlan 1
Vlan : 1
-----------
ARP Req Forwarded = 0
ARP Res Forwarded = 0
ARP Req Dropped = 0
ARP Res Dropped = 0
DHCP Drops = 0
DHCP Permits = 0
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req = 0
IP Fails-ARP Res = 0
switchA#
If host 1 sends out two ARP requests with an IP address of 10.0.0.1 and a MAC address of 0002.0002.0002, both requests
are permitted and are shown as follows:
switchA# show ip arp inspection statistics vlan 1
Vlan : 1
-----------
ARP Req Forwarded = 2
ARP Res Forwarded = 0
ARP Req Dropped = 0
ARP Res Dropped = 0
DHCP Drops = 0
DHCP Permits = 2
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
401
Configuring Dynamic ARP Inspection
Configuring Device A
To Next Page
Loading...
