Enterasys b5

To Next Page

To Previous Page

Dynamic ARP Inspection Overview

Enterasys B5 CLI Reference 17-17

• Loopbackaddresses(intherange127.0.0.0/8)

Logging Invalid Packets

Bydefault,DAIwritesalogmessagetothenormalbufferedlogforeachinvalidARPpacketit

drops.YoucanconfigureDAItonotloginvalidpacketsforspecificVLANs.

Packet Forwarding

DAIforwardsvalidARPpacketswhosedestinationMACaddressisnotlocal.TheingressVLAN

couldbeaswitchingorroutingVLAN.ARPrequestsarefloodedintheVLAN.ARPresponsesare

unicasttowardtheirdestination.DAIqueriestheMACaddresstabletode terminetheoutgoing

port.IfthedestinationMAC

addressislocal,DAIgivesvalidARPpacketstotheARPapplication.

Rate Limiting

ToprotecttheswitchfromDHCPattackswhenDAIisenabled,theDAIapplicationenforcesarate

limitforARPpacketsreceivedonuntrustedinterfaces.DAImonitorsthereceiverateoneach

interfaceseparately.Ifthereceiverateexceedsaconfigurablelimit,DAIerrordisablesthe

interface,whicheffectivelybringsdown

theinterface.Youcanusethesetportenablecommand

toreenabletheport.

Youcanconfigureboththerateandtheburstinterval.Thedefaultrateis15ppsoneachuntrusted

interfacewitharangeof0to50pps.Thedefaultburstintervalis1secondwith

arangeto1to15

seconds..TheratelimitcannotbesetontrustedinterfacessinceARPpacketsreceivedontrusted

interfacesdonotcometotheCPU.

Eligible Interfaces

DynamicARPinspectionisenabledperVLAN,effectivelyenablingDAIonthemembersofthe

VLAN,eitherphysicalportsorLAGs.TrustisspecifiedontheVLANmembers.

DAImaybeconnectedto:

•Asinglehostthroughatrustedlink(forexample,aserver)

•Ifmultiplehostsneedtoconnected,theremust

beaswitchbetweentherouterandthehosts,

withDAIenabledonthatswitch

Interaction with Other Functions

•DAIreliesontheDHCPsnoopingapplicationtoverifythata{IPaddress,MACaddress,

VLAN,interface}tupleisvalid.

•DAIregisterswithdot1qtoreceivenotificationofVLANmembershipchangesfortheVLANs

whereDAIisenabled.

•DAItellsthedriverabouteachuntrustedinterface(physicalportorLAG)where

DAIis

enabledsothatthehardwarewillinterceptARPpacketsandsendthemtotheCPU.