Dynamic ARP Inspection Overview
17-18 DHCP Snooping and Dynamic ARP Inspection
Basic Configuration
The following basic configuration does not change the default rate limiting parameters.
Procedure 17-2 Basic Dynamic ARP Inspection Configuration

| Step | Task | Command(s) |
|------|------|------------|
| 1. | Configure DHCP snooping. | Refer to Procedure 17-1 on page 17-3. |
| 2. | Enable ARP inspection on the VLANs where clients are connected, and optionally, enable logging of invalid ARP packets. | set arpinspection vlan vlan-range [logging] |
| 3. | Determine which ports are not security threats and configure them as DAI trusted ports. | set arpinspection trust port port-string enable |
| 4. | If desired, configure optional validation parameters. | set arpinspection validate {[src-mac] [dst-mac] [ip]} |
| 5. | If desired, configure static mappings for DAI by creating ARP ACLs: | |
| | • Create the ARP ACL | set arpinspection filter name permit ip host sender-ipaddr mac host sender-macaddr |
| | • Apply the ACL to a VLAN | set arpinspection filter name vlan vlan-range [static] |
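How the settings from the five steps combine into a forward/drop decision for one ARP packet, as an added example that is a simplified model and not code from the manual or the switch. Assumptions: the check order, the meaning of each validate option, and the effect of [static] follow common DAI behaviour; the names `Arp`, `Dai`, `inspect`, the port names and all addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class Arp:                       # one ARP packet as seen on an ingress port
    port: str
    vlan: int
    op: str                      # "request" or "reply"
    eth_src: str
    eth_dst: str
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

@dataclass
class Dai:
    vlans: set                   # step 2: VLANs with ARP inspection enabled
    trusted: set                 # step 3: DAI trusted ports
    validate: set                # step 4: any of "src-mac", "dst-mac", "ip"
    acl: dict                    # step 5: vlan -> {(sender_ip, sender_mac)}
    static: set                  # VLANs whose ACL was applied with [static]
    bindings: set                # step 1: DHCP snooping (vlan, port, ip, mac)

def bad_ip(addr):
    ip = ip_address(addr)
    return ip.is_unspecified or ip.is_multicast or addr == "255.255.255.255"

def inspect(cfg, p):
    # Uninspected VLANs and trusted ports bypass every check (assumed model).
    if p.vlan not in cfg.vlans or p.port in cfg.trusted:
        return "forward"
    if "src-mac" in cfg.validate and p.eth_src != p.sender_mac:
        return "drop src-mac"
    if "dst-mac" in cfg.validate and p.op == "reply" and p.eth_dst != p.target_mac:
        return "drop dst-mac"
    if "ip" in cfg.validate and (bad_ip(p.sender_ip) or (p.op == "reply" and bad_ip(p.target_ip))):
        return "drop ip"
    if (p.sender_ip, p.sender_mac) in cfg.acl.get(p.vlan, ()):
        return "forward"         # ARP ACL permit entry matched
    if p.vlan in cfg.static:
        return "drop acl"        # [static]: snooping bindings are not consulted
    if (p.vlan, p.port, p.sender_ip, p.sender_mac) in cfg.bindings:
        return "forward"
    return "drop no-binding"

# Constructed sample: VLAN 10 inspected, uplink trusted, one ACL host, one DHCP client.
CFG = Dai({10}, {"uplink"}, {"src-mac", "ip"},
          {10: {("10.0.10.5", "00:00:5e:00:53:05")}}, set(),
          {(10, "p1", "10.0.10.20", "00:00:5e:00:53:20")})
```

A packet on an untrusted port that claims an IP address with no matching ACL entry or snooping binding returns `drop no-binding`, which is the case the optional logging keyword in step 2 records.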