Dynamic ARP Inspection Overview
Enterasys C3 Configuration Guide 23-17
Basic Configuration
The following basic configuration does not change the default rate limiting parameters.
Procedure 23-2 Basic Dynamic ARP Inspection Configuration
Step | Task | Command(s)
1 | Configure DHCP snooping. | Refer to Procedure 23-1 on page 23-3.
2 | Enable ARP inspection on the VLANs where clients are connected, and optionally, enable logging of invalid ARP packets. | set arpinspection vlan vlan-range [logging]
3 | Determine which ports are not security threats and configure them as DAI trusted ports. | set arpinspection trust port port-string enable
4 | If desired, configure optional validation parameters. | set arpinspection validate {[src-mac] [dst-mac] [ip]}
5 | If desired, configure static mappings for DAI by creating ARP ACLs: |
  | • Create the ARP ACL | set arpinspection filter name permit ip host sender-ipaddr mac host sender-macaddr
  | • Apply the ACL to a VLAN | set arpinspection filter name vlan vlan-range [static]
Example Configuration
Note: This example applies only to platforms that support routing.
The following example configures DHCP snooping and dynamic ARP inspection in a routing
environment using RIP. The example configures two interfaces on the switch, configuring RIP on
both interfaces, assigning each to a different VLAN, and then enabling DHCP snooping and
dynamic ARP inspection on them:
• Interface ge.1.1, which is connected to a remote DHCP server, on VLAN 192
• Interface ge.1.2, which is connected to DHCP clients, on VLAN 10
In addition, the default VLAN, VLAN 1, is also enabled for DHCP snooping and dynamic ARP
inspection.
Since the DHCP server is remote, the switch has been configured as a DHCP relay agent (with the
ip helper-address command), to forward client requests to the DHCP server. Therefore, MAC
address verification is disabled (with the set dhcpsnooping verify mac-address disable
command) in order to allow DHCP RELEASE packets to be processed by the DHCP snooping
functionality and client bindings removed from the bindings database.
Router Configuration
router
enable
configure
interface vlan 10
no shutdown
ip address 10.2.0.1 255.255.0.0
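For the topology in the example configuration (DHCP server behind ge.1.1, clients on ge.1.2 in VLAN 10), the following Python model shows how the settings from Procedure 23-2 combine into a forward or drop decision for each ARP frame. It is an added example, not Enterasys code and not part of the original guide. Assumptions: the check order, the meaning given to the validate options and to the static keyword (taken from how DAI is commonly described, since this page lists only the commands), ge.1.1 being a DAI trusted port, the CFG/BINDINGS layout, the helper names arp and inspect, and all constructed MAC and host addresses.

```python
from ipaddress import IPv4Address

# Constructed settings; port and VLAN names follow the example configuration.
CFG = {
    "vlans": {1, 10, 192},            # VLANs with ARP inspection enabled
    "trusted": {"ge.1.1"},            # assumed DAI trusted port (toward the DHCP server)
    "validate": {"src-mac", "dst-mac", "ip"},
    "acl": {10: {("10.2.0.9", "00:00:5e:00:53:09")}},  # ARP ACL permits per VLAN
    "static": set(),                  # VLANs whose ACL was applied with [static]
}
# Constructed DHCP snooping bindings: (mac, ip, vlan, port)
BINDINGS = {("00:00:5e:00:53:0a", "10.2.0.50", 10, "ge.1.2")}

def arp(port, vlan, sender_ip, sender_mac, op="request", eth_src=None,
        eth_dst="ff:ff:ff:ff:ff:ff", target_mac="00:00:00:00:00:00"):
    """Build a constructed ARP frame; eth_src defaults to the ARP sender MAC."""
    return dict(port=port, vlan=vlan, op=op, sender_ip=sender_ip,
                sender_mac=sender_mac, eth_src=eth_src or sender_mac,
                eth_dst=eth_dst, target_mac=target_mac)

def inspect(p, cfg=CFG, bindings=BINDINGS):
    """Return (verdict, reason) for one ARP frame under the assumed check order."""
    if p["vlan"] not in cfg["vlans"] or p["port"] in cfg["trusted"]:
        return "forward", "not inspected"
    v, ip = cfg["validate"], IPv4Address(p["sender_ip"])
    if "src-mac" in v and p["eth_src"] != p["sender_mac"]:
        return "drop", "src-mac mismatch"
    if "dst-mac" in v and p["op"] == "reply" and p["eth_dst"] != p["target_mac"]:
        return "drop", "dst-mac mismatch"
    if "ip" in v and (ip.is_unspecified or ip.is_multicast
                      or ip == IPv4Address("255.255.255.255")):
        return "drop", "invalid sender IP"
    if (p["sender_ip"], p["sender_mac"]) in cfg["acl"].get(p["vlan"], ()):
        return "forward", "ARP ACL permit"
    if p["vlan"] in cfg["static"]:
        return "drop", "static ARP ACL, bindings not consulted"
    if (p["sender_mac"], p["sender_ip"], p["vlan"], p["port"]) in bindings:
        return "forward", "DHCP snooping binding"
    return "drop", "no DHCP snooping binding"

if __name__ == "__main__":
    client = arp("ge.1.2", 10, "10.2.0.50", "00:00:5e:00:53:0a")
    unbound = arp("ge.1.2", 10, "10.2.0.1", "00:00:5e:00:53:0b")  # claims the VLAN 10 router IP
    for frame in (client, unbound, arp("ge.1.1", 192, "192.0.2.1", "00:00:5e:00:53:01")):
        print(frame["port"], frame["sender_ip"], *inspect(frame))
```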