set arpinspection trust
23-20 DHCP Snooping and Dynamic ARP Inspection
Example
This example enables DAI on VLANs 2 through 5 and also enables logging of invalid ARP packets
on those VLANs.
C3(su)->set arpinspection vlan 2-5 logging
set arpinspection trust
Use this command to enable or disable a port as a dynamic ARP inspection trusted port.
Syntax
set arpinspection trust port port-string {enable | disable}
Parameters
Defaults
By default, all physical ports and LAGs are untrusted.
Mode
Switch command, read-write.
Usage
Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is
independent of the trust configuration for DHCP snooping. A trusted port is a port the network
administrator does not consider to be a security threat. An untrusted port is one which could
potentially be used to launch a network attack.
DAI considers all physical ports and LAGs untrusted by default. Packets arriving on trusted
interfaces bypass all DAI validation checks.
Example
This example enables port ge.1.1 as trusted for DAI.
C3(su)->set arpinspection trust port ge.1.1 enable
set arpinspection validate
Use this command to configure additional optional ARP validation parameters.
Syntax
set arpinspection validate {[src-mac] [dst-mac] [ip]}
Parameters
port-string Specifies the port or ports to be enabled or disabled as DAI trusted
ports. The ports can be physical ports or LAGs that are members of a
VLAN.
enable | disable Enables or disables the specified ports as trusted for DAI.
src-mac Specifies that DAI should verify that the sender MAC address equals
the source MAC address in the Ethernet header.
To Next Page
Loading...
