Dynamic ARP Inspection
26-24 Configuring Security Features
Basic Configuration
Procedure 26-7 below lists the commands used to configure DAI. Refer to the CLI Reference for
your platform for command details.
Default Parameter Values
Managing Dynamic ARP Inspection
Table 26-13 on page 24 lists the commands to display dynamic ARP inspection information.
Table 26-14 on page 25 lists the commands to manage dynamic ARP inspection. Refer to the CLI
Reference for your platform for command details.
Procedure 26-7 Basic Dynamic ARP Inspection Configuration
Step Task Command(s)
1. Configure DHCP snooping. Refer to Procedure 26-6 on page 26-20.
2. Enable ARP inspection on the VLANs where
clients are connected, and optionally, enable
logging of invalid ARP packets.
set arpinspection vlan vlan-range
[logging]
3. Determine which ports are not security threats
and configure them as DAI trusted ports.
set arpinspection trust port
port-string enable
4. If desired, configure optional validation
parameters.
set arpinspection validate
{[src-mac] [dst-mac] [ip]}
5. If desired, change the default rate limiting
parameters for incoming ARP packets on a port
or ports.
set arpinspection limit port
port-string {none | rate pps {burst
interval secs]}
6. If desired, configure static mappings for DAI by
creating ARP ACLs:
• Create the ARP ACL
• Apply the ACL to a VLAN
set arpinspection filter name permit
ip host sender-ipaddr mac host
sender-macaddr
set arpinspection filter name vlan
vlan-range [static]
Table 26-12 Dynamic ARP Inspection Default Parameters
Parameter Default Setting
Dynamic ARP inspection Disabled on all VLANs
Logging of invalid ARP packets Disabled
Trust state of all physical ports and
LAGs
Untrusted
Rate limit for incoming ARP packets 15 packets per second
Burst interval 1 second
Table 26-13 Displaying Dynamic ARP Inspection Information
Task Command
To display ARP access list configuration information show arpinspection access-list
[acl-name]
To display the ARP configuration of one or more ports show arpinspection ports
[port-string]
To Next Page
Loading...
Need help?
General