Enterasys SecureStack C2 C2G170-24

Enterasys SecureStack C2 C2G170-24

698 pages

To Next Page

To Next Page

To Previous Page

To Previous Page

Loading...

Dynamic ARP Inspection Overview

SecureStack C2 Configuration Guide 17-17

• Loopbackaddresses(intherange127.0.0.0/8)

Logging Invalid Packets

Bydefault,DAIwritesalogmessagetothenormalbufferedlogforeachinvalidARPpacketit

drops.YoucanconfigureDAItonotloginvalidpacketsforspecificVLANs.

Packet Forwarding

DAIforwardsvalidARPpacketswhosedestinationMACaddressisnotlocal.TheingressVLAN

couldbeaswitchingorroutingVLAN.ARPrequestsarefloodedintheVLAN.ARPresponsesare

unicasttowardtheirdestination.DAIqueriestheMACaddresstabletodetermin ethe outgoing

port.IfthedestinationMAC

addressislocal,DAIgivesvalidARPpacketstotheARPapplication.

Rate Limiting

ToprotecttheswitchfromDHCPattackswhenDAIisenabled,theDAIapplicationenforcesarate

limitforARPpacketsreceivedonuntrustedinterfaces.DAImonitorsthereceiverateoneach

interfaceseparately.Ifthereceiverateexceedsaconfigurablelimit,DAIerrordisablesthe

interface,whicheffectivelybringsdown

theinterface.Youcanusethesetportenablecommand

toreenabletheport.

Youcanconfigureboththerateandtheburstinterval.Thedefaultrateis15ppsoneachuntrusted

interfacewitharangeof0to100pps.Thedefaultburstintervalis1secondwith

arangeto1to15

seconds..TheratelimitcannotbesetontrustedinterfacessinceARPpacketsreceivedontrusted

interfacesdonotcometotheCPU.

Eligible Interfaces

DynamicARPinspectionisenabledperVLAN,effectivelyenablingDAIonthemembersofthe

VLAN,eitherphysicalportsorLAGs.TrustisspecifiedontheVLANmembers.

DAIcannotbeenabledonport‐basedroutinginterfaces.Itmaybeconnectedto:

•Asinglehostthroughatrustedlink(forexample,

aserver)

•Ifmultiplehostsneedtoconnected,theremustbeaswitchbetweentherouterandthehosts, 

withDAIenabledonthatswitch

Interaction with Other Functions

•DAIreliesontheDHCPsnoopingapplicationtoverifythata{IPaddress,MACaddress,

VLAN,interface}tupleisvalid.

•DAIregisterswithdot1qtoreceivenotificationofVLANmembershipchangesfortheVLANs

whereDAIisenabled.

•DAItellsthedriverabouteachuntrustedinterface(physicalportorLAG)where

DAIis

enabledsothatthehardwarewillint erceptARPpacketsand sendthemtotheCPU.

Table of Contents

Other manuals for Enterasys SecureStack C2 C2G170-24

Hardware Installation Guide74 pages

Related product manuals

Preview: SecureStack C2 C2G124-24

SecureStack C2 C2G124-24

Preview: Enterasys SecureStack C2

Enterasys SecureStack C2

Preview: SecureStack A2 A2H124-24

SecureStack A2 A2H124-24

Preview: SecureStack B3 B3G124-48

SecureStack B3 B3G124-48

SecureStack A2 A2H254-16

Preview: SecureStack B3 B3G124-24P

SecureStack B3 B3G124-24P

Preview: SecureStack B2 B2G124-48P

SecureStack B2 B2G124-48P

Enterasys SSA-G1018-0652

Preview: Enterasys C3G124-24

Enterasys C3G124-24

Preview: Enterasys B5G124-24

Enterasys B5G124-24

Preview: Enterasys 08H20G4-24

Enterasys 08H20G4-24

Preview: Enterasys Matrix-V V2H124-24

Enterasys Matrix-V V2H124-24