To Next Page

To Previous Page

Dynamic ARP Inspection Overview

17-18 DHCP Snooping and Dynamic ARP Inspection

Basic Configuration

Thefollowingbasicconfigurationdoesnotchange thedefaultratelimitingparameters.

Example Configuration

ThefollowingexampleconfiguresDHCPsnoopinganddynamicARPinspectioninarouting

environmentusingRIP.Theexampleconfigurestwointerfacesontheswitch,configuringRIPon

bothinterfaces,assigningeachtoadifferentVLAN,andthenenablingDHCPsnoopingand

dynamicARPinspection onthem:

•Interfacege.1.1,whichisconnected

toaremoteDHCPserver,onVLAN192

•Interfacege.1.2,whichisconnectedtoDHCPclients,onVLAN10

Inaddition,thedefaultVLAN,VLAN1,isalsoenabledforDHCPsnoopinganddynamicARP

inspection.

SincetheDHCPserverisremote,theswitchhasbeenconfiguredasaDHCPrelayagent

(withthe

iphelper‐addresscommand),toforwardclientrequeststotheDHCPserver.Therefore,MAC

addressverificationisdisabled(withthesetdhcpsnoopingverifymac‐addressdisable

command)inordertoallowDHCPRELEASEpacketstobeprocessedbytheDHCPsnooping

functionalityandclientbindingsremovedfromthebindings

database

Router Configuration

router

enable

configure

interface vlan 10

no shutdown

ip address 10.2.0.1 255.255.0.0

ip helper-address 192.168.0.200

ip rip send version 2

ip rip receive version 2

ip rip enable

Procedure 17-2 Basic Dynamic ARP Inspection Configuration

Step Task Command(s)

1. Configure DHCP snooping. Refer to Procedure 17-1 on page 17-3.

2. Enable ARP inspection on the VLANs where

clients are connected, and optionally, enable

logging of invalid ARP packets.

set arpinspection vlan vlan-range

[logging]

3. Determine which ports are not security threats

and configure them as DAI trusted ports.

set arpinspection trust port

port-string enable

4. If desired, configure optional validation

parameters.

set arpinspection validate

{[src-mac] [dst-mac] [ip]}

5. If desired, configure static mappings for DAI by

creating ARP ACLs:

• Create the ARP ACL

• Apply the ACL to a VLAN

set arpinspection filter name permit

ip host sender-ipaddr mac host

sender-macaddr

set arpinspection filter name vlan

vlan-range [static]

Brand	Enterasys
Model	SecureStack C2 C2G170-24
Category	Switch
Language	English

Enterasys SecureStack C2 C2G170-24 User Manual

Table of Contents

Other manuals for Enterasys SecureStack C2 C2G170-24

Questions and Answers:

Enterasys SecureStack C2 C2G170-24 Specifications

Related product manuals