Configuration Guide Dynamic ARP Inspection Configuration
Configuration
DAI is an ARP-based security filtering technology. Configuring a series of
filtering policies lets the device check the validity of the ARP packets that
pass through it more effectively.
To use the functions of DAI, selectively perform the following tasks:
Enabling DAI Packet Check Function for Specified VLAN (required)
Setting the Trust Status of Port (optional)
Setting the Maximum Rate of Receiving ARP Packets on the Port (optional)
Related Configuration of DHCP Snooping Database (optional)
Enabling DAI Packet Check Function for Specified VLAN
By default, the DAI packet check function is disabled for all VLANs.
If the DAI packet check function is not enabled for VLAN vid, DAI-related
security checks are skipped for ARP packets with vlan-id = vid (the ARP packet
rate restriction is not skipped).
Use the show ip arp inspection vlan command to check whether the DAI
packet check function has been enabled for all VLANs.
To configure the DAI packet check function for VLAN, execute the following
commands in the interface configuration mode:
Turns off the DAI packet check function for VLAN vlan-id.
If vlan-id is omitted, the DAI packet check function is disabled for all VLANs.
Setting the Trust Status of Port
This command is used in the layer 2 interface configuration mode, and the layer
2 interface is a member port of an SVI.
All the layer 2 ports are untrusted by default.
If the port is trusted, ARP packets will not be checked further. Otherwise, the
validity of the current ARP packet will be checked using information in the
DHCP snooping database.
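
The decision path described above (per-VLAN enable, port trust, then lookup in the DHCP snooping database), modelled in Python as an added example; it is not vendor code. The binding fields compared (IP, MAC, VLAN, port), the port names and all sample data are assumptions constructed for illustration, and rate limiting is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping database entry (field set is an assumption)."""
    ip: str
    mac: str
    vlan: int
    port: str

@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int
    ingress_port: str

def dai_verdict(pkt, dai_vlans, trusted_ports, snooping_db):
    """Return (action, reason) for one ARP packet."""
    # DAI not enabled for this VLAN: the security check is skipped.
    if pkt.vlan not in dai_vlans:
        return ("forward", "dai-disabled-vlan")
    # Trusted port: no further checking of the ARP packet.
    if pkt.ingress_port in trusted_ports:
        return ("forward", "trusted-port")
    # Untrusted port: the sender fields must match a snooped binding.
    wanted = Binding(pkt.sender_ip, pkt.sender_mac.lower(), pkt.vlan, pkt.ingress_port)
    if wanted in snooping_db:
        return ("forward", "binding-match")
    return ("drop", "no-matching-binding")

# Constructed sample state: one leased host, DAI on VLAN 10, one trusted uplink.
SNOOPING_DB = {Binding("192.168.10.20", "00:11:22:33:44:55", 10, "Gi0/2")}
DAI_VLANS = {10}
TRUSTED_PORTS = {"Gi0/24"}

def demo():
    forged = ("192.168.10.1", "66:77:88:99:AA:BB")  # claims an IP it never leased
    packets = [
        ArpPacket("192.168.10.20", "00:11:22:33:44:55", 10, "Gi0/2"),  # legitimate host
        ArpPacket(*forged, 10, "Gi0/3"),   # forged ARP on an untrusted port
        ArpPacket(*forged, 10, "Gi0/24"),  # same packet arriving on the trusted port
        ArpPacket(*forged, 20, "Gi0/3"),   # same packet in a VLAN without DAI
    ]
    return [dai_verdict(p, DAI_VLANS, TRUSTED_PORTS, SNOOPING_DB) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two results show why trust should be limited to ports that face other switches or the DHCP server, and why every access VLAN needs DAI enabled: the same forged packet is forwarded in both cases.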