Multi-vrf support, Enabling trust on a port for a specific vrf, Dhcp snooping – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

2       10.43.1.78      0000.0060.6ab1  Dynamic   2    mgmt1   Valid

The command displays all ARP entries in the system. For field definitions, refer to Table 25 in the
FastIron Ethernet Switch Layer 3 Routing Configuration Guide.

Syntax: show arp

Multi-VRF support

DAI supports Multi-VRF (Virtual Routing and Forwarding) instances. You can deploy multiple VRFs on
a Brocade Ethernet switch. Each VLAN that has a Virtual Interface (VE) is assigned to a VRF.

You can enable DAI on individual VLANs and designate any interface as the ARP inspection trust
interface. If that interface is a tagged port in the VLAN, you can enable trust on it per VRF, so that
ARP traffic belonging to VLANs in other VRFs on the same port remains untrusted.

To configure DAI to support a VRF instance, do the following:

• DAI requires that the acl-per-port-per-vlan setting be enabled. To enable the setting:

Brocade(config)# enable acl-per-port-per-vlan

Reload required. Please write memory and then reload or power cycle.

The setting takes effect only after you save the configuration (write memory) and reload or power cycle the device.

• Configure DAI on a VLAN using the ip arp inspection vlan vlan-id command. For example:

Brocade(config)# ip arp inspection vlan 2

Syntax: ip arp inspection vlan vlan-id

• To add a static ARP inspection entry for a specific VRF, use the arp ip-address mac-address inspection command in the VRF CLI context (the IPv4 address-family level of the VRF, as the prompt in the example shows). For example:

Brocade(config-vrf-one-ipv4)#arp 5.5.5.5 00a2.bbaa.0033 inspection

Syntax: arp ip-address mac-address inspection

Enabling trust on a port for a specific VRF

The default trust setting for a port is untrusted. For ports that are connected to hosts, leave the
trust setting as untrusted; only uplinks toward the legitimate gateway or other trusted switches should be trusted.

To enable trust on a port for a specific VRF, enter commands such as the following.

Brocade(config)#interface ethernet 1/4

Brocade(config-if-e10000-1/4)#arp inspection trust vrf vrf2

The commands change the CLI to the interface configuration level of port 1/4 and set the trust setting
of port 1/4 for VRF vrf2 to trusted. ARP traffic on port 1/4 that belongs to VLANs in other VRFs remains untrusted.

Syntax: [no] arp inspection trust vrf vrf-name
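As an added example (not code from the Brocade guide), the per-VRF DAI procedure above and the trust guidance in this section can be checked mechanically before a change window. The Python script below parses a constructed, simplified FastIron-style running-config (the VLAN, port and VRF names, the sample config itself, and the helper and function names are assumptions for illustration) and reports the three things a practitioner should verify: acl-per-port-per-vlan is enabled, every VLAN that has a VE has ip arp inspection vlan enabled, and no port that is an untagged (host) member of an inspected VLAN carries arp inspection trust, whether VRF-scoped or not.

```python
"""Audit a simplified FastIron-style running-config for per-VRF DAI hygiene.
Added example, not from the Brocade guide. The checks follow the guide's text:
acl-per-port-per-vlan must be enabled, VLANs with a VE should be inspected,
and host (untagged) ports must stay untrusted."""
import re
from collections import defaultdict

# Constructed sample config (assumption for illustration; all names are made up).
SAMPLE_CONFIG = """\
enable acl-per-port-per-vlan
vlan 2 name users-vrf2
 tagged ethernet 1/4
 untagged ethernet 1/5 to 1/8
 router-interface ve 2
vlan 3 name servers-vrf3
 tagged ethernet 1/4
 untagged ethernet 1/9
 router-interface ve 3
vlan 4 name guests
 untagged ethernet 1/10
 router-interface ve 4
ip arp inspection vlan 2
ip arp inspection vlan 3
interface ethernet 1/4
 arp inspection trust vrf vrf2
interface ethernet 1/9
 arp inspection trust
"""

PORT_RE = re.compile(r"ethernet\s+(\S+)(?:\s+to\s+(\S+))?")
TRUST_RE = re.compile(r"arp inspection trust(?:\s+vrf\s+(\S+))?$")


def expand_ports(spec):
    """Turn 'untagged ethernet 1/5 to 1/8' into ['1/5', '1/6', '1/7', '1/8']."""
    ports = []
    for start, end in PORT_RE.findall(spec):
        if not end:
            ports.append(start)
            continue
        prefix, _, first = start.rpartition("/")   # '1/5' -> ('1', '/', '5')
        last = end.rpartition("/")[2]
        for n in range(int(first), int(last) + 1):
            ports.append(f"{prefix}/{n}" if prefix else str(n))
    return ports


def parse_config(text):
    """Collect VLAN membership, VEs, inspected VLANs and per-port trust settings."""
    acl_ppv = False
    vlans = defaultdict(lambda: {"tagged": set(), "untagged": set(), "ve": False})
    inspected = set()
    trust = {}      # port -> VRF name, or None when trusted for all VRFs
    ctx = None      # ("vlan", id) or ("port", name) while inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := re.match(r"vlan\s+(\d+)", line)):
            ctx = ("vlan", int(m.group(1)))
            vlans[ctx[1]]                      # register even if it has no members
        elif (m := re.match(r"interface\s+ethernet\s+(\S+)", line)):
            ctx = ("port", m.group(1))
        elif line == "enable acl-per-port-per-vlan":
            acl_ppv, ctx = True, None
        elif (m := re.match(r"ip arp inspection vlan\s+(\d+)", line)):
            inspected.add(int(m.group(1)))
            ctx = None
        elif ctx and ctx[0] == "vlan":
            v = vlans[ctx[1]]
            if line.startswith("tagged "):
                v["tagged"].update(expand_ports(line))
            elif line.startswith("untagged "):
                v["untagged"].update(expand_ports(line))
            elif line.startswith("router-interface ve"):
                v["ve"] = True
        elif ctx and ctx[0] == "port":
            if (m := TRUST_RE.match(line)):
                trust[ctx[1]] = m.group(1)
    return acl_ppv, dict(vlans), inspected, trust


def audit(text):
    """Return a list of human-readable findings (empty means nothing was flagged)."""
    acl_ppv, vlans, inspected, trust = parse_config(text)
    findings = []
    if not acl_ppv:
        findings.append("acl-per-port-per-vlan is not enabled; DAI per VRF requires it "
                        "(and a reload after enabling it)")
    for vid, v in sorted(vlans.items()):
        if v["ve"] and vid not in inspected:
            findings.append(f"VLAN {vid} has a VE but no 'ip arp inspection vlan {vid}'")
    for port, vrf in sorted(trust.items()):
        scope = f"VRF {vrf}" if vrf else "all VRFs"
        for vid, v in sorted(vlans.items()):
            if vid in inspected and port in v["untagged"]:
                findings.append(f"port {port} is trusted for {scope} but is an untagged "
                                f"(host) member of inspected VLAN {vid}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

On the sample config the script flags VLAN 4 (a VE without inspection) and port 1/9 (a host port that was trusted for every VRF), while port 1/4 passes: it is a tagged member of VLANs 2 and 3 and trusted only for vrf2, so its VLAN 3 ARP traffic is still inspected, which is exactly the per-VRF behaviour the section describes.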

DHCP snooping

Dynamic Host Configuration Protocol (DHCP) snooping enables the Brocade device to filter untrusted
DHCP packets in a subnet. DHCP snooping can ward off man-in-the-middle (MITM) attacks, such as a malicious user
posing as a DHCP server and sending false DHCP server reply packets with the intention of misdirecting


FastIron Ethernet Switch Security Configuration Guide

53-1003088-03