Configuring dai, Arp entries – Brocade Multi-Service IronWare Switching Configuration Guide (Supporting R05.6.00) User Manual
Page 785
Multi-Service IronWare Switching Configuration Guide
755
53-1003036-02
Dynamic ARP inspection
19
DAI inspects ARP packets received on untrusted ports, as shown in
. DAI carries out the
inspection based on IP-to-MAC address bindings stored in a trusted binding database. For the
Brocade device, the binding database is the ARP table, which supports DAI, DHCP snooping, and IP
Source Guard. To inspect an ARP request packet, DAI checks the source IP and source MAC
address against the ARP table. For an ARP reply packet, DAI checks the source IP, source MAC,
destination IP, and destination MAC addresses. DAI forwards the valid packets and discards those
with invalid IP-to-MAC address bindings.
When ARP packets reach a trusted port, DAI lets them through, as shown in
.
FIGURE 193
Dynamic ARP inspection at work
ARP entries
DAI uses the IP/MAC mappings in the ARP table to validate ARP packets received on untrusted
ports. ARP entries in the ARP table derive from the following:
•
ARP Inspection – statically configured VRF+VLAN +IP/MAC mapping.
•
ARP – statically configured VRF+IP/MAC/port mapping.
•
DHCP-Snooping ARP – information collected from snooping DHCP packets when DHCP
snooping is enabled on VLANs.
Configuring DAI
NOTE
An index number is no longer needed to configure static ARP entries.
Follow the steps listed below to configure DAI.
1. Configure inspection of ARP entries for hosts on untrusted ports. Enable ARP Inspection on a
VLAN to inspect ARP packets.
2. Configure the trust settings of the VLAN members. ARP packets received on trusted ports
bypass the DAI validation process. ARP packets received on untrusted ports go through the DAI
validation process.
3. Enable DHCP snooping to populate the DHCP snooping IP-to-MAC binding database. Refer to
on page 763 for more information.
The following shows the default settings of ARP Inspection.