Limits and restrictions, Arp entries – Brocade BigIron RX Series Configuration Guide User Manual
BigIron RX Series Configuration Guide
53-1002484-04
Dynamic ARP inspection
FIGURE 143 Dynamic ARP Inspection at work
ARP entries
DAI uses the IP/MAC mappings in the ARP table to validate ARP packets received on untrusted
ports.
ARP entries in the ARP table derive from the following:
• Dynamic ARP – normal ARP learned from trusted ports.
• Static ARP – statically configured IP/MAC/port mapping.
• Inspection ARP – statically configured IP/MAC mapping, where the port is initially unspecified. The actual physical port mapping will be resolved and updated from validated ARP packets. Refer to “Configuring an inspection ARP entry”.
• DHCP-Snooping ARP – information collected from snooping DHCP packets when DHCP snooping is enabled on VLANs.
The status of an ARP entry is either pending or valid:
• Valid – the mapping is valid, and the port is resolved. This is always the case for static ARP entries.
• Pending – applies to normal dynamic, inspection ARP, and DHCP-Snooping ARP entries before they are resolved and the port is mapped. Their status changes to valid once they are resolved and the port is mapped.
“System reboot and the binding database”
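The validation described above, as a simplified model added here (not Brocade code or the device's implementation): an ARP packet on an untrusted port is checked against the table's IP/MAC mapping, and a pending inspection ARP entry takes its port from the first validated packet. The class and function names, addresses, MACs and port numbers are constructed for illustration, and learning a trusted-port mapping directly as valid is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ArpEntry:
    ip: str
    mac: str
    source: str                 # "dynamic", "static", "inspection" or "dhcp-snooping"
    port: Optional[str] = None  # None until the physical port is resolved

    @property
    def status(self) -> str:
        return "valid" if self.port is not None else "pending"

class DaiTable:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.entries = {}  # keyed by IP address

    def add(self, entry: ArpEntry) -> None:
        entry.mac = entry.mac.lower()
        self.entries[entry.ip] = entry

    def receive(self, port: str, sender_ip: str, sender_mac: str) -> str:
        """Return "forward" or "drop" for an ARP packet seen on `port`."""
        mac = sender_mac.lower()
        entry = self.entries.get(sender_ip)
        if port in self.trusted:
            # Trusted ports are not inspected. Assumption of this model:
            # the mapping is learned as dynamic ARP and is valid at once.
            if entry is None:
                self.add(ArpEntry(sender_ip, mac, "dynamic", port))
            return "forward"
        # Untrusted port: the sender IP/MAC must match a table entry.
        if entry is None or entry.mac != mac:
            return "drop"
        if entry.port is None:
            entry.port = port  # pending entry resolved by a validated packet
        return "forward"

def demo():
    table = DaiTable(trusted_ports={"1/1"})
    table.add(ArpEntry("10.0.0.5", "0001.0002.0003", "static", "2/1"))
    table.add(ArpEntry("10.0.0.7", "0001.0002.0007", "inspection"))  # port unspecified
    before = table.entries["10.0.0.7"].status
    results = [table.receive("2/3", "10.0.0.7", "0001.0002.0007"),  # matches inspection ARP
               table.receive("2/4", "10.0.0.5", "00aa.00bb.00cc"),  # contradicts static ARP
               table.receive("2/4", "10.0.0.9", "00aa.00bb.00cc"),  # no entry for this IP
               table.receive("1/1", "10.0.0.9", "0001.0002.0009")]  # trusted port, learned
    return before, table.entries["10.0.0.7"], results, table.entries["10.0.0.9"].source
```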
Limits and restrictions
The following limits and restrictions apply when configuring DAI:
• The maximum number of DHCP and static DAI entries depends on the maximum number of ARP table entries allowed on the device. The BigIron RX Series switch can have up to 64,000 ARP entries. In a BigIron RX switch, you can use the system-max ip-arp command to change the maximum number of ARP entries for the device.
• The current implementation works on routing and virtual routing interface ports, and does not support Layer 2 switching-only ports in VLANs without an assigned IP address on the router.
[Figure 143 labels: ARP packet, Brocade Device, Trusted, Untrusted, DAI]