
Configuring dai, Configuring an inspection arp entry, Enabling dai on a vlan – Brocade BigIron RX Series Configuration Guide User Manual


BigIron RX Series Configuration Guide, 53-1002484-04, page 1086
Chapter 36: Dynamic ARP inspection

Configuring DAI

Configuring DAI consists of the following steps.

1. Configure inspection ARP entries for hosts on untrusted ports. Refer to “Configuring an inspection ARP entry” on page 1086.

2. Enable DAI on a VLAN to inspect ARP packets. Refer to “Enabling DAI on a VLAN” on page 1086.

3. Configure the trust settings of the VLAN members. ARP packets received on trusted ports bypass the DAI validation process. ARP packets received on untrusted ports go through the DAI validation process. Refer to “Enabling trust on a port” on page 1087.

4. Enable DHCP snooping to populate the DHCP snooping IP-to-MAC binding database.

The following shows the default settings of DAI.

Configuring an inspection ARP entry

Static ARP and static inspection ARP entries need to be configured for hosts on untrusted ports.
Otherwise, when DAI checks ARP packets from these hosts against entries in the ARP table, it will
not find any entries for them, and the Brocade device will neither accept nor learn ARP from the
untrusted host.

When the inspection ARP entry is resolved with the correct IP/MAC mapping, its status changes
from pending to valid.

To configure an inspection ARP entry, enter commands such as the following.

BigIron RX(config)#arp 20.20.20.12 0001.0002.0003 inspection

The command defines an inspection ARP entry, mapping a device’s IP address 20.20.20.12 to
its MAC address 0001.0002.0003.

Syntax: [no] arp <index> <ip-addr> <mac-addr> inspection

The index can be from 1 up to the maximum number of static entries allowed.

The <ip-addr> <mac-addr> parameter specifies a device’s IP address and MAC address pairing.

Enabling DAI on a VLAN

DAI is disabled by default. To enable DAI on an existing VLAN, enter the following command.

BigIron RX(config)#ip arp inspection vlan 2

The command enables DAI on VLAN 2. ARP packets from untrusted ports in VLAN 2 will undergo
DAI inspection.

Syntax: [no] ip arp inspection vlan <vlan-number>

The <vlan-number> variable specifies the ID of a configured VLAN.
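To make the validation path described in the four configuration steps concrete, the following is an added example (not code from the Brocade guide) that models the DAI decision in Python: inspection entries, VLAN enablement and port trust mirror the CLI commands on this page, the pending/valid status follows the text above, and the ARP samples are constructed.

```python
# Added model of Dynamic ARP Inspection (DAI) as described in the BigIron RX guide.
# Not Brocade code: a small simulator so the forward/drop outcome per packet is visible.
from dataclasses import dataclass, field


@dataclass
class DaiState:
    # ip -> [mac, status]; status is "pending" until a matching ARP packet resolves it
    inspection_entries: dict = field(default_factory=dict)
    dai_vlans: set = field(default_factory=set)      # VLANs with 'ip arp inspection vlan N'
    trusted_ports: set = field(default_factory=set)  # ports with trust enabled (step 3)

    def arp_inspection(self, ip: str, mac: str) -> None:
        # 'arp <ip-addr> <mac-addr> inspection': new entry starts in pending state
        self.inspection_entries[ip] = [mac.lower(), "pending"]

    def ip_arp_inspection_vlan(self, vlan: int) -> None:
        # 'ip arp inspection vlan <vlan-number>': DAI is disabled by default
        self.dai_vlans.add(vlan)

    def trust_port(self, port: str) -> None:
        # default trust setting for ports is untrusted; this marks one as trusted
        self.trusted_ports.add(port)

    def check_arp(self, vlan: int, port: str, sender_ip: str, sender_mac: str) -> str:
        """Return 'forward' or 'drop' for an ARP packet received on (vlan, port)."""
        if vlan not in self.dai_vlans:
            return "forward"  # DAI not enabled on this VLAN: nothing is inspected
        if port in self.trusted_ports:
            return "forward"  # trusted ports bypass the DAI validation process
        entry = self.inspection_entries.get(sender_ip)
        if entry is None or entry[0] != sender_mac.lower():
            return "drop"     # no inspection entry, or IP/MAC pairing does not match
        entry[1] = "valid"    # resolved with the correct mapping: pending -> valid
        return "forward"


def run_sample() -> list:
    """Apply the page's two commands and feed constructed ARP packets through DAI."""
    s = DaiState()
    s.arp_inspection("20.20.20.12", "0001.0002.0003")  # from the guide's example
    s.ip_arp_inspection_vlan(2)                          # from the guide's example
    s.trust_port("ethernet 1/2")                         # constructed trusted uplink
    packets = [  # (vlan, port, sender IP, sender MAC) - constructed samples
        (2, "ethernet 1/1", "20.20.20.12", "0001.0002.0003"),  # matches entry
        (2, "ethernet 1/1", "20.20.20.12", "0001.0002.0004"),  # MAC mismatch
        (2, "ethernet 1/1", "20.20.20.99", "0001.0002.0003"),  # no entry for IP
        (2, "ethernet 1/2", "20.20.20.99", "0001.0002.0003"),  # trusted port
        (3, "ethernet 1/1", "20.20.20.99", "0001.0002.0003"),  # VLAN without DAI
    ]
    return [s.check_arp(*p) for p in packets]
```

Running `run_sample()` yields forward, drop, drop, forward, forward for the five packets in order, and the 20.20.20.12 entry moves from pending to valid after the first packet.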

Default settings of DAI:

Feature                    Default
Dynamic ARP Inspection     Disabled
Trust setting for ports    Untrusted