Owner's manual
98 | Dynamic Host Configuration Protocol (DHCP)
www.dell.com | support.dell.com
• denial of service—an attacker can send fraudulent ARP messages to a client to associate a false MAC address with the gateway address, which blackholes all internet-bound packets from the client.
To view the number of entries in the ARP database, use the show arp inspection database command (Figure 6-9).
Figure 6-9. Command example: show arp inspection database
Note: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system. You can configure 10 to 16 DAI-enabled VLANs by allocating more CAM space to the L2SysFlow region before enabling DAI.
Note: SystemFlow has 102 entries by default. This region comprises two sub-regions: L2Protocol and L2SystemFlow. L2Protocol has 87 entries; L2SystemFlow has 15 entries. Six L2SystemFlow entries are used by Layer 2 protocols, leaving 9 for DAI. L2Protocol can have a maximum of 100 entries, and this region must be expanded to capacity before you can increase the size of L2SystemFlow. This matters when you are enabling DAI on VLANs. If, for example, you want to enable DAI on 16 VLANs, you need seven more entries; in this case, reconfigure the SystemFlow region for 122 entries:
layer-2 eg-acl value fib value frrp value ing-acl value learn value l2pt value qos value system-flow 122
Note: The logic is as follows: L2Protocol has 87 entries by default and must be expanded to its maximum capacity, 100 entries, before L2SystemFlow can be increased; therefore 13 more L2Protocol entries are required. L2SystemFlow has 15 entries by default, but only nine are for DAI; to enable DAI on 16 VLANs, seven more entries are required:
87 L2Protocol + 13 additional L2Protocol + 15 L2SystemFlow + 7 additional L2SystemFlow = 122.
Step  Task                                                           Command Syntax   Command Mode
1     Enable DHCP snooping.
2     Validate ARP frames against the DHCP snooping binding table.   arp inspection   INTERFACE VLAN
Note: Dynamic ARP Inspection (DAI) may sometimes filter ARP traffic from valid clients in the DHCP snooping binding table.
FTOS#show arp inspection database
Protocol Address Age(min) Hardware Address Interface VLAN CPU
----------------------------------------------------------------------------
Internet 10.1.1.251 - 00:00:4d:57:f2:50 Te 0/2 Vl 10 CP
Internet 10.1.1.252 - 00:00:4d:57:e6:f6 Te 0/1 Vl 10 CP
Internet 10.1.1.253 - 00:00:4d:57:f8:e8 Te 0/3 Vl 10 CP
Internet 10.1.1.254 - 00:00:4d:69:e8:f2 Te 0/50 Vl 10 CP
FTOS#
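The following script is an added illustration, not Dell or FTOS code: it parses the show arp inspection database output above into a binding table and then applies the validation rule in step 2 (an ARP frame on a DAI-enabled VLAN is forwarded only if its sender IP and MAC match a binding for that VLAN) to a few constructed ARP frames, including the spoofed-gateway frame the denial-of-service bullet describes. The switch performs this check in hardware; the trusted-port bypass and the opcode field are assumptions made for the model and are not taken from this page.

```python
"""Software model of Dynamic ARP Inspection against a DHCP snooping binding
table. Added example for illustration; FTOS itself does this in CAM/hardware."""
import re
from dataclasses import dataclass

# Constructed sample: a copy of the 'show arp inspection database' output
# printed on this manual page.
SHOW_OUTPUT = """\
Protocol Address Age(min) Hardware Address Interface VLAN CPU
----------------------------------------------------------------------------
Internet 10.1.1.251 - 00:00:4d:57:f2:50 Te 0/2 Vl 10 CP
Internet 10.1.1.252 - 00:00:4d:57:e6:f6 Te 0/1 Vl 10 CP
Internet 10.1.1.253 - 00:00:4d:57:f8:e8 Te 0/3 Vl 10 CP
Internet 10.1.1.254 - 00:00:4d:69:e8:f2 Te 0/50 Vl 10 CP
"""


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int


# One data row of the show output: protocol, IP, age, MAC, "Te x/y", "Vl n", CPU.
ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<intf>\S+ \S+)\s+Vl (?P<vlan>\d+)\s+\S+$",
    re.IGNORECASE,
)


def parse_binding_table(text):
    """Return {(vlan, ip): Binding} built from show arp inspection database output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and separator lines do not match and are skipped
            b = Binding(m["ip"], m["mac"].lower(), m["intf"], int(m["vlan"]))
            table[(b.vlan, b.ip)] = b
    return table


@dataclass(frozen=True)
class ArpFrame:
    vlan: int
    ingress_port: str
    sender_ip: str
    sender_mac: str
    opcode: int  # 1 = request, 2 = reply (assumed field, not from the page)


def dai_verdict(frame, table, dai_vlans, trusted_ports=frozenset()):
    """Return 'forward' or 'drop:<reason>' for one ARP frame.

    Only VLANs with DAI enabled are inspected; frames arriving on a port the
    operator marked trusted (assumption: e.g. an uplink) bypass the check.
    """
    if frame.vlan not in dai_vlans or frame.ingress_port in trusted_ports:
        return "forward"
    binding = table.get((frame.vlan, frame.sender_ip))
    if binding is None:
        return "drop:no binding for sender IP"
    if binding.mac != frame.sender_mac.lower():
        return "drop:sender MAC does not match binding"
    return "forward"


def demo():
    """Run four constructed frames through DAI on VLAN 10 and return the verdicts."""
    table = parse_binding_table(SHOW_OUTPUT)
    frames = [
        # Legitimate host answering with the MAC recorded for its lease.
        ArpFrame(10, "Te 0/2", "10.1.1.251", "00:00:4d:57:f2:50", 2),
        # Host claims the gateway's IP (10.1.1.254) with a different MAC:
        # the blackholing scenario described above; DAI drops it.
        ArpFrame(10, "Te 0/7", "10.1.1.254", "00:00:4d:ff:ff:ff", 2),
        # Sender IP with no DHCP lease at all.
        ArpFrame(10, "Te 0/7", "10.1.1.99", "00:00:4d:aa:bb:cc", 1),
        # Same spoof on a VLAN where DAI is not enabled: not inspected.
        ArpFrame(20, "Te 0/7", "10.1.1.254", "00:00:4d:ff:ff:ff", 2),
    ]
    return [dai_verdict(f, table, dai_vlans={10}) for f in frames]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last frame shows why the CAM sizing notes above matter operationally: DAI protects only the VLANs it has been enabled on, so a VLAN left out for lack of L2SystemFlow entries is a VLAN where the spoofed gateway reply is forwarded unchecked.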