Specifications

Dynamic ARP Inspection Overview
18-18 DHCP Snooping and Dynamic ARP Inspection
Eligible Interfaces
Dynamic ARP inspection is enabled per VLAN, effectively enabling DAI on the members of the
VLAN, either physical ports or LAGs. Trust is specified on the VLAN members.
DAI cannot be enabled on port-based routing interfaces. Such an interface may be connected to:
• A single host through a trusted link (for example, a server)
• If multiple hosts need to be connected, there must be a switch between the router and the hosts,
with DAI enabled on that switch
Interaction with Other Functions
• DAI relies on the DHCP snooping application to verify that a {IP address, MAC address,
VLAN, interface} tuple is valid.
• DAI registers with dot1q to receive notification of VLAN membership changes for the VLANs
where DAI is enabled.
• DAI tells the driver about each untrusted interface (physical port or LAG) where DAI is
enabled so that the hardware will intercept ARP packets and send them to the CPU.
Basic Configuration
The following basic configuration does not change the default rate limiting parameters.
Procedure 18-2 Basic Dynamic ARP Inspection Configuration
Step  Task                                                     Command(s)
1.    Configure DHCP snooping.                                 Refer to Procedure 18-1 on page 18-3.
2.    Enable ARP inspection on the VLANs where clients are     set arpinspection vlan vlan-range [logging]
      connected, and optionally, enable logging of invalid
      ARP packets.
3.    Determine which ports are not security threats (for     set arpinspection trust port port-string enable
      example, the uplink toward the DHCP server or toward
      another DAI-enabled switch) and configure them as DAI
      trusted ports. All other ports remain untrusted and
      have their ARP traffic inspected.
4.    If desired, configure optional validation parameters.   set arpinspection validate {[src-mac] [dst-mac] [ip]}
5.    If desired, configure static mappings for DAI by
      creating ARP ACLs:
      Create the ARP ACL                                       set arpinspection filter name permit ip host sender-ipaddr mac host sender-macaddr
      Apply the ACL to a VLAN                                  set arpinspection filter name vlan vlan-range [static]
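The following is an added worked example of Procedure 18-2 applied end to end on one access switch; it is not configuration taken from the original guide. It assumes a client VLAN 10 on access ports ge.1.1-24, an uplink ge.1.48 that leads toward the DHCP server and therefore is the only trusted port, and one statically addressed printer that never uses DHCP and so needs an ARP ACL entry. The DHCP snooping commands in step 1 (set dhcpsnooping ...) are assumed from Procedure 18-1, which is not reproduced on this page, and the show commands at the end are assumed verification commands; the set arpinspection commands use exactly the syntax listed in the procedure. The MAC address format (dash-separated) and all addresses and port strings are illustrative values.

```text
! Step 1 (assumed from Procedure 18-1): DAI cannot inspect anything until the
! DHCP snooping binding table exists, so snooping comes first. Only the uplink
! toward the DHCP server is trusted for DHCP server messages.
set dhcpsnooping enable
set dhcpsnooping vlan 10 enable
set dhcpsnooping trust port ge.1.48 enable

! Step 2: enable DAI on the client VLAN and log invalid ARP packets.
! Per the overview, this enables inspection on every member of VLAN 10,
! physical ports and LAGs alike.
set arpinspection vlan 10 logging

! Step 3: trust only the uplink. ge.1.1-24 stay untrusted, so the hardware
! intercepts their ARP packets and hands them to the CPU for checking against
! the {IP, MAC, VLAN, interface} bindings learned by DHCP snooping.
set arpinspection trust port ge.1.48 enable

! Step 4: optional extra checks on the ARP body (assumed illustrative choice:
! all three enabled).
set arpinspection validate src-mac dst-mac ip

! Step 5: a static mapping for a host that never uses DHCP (illustrative
! printer at 10.10.10.200). Without this entry its ARP replies would be
! dropped on an untrusted port because no snooping binding exists for it.
set arpinspection filter static-hosts permit ip host 10.10.10.200 mac host 00-11-22-33-44-55
set arpinspection filter static-hosts vlan 10

! Verification (assumed show commands): confirm the VLAN, the trust state of
! each port, and that drop counters rise only for genuinely bad ARP packets.
show dhcpsnooping binding
show arpinspection vlan 10
show arpinspection ports
show arpinspection statistics
```

Two points a practitioner checks after applying this: first, that the DHCP snooping binding table is actually populated for the client ports before DAI is enabled, because every legitimate host without a binding (or without an ARP ACL entry) will have its ARP traffic dropped, not just attackers; second, that the trusted port really is the one facing the DHCP server or a downstream DAI-enabled switch, since trusting an access port reopens that port to ARP spoofing. The rate limiting defaults are deliberately left untouched here, as the procedure states.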