OL-11615-01
Similarly to DHCP snooping, DAI associates a trust state with each interface on the system. Packets
arriving on trusted interfaces bypass all DAI validation checks, while those arriving on untrusted
interfaces go through the DAI validation process. In a typical network configuration for DAI, all ports
connected to host ports are configured as untrusted, while all ports connected to switches are configured
as trusted. With this configuration, all ARP packets entering the network from a given switch will have
passed the security check. By default, DAI is disabled on all VLANs, and all ports are configured as
untrusted.
As previously mentioned, DAI populates its database of valid MAC address to IP address bindings
through DHCP snooping. It also validates ARP packets against statically configured ARP ACLs. It is
important to note that ARP ACLs have precedence over entries in the DHCP snooping database. ARP
packets are first compared to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, then
the packet will be denied even if a valid binding exists in the database populated by DHCP snooping.
Cisco IOS and Catalyst OS implement DAI in a similar manner. However, there are some functional
differences that should be noted, and which are covered in the following sections.
Dynamic ARP Inspection (DAI) in Catalyst OS (Catalyst 6500)
DAI provides an additional validation function capable of identifying and discarding ARP packets
containing MAC addresses in their bodies that are not consistent with the Ethernet headers. In Catalyst
OS this validation is based on the source MAC addresses. That is, DAI drops ARP packets whose source
Ethernet MAC addresses (in the Ethernet headers) are not the same as the source MAC addresses in the
ARP headers. In Cisco IOS this validation can be based on both source and destination MAC addresses.
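The decision order described in the preceding paragraphs (trusted ports bypass DAI, ARP ACLs are consulted before the DHCP snooping binding table, and the Catalyst OS check that the ARP sender MAC matches the Ethernet source MAC) can be modelled in a few dozen lines. The following is an added example written for this page, not Cisco code: the ARP ACL is represented as a lookup of (sender IP, sender MAC) to "permit" or "deny", with non-matching packets falling through to the DHCP snooping bindings, and running the MAC consistency check after the binding check is an assumption of the model. The configuration and packets are constructed samples.

```python
"""Model of the Dynamic ARP Inspection (DAI) decision order described above.

Added example, not Cisco code. ARP ACL entries map (sender IP, sender MAC) to
"permit" or "deny"; packets matching no entry fall through to the DHCP snooping
binding table. Running the source-MAC consistency check after the binding check
is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ArpPacket:
    ingress_port: str       # mod/port, e.g. "3/2"
    eth_src_mac: str        # source MAC in the Ethernet header
    arp_sender_mac: str     # sender hardware address in the ARP body
    arp_sender_ip: str      # sender protocol address in the ARP body


@dataclass
class DaiConfig:
    trusted_ports: Set[str] = field(default_factory=set)          # default: all ports untrusted
    arp_acl: Dict[Tuple[str, str], str] = field(default_factory=dict)
    dhcp_bindings: Dict[str, str] = field(default_factory=dict)   # IP -> MAC learned by DHCP snooping
    address_validation: bool = True   # CatOS: Ethernet source MAC must equal ARP sender MAC


def inspect(pkt: ArpPacket, cfg: DaiConfig) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one ARP packet."""
    # Packets arriving on trusted interfaces bypass every DAI check.
    if pkt.ingress_port in cfg.trusted_ports:
        return "forward", "trusted port, DAI bypassed"

    sender_mac = pkt.arp_sender_mac.lower()
    # 1. The user-configured ARP ACL is consulted first and has precedence:
    #    an explicit deny wins even if DHCP snooping holds a valid binding.
    acl_action = cfg.arp_acl.get((pkt.arp_sender_ip, sender_mac))
    if acl_action == "deny":
        return "drop", "denied by ARP ACL"
    if acl_action == "permit":
        binding_ok = True
    else:
        # 2. No ACL match: fall back to the DHCP snooping binding table.
        bound_mac = cfg.dhcp_bindings.get(pkt.arp_sender_ip)
        binding_ok = bound_mac is not None and bound_mac.lower() == sender_mac
    if not binding_ok:
        return "drop", "no ARP ACL permit and no matching DHCP snooping binding"

    # 3. Additional validation: the MAC in the ARP body must agree with the Ethernet header.
    if cfg.address_validation and pkt.eth_src_mac.lower() != sender_mac:
        return "drop", "Ethernet source MAC does not match ARP sender MAC"
    return "forward", "valid binding"


# Constructed sample configuration and traffic (not taken from the document).
SAMPLE_CONFIG = DaiConfig(
    trusted_ports={"3/1"},   # uplink to another switch
    arp_acl={
        ("10.0.0.5", "00aa.bbcc.dd05"): "permit",   # statically addressed host, no DHCP lease
        ("10.0.0.9", "00aa.bbcc.dd09"): "deny",     # explicitly blocked by the operator
    },
    dhcp_bindings={"10.0.0.7": "00aa.bbcc.dd07", "10.0.0.9": "00aa.bbcc.dd09"},
)

SAMPLE_PACKETS = [
    ArpPacket("3/1", "00aa.bbcc.dd99", "00aa.bbcc.dd99", "10.0.0.99"),  # trusted port
    ArpPacket("3/2", "00aa.bbcc.dd09", "00aa.bbcc.dd09", "10.0.0.9"),   # ACL deny beats valid binding
    ArpPacket("3/3", "00aa.bbcc.dd07", "00aa.bbcc.dd07", "10.0.0.7"),   # matches DHCP binding
    ArpPacket("3/4", "00aa.bbcc.ddff", "00aa.bbcc.dd07", "10.0.0.7"),   # header/body MAC mismatch
    ArpPacket("3/5", "00aa.bbcc.dd08", "00aa.bbcc.dd08", "10.0.0.8"),   # unknown host, no binding
    ArpPacket("3/6", "00aa.bbcc.dd05", "00aa.bbcc.dd05", "10.0.0.5"),   # ACL permit, no binding needed
]


def inspect_all(packets: List[ArpPacket], cfg: DaiConfig) -> List[Tuple[str, str, str]]:
    """Run every packet through DAI and return (port, verdict, reason) rows."""
    return [(p.ingress_port, *inspect(p, cfg)) for p in packets]


if __name__ == "__main__":
    for port, verdict, reason in inspect_all(SAMPLE_PACKETS, SAMPLE_CONFIG):
        print(f"{port:5} {verdict:8} {reason}")
```

The second sample packet is the one to watch: it has a valid DHCP snooping binding, yet the ARP ACL deny entry is consulted first and the packet is dropped, which is the precedence rule the text describes.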
DAI implements a rate-limit function that controls the number of incoming ARP packets. In Catalyst OS,
this function can be configured globally and/or on a per port basis:
Global ARP inspection rate limit—By default, the global ARP inspection rate limit is set to 500 pps.
Packets exceeding the limit are discarded. The limit can be configured with a minimum value of 1
and a maximum value of 1000 pps. For Supervisor Engine 720, the minimum value that is enforced
by the hardware is 10 pps (values between 1-9 are set to 10). The global ARP inspection rate limit
can be disabled by setting the limit value to 0.
Per-port ARP inspection rate limit—The per-port rate limit uses a drop threshold and a shutdown
threshold. If the rate exceeds the drop threshold, the excess packets are dropped (and counted toward
the shutdown threshold limit). If the rate exceeds the shutdown threshold, the port that is specified
by mod/port is shut down. By default, both threshold values are 0 (no per-port rate limiting is
applied). The maximum value for both thresholds is 1000 pps.
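The two rate-limit mechanisms just described (the global limit with its 0/1-1000 range and the Supervisor Engine 720 floor of 10 pps, and the per-port drop and shutdown thresholds) are easy to get wrong when tuning, so the following added example models them. It is written for this page and is not Cisco code; the one-second counting window and the rule that the first packet over the shutdown threshold shuts the port are assumptions of the model, and the traffic burst is a constructed sample.

```python
"""Model of the ARP inspection rate limits described above (global limit and
per-port drop/shutdown thresholds).

Added example, not Cisco code. The one-second counting window and treating the
first packet above the shutdown threshold as the shutdown trigger are assumptions.
"""
from typing import Dict, List, Optional, Tuple


def effective_global_limit(configured: int, sup720: bool = False) -> Optional[int]:
    """Return the pps limit actually enforced, or None when the limit is 0 (disabled)."""
    if not 0 <= configured <= 1000:
        raise ValueError("global ARP inspection rate limit must be 0 (off) or 1-1000 pps")
    if configured == 0:
        return None
    if sup720 and configured < 10:
        return 10          # Supervisor Engine 720 hardware floor: values 1-9 become 10
    return configured


class PortArpRateLimiter:
    """Per-port drop threshold and shutdown threshold, both in packets per second."""

    def __init__(self, drop_threshold: int = 0, shutdown_threshold: int = 0) -> None:
        for value in (drop_threshold, shutdown_threshold):
            if not 0 <= value <= 1000:
                raise ValueError("per-port thresholds must be 0 (off) or 1-1000 pps")
        self.drop_threshold = drop_threshold
        self.shutdown_threshold = shutdown_threshold
        self._window: Dict[str, Tuple[int, int]] = {}   # port -> (second, packets seen)
        self.shutdown_ports: set = set()

    def offer(self, port: str, timestamp: float) -> str:
        """Account one ARP packet on `port`; return 'forward', 'drop' or 'shutdown'."""
        if port in self.shutdown_ports:
            return "shutdown"                      # stays down until an operator re-enables it
        second = int(timestamp)
        start, count = self._window.get(port, (second, 0))
        if start != second:
            start, count = second, 0              # new one-second window
        count += 1                                 # dropped packets still count toward shutdown
        self._window[port] = (start, count)

        if self.shutdown_threshold and count > self.shutdown_threshold:
            self.shutdown_ports.add(port)
            return "shutdown"
        if self.drop_threshold and count > self.drop_threshold:
            return "drop"
        return "forward"                           # 0/0 (the default) means no per-port limiting


def simulate(limiter: PortArpRateLimiter, events: List[Tuple[str, float]]) -> Dict[str, int]:
    """Feed (port, timestamp) events through the limiter and return a verdict tally."""
    tally = {"forward": 0, "drop": 0, "shutdown": 0}
    for port, ts in events:
        tally[limiter.offer(port, ts)] += 1
    return tally


# Constructed burst: 10 ARP packets within one second on port 3/2, one packet on
# port 3/3, then a late packet on 3/2 after that port has been shut down.
SAMPLE_EVENTS = [("3/2", i / 10) for i in range(10)] + [("3/3", 0.5), ("3/2", 1.5)]

if __name__ == "__main__":
    limiter = PortArpRateLimiter(drop_threshold=5, shutdown_threshold=8)
    print(simulate(limiter, SAMPLE_EVENTS))   # 6 forwarded, 3 dropped, 3 shutdown
```

With thresholds of 5 and 8 pps, packets 6 to 8 of the burst are dropped but still counted, so packet 9 pushes the port over the shutdown threshold; the late packet at 1.5 s is also reported as shutdown because the port remains down. With the default 0/0 thresholds every packet is forwarded.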
To configure Dynamic ARP Inspection on switches running Catalyst OS, perform the following steps:
Step 1 Enable dynamic ARP inspection on a per-VLAN basis using the set security acl arp-inspection
dynamic command:
Console> (enable) set security acl arp-inspection dynamic enable {vlan-list}
By default, dynamic ARP inspection is disabled on all VLANs.
Step 2 Configure the port trust state using the set port arp-inspection trust enable command:
Console> (enable) set port arp-inspection portlist trust {enable | disable}
To make the interfaces untrusted, use the set port arp-inspection trust disable command. By default,
all interfaces are untrusted.