Brocade ICX 6650 Security Configuration Guide 53-1002601-01
Valid – the mapping is valid, and the port is resolved. This is always the case for static ARP entries.
Pending – for normal dynamic and inspection ARP entries before they are resolved, and the port mapped. Their status changes to valid when they are resolved, and the port mapped.
DAI is supported on a VLAN without a VE, or on a VE with or without an assigned IP address.
Refer also to “System reboot and the binding database” on page 285.
Configuration notes and feature limitations for DAI
The following limits and restrictions apply when configuring DAI:
To run Dynamic ARP Inspection, you must first enable support for ACL filtering based on VLAN membership or VE port membership. To do so, enter the following commands at the Global CONFIG Level of the CLI.
Brocade(config)# enable ACL-per-port-per-vlan
Brocade(config)# write memory
Brocade(config)# exit
Brocade# reload
NOTE
You must save the configuration and reload the software to place the change into effect.
Brocade recommends that you do not enable DAI on a trunk port.
The maximum number of DHCP and static DAI entries depends on the maximum number of ARP table entries allowed on the device. A Brocade ICX 6650 Layer 2 switch can have up to 4096 ARP entries and a Brocade ICX 6650 Layer 3 switch can have up to 64,000 ARP entries. In a Brocade ICX 6650 Layer 3 switch, you can use the system-max ip-arp command to change the maximum number of ARP entries for the device.
However, only up to 1024 DHCP entries can be saved to flash.
ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP Inspection (DAI) are enabled.
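A configuration audit built on the notes above, as an added example that is not part of the Brocade guide: it checks a saved configuration for the ACL-per-port-per-vlan prerequisite and compares planned DAI entry counts with the stated limits. The `ip arp inspection vlan <id>` line used to detect DAI, the `audit_dai` and `arp_limit` names, and the sample configuration are assumptions.

```python
import re

# Limits stated in the guide for the Brocade ICX 6650.
ARP_CEILING = {"layer2": 4096, "layer3": 64000}
DHCP_FLASH_LIMIT = 1024

PREREQ = re.compile(r"^\s*enable acl-per-port-per-vlan\s*$", re.I | re.M)
# Assumption: DAI is turned on per VLAN with "ip arp inspection vlan <id>".
DAI_VLAN = re.compile(r"^\s*ip arp inspection vlan (\d+)\s*$", re.I | re.M)
SYSTEM_MAX = re.compile(r"^\s*system-max ip-arp (\d+)\s*$", re.I | re.M)

# Constructed sample: DAI on VLAN 2, prerequisite command absent.
SAMPLE_CONFIG = """\
vlan 2 by port
!
ip arp inspection vlan 2
!
"""


def arp_limit(config, image):
    """ARP table size to plan against: the stated ceiling, or on a Layer 3
    image the configured system-max ip-arp value when one is present."""
    ceiling = ARP_CEILING[image]
    m = SYSTEM_MAX.search(config)
    if image == "layer3" and m:
        return min(int(m.group(1)), ceiling)
    return ceiling


def audit_dai(config, image, static_entries, dhcp_entries):
    """Return findings for a saved config and the planned entry counts."""
    findings = []
    vlans = sorted({int(v) for v in DAI_VLAN.findall(config)})
    if vlans and not PREREQ.search(config):
        findings.append("DAI on VLAN(s) %s without 'enable ACL-per-port-per-vlan' "
                        "(add it, write memory, reload)" % vlans)
    limit = arp_limit(config, image)
    total = static_entries + dhcp_entries
    if total > limit:
        findings.append("%d DAI entries exceed the ARP limit of %d" % (total, limit))
    if dhcp_entries > DHCP_FLASH_LIMIT:
        findings.append("%d DHCP entries exceed the %d that can be saved to flash"
                        % (dhcp_entries, DHCP_FLASH_LIMIT))
    return findings


if __name__ == "__main__":
    for finding in audit_dai(SAMPLE_CONFIG, "layer2", 20, 1500):
        print(finding)
```

The entry counts are supplied by the caller, for example from an inventory of the hosts expected on the inspected VLANs.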
Dynamic ARP inspection
DHCP-Snooping ARP – information collected from snooping DHCP packets when DHCP snooping is enabled on VLANs.
The status of an ARP entry is either pending or valid:
