Dynamic ARP Inspection Overview

Basic Configuration

The following basic configuration does not change the default rate limiting parameters.

Procedure 17-2 Basic Dynamic ARP Inspection Configuration

| Step | Task | Command(s) |
|------|------|------------|
| 1. | Configure DHCP snooping. | Refer to Procedure 17-1 on page 17-3. |
| 2. | Enable ARP inspection on the VLANs where clients are connected, and optionally, enable logging of invalid ARP packets. | set arpinspection vlan vlan-range [logging] |
| 3. | Determine which ports are not security threats and configure them as DAI trusted ports. | set arpinspection trust port port-string enable |
| 4. | If desired, configure optional validation parameters. | set arpinspection validate {[src-mac] [dst-mac] [ip]} |
| 5. | If desired, configure static mappings for DAI by creating ARP ACLs: | |
| | • Create the ARP ACL | set arpinspection filter name permit ip host sender-ipaddr mac host sender-macaddr |
| | • Apply the ACL to a VLAN | set arpinspection filter name vlan vlan-range [static] |
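The following added example (not from the Enterasys manual, and not switch code) models how the settings from steps 1 through 5 combine into a forward/drop decision for a single ARP packet. The port string ge.1.1, the addresses, the check order and the exact validation semantics are assumptions based on how DAI is commonly documented; all sample state is constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Arp:
    port: str
    vlan: int
    is_reply: bool
    eth_src: str
    eth_dst: str
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

# Constructed state, one entry per step of the procedure.
SNOOP_BINDINGS = {(10, "192.0.2.20", "00:00:5e:00:53:20")}  # step 1: learned by DHCP snooping
DAI_VLANS = {10}                                            # step 2
TRUSTED_PORTS = {"ge.1.1"}                                  # step 3: uplink
VALIDATE = {"src-mac", "dst-mac", "ip"}                     # step 4
ARP_ACL = {10: {("192.0.2.5", "00:00:5e:00:53:05")}}        # step 5: static host
ACL_STATIC = {10: False}                                    # step 5: [static] not set

def bad_ip(ip: str) -> bool:
    a = IPv4Address(ip)
    return a.is_unspecified or a.is_multicast or a == IPv4Address("255.255.255.255")

def inspect(p: Arp) -> str:
    """Return 'forward' or 'drop: <reason>' for one ARP packet."""
    if p.vlan not in DAI_VLANS or p.port in TRUSTED_PORTS:
        return "forward"                       # not inspected
    if "src-mac" in VALIDATE and p.eth_src != p.sender_mac:
        return "drop: src-mac"
    if "dst-mac" in VALIDATE and p.is_reply and p.eth_dst != p.target_mac:
        return "drop: dst-mac"
    if "ip" in VALIDATE and (bad_ip(p.sender_ip) or (p.is_reply and bad_ip(p.target_ip))):
        return "drop: ip"
    pair = (p.sender_ip, p.sender_mac)
    if pair in ARP_ACL.get(p.vlan, set()):
        return "forward"                       # permitted by ARP ACL
    if p.vlan in ARP_ACL and ACL_STATIC.get(p.vlan):
        return "drop: acl static"              # static: no fallback to bindings
    if (p.vlan, *pair) in SNOOP_BINDINGS:
        return "forward"
    return "drop: no binding"
```

With [static] applied to the VLAN, a host that has only a DHCP snooping binding and no ARP ACL entry is dropped, which is why static mappings need to cover every legitimate sender on that VLAN.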

17-18 DHCP Snooping and Dynamic ARP Inspection

Enterasys Networks 9034313-07 manual