Table of Contents
Advertisement
DAI uses the DHCP snooping bindings database to verify that the sender MAC address and the
source IP address are a valid pair in the database. ARP packets whose sender MAC address and
sender IP address do not match an entry in the database are dropped.
If logging is enabled, invalid ARP packets are also logged.
Example
This example enables DAI on VLANs 2 through 5 and also enables logging of invalid ARP packets
on those VLANs.
C2(su)->set arpinspection vlan 2-5 logging
set arpinspection trust
Use this command to enable or disable a port as a dynamic ARP inspection trusted port.
Syntax
set arpinspection trust port port-string {enable | disable}
Parameters
port‐string
enable | disable
Defaults
By default, all physical ports and LAGs are untrusted.
Mode
Switch command, read‐write.
Usage
Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is
independent of the trust configuration for DHCP snooping. A trusted port is a port the network
administrator does not consider to be a security threat. An untrusted port is one which could
potentially be used to launch a network attack.
DAI considers all physical ports and LAGs untrusted by default. Packets arriving on trusted
interfaces bypass all DAI validation checks.
Example
This example enables port ge.1.1 as trusted for DAI.
C2(su)->set arpinspection trust port ge.1.1 enable
Specifies the port or ports to be enabled or disabled as DAI trusted
ports. The ports can be physical ports or LAGs that are members of a
VLAN.
Enables or disables the specified ports as trusted for DAI.
set arpinspection trust
SecureStack C2 Configuration Guide 17-21
Advertisement
Table of Contents
