Guidelines and Limitations for DAI; Default Settings for DAI - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x
Configuring Dynamic ARP Inspection
• You must configure the ACL TCAM region size for DAI using the hardware access-list tcam region arp-ether command. The DAI configuration will not be accepted unless the arp-ether region is effective. See Configuring ACL TCAM Region Sizes, on page 240.

Guidelines and Limitations for DAI

DAI has the following configuration guidelines and limitations:
• DAI is an ingress security feature; it does not perform any egress checking.
• DAI is not effective for hosts connected to devices that do not support DAI or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, you should separate the domain with DAI from domains without DAI. This separation secures the ARP caches of hosts in the domain with DAI.
• When you use the feature dhcp command to enable the DHCP feature, there is a delay of approximately 30 seconds before the I/O modules receive the DHCP or DAI configuration. This delay occurs regardless of the method that you use to change from a configuration with the DHCP feature disabled to a configuration with the DHCP feature enabled. For example, if you use the rollback feature to revert to a configuration that enables the DHCP feature, the I/O modules receive the DHCP and DAI configuration approximately 30 seconds after you complete the rollback.
• DAI is supported on access ports, trunk ports, and port-channel ports.
• The DAI trust configuration of a port channel determines the trust state of all physical ports that you assign to the port channel. For example, if you have configured a physical port as a trusted interface and then you add that physical port to a port channel that is an untrusted interface, the physical port becomes untrusted.
• When you remove a physical port from a port channel, the physical port does not retain the DAI trust state configuration of the port channel.
• When you change the trust state on the port channel, the device configures a new trust state on all the physical ports that comprise the channel.
• If you want DAI to use static IP-MAC address bindings to determine if ARP packets are valid, make sure that you have configured the static IP-MAC address bindings.
• If you want DAI to use dynamic IP-MAC address bindings to determine if ARP packets are valid, make sure that DHCP snooping is enabled.
• ARP ACLs are not supported.

Default Settings for DAI

This table lists the default settings for DAI parameters.
Table 33: Default DAI Parameters
Parameters    Default
DAI           Disabled on all VLANs.
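The guidelines above describe several rules that decide what happens to an ARP packet under DAI: checking is ingress-only, a trusted interface bypasses validation, the sender's IP-MAC pair must match a static binding or (only while DHCP snooping is enabled) a binding learned by DHCP snooping, and a physical port that joins a port channel takes the channel's trust state. The following Python model is an added illustration of those rules working together; it is not Cisco NX-OS code and not part of the guide. The class and function names, the verdict strings, and all VLAN numbers, addresses and interface names are constructed for the example. One behaviour is an assumption of the model: when a port leaves a port channel, the guide only says the port does not keep the channel's trust state, so the model resets it to the default, untrusted.

```python
"""Toy model of Dynamic ARP Inspection (DAI) decisions.

Added illustration, not Cisco NX-OS code. Every address, VLAN and interface
name below is a constructed sample value.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Binding = Tuple[int, str, str]  # (VLAN, sender IP address, lower-case sender MAC address)


@dataclass
class DaiSwitch:
    dai_vlans: Set[int] = field(default_factory=set)           # VLANs with DAI enabled (default: none)
    dhcp_snooping_enabled: bool = False
    static_bindings: Set[Binding] = field(default_factory=set)  # operator-configured IP-MAC bindings
    snooping_table: Set[Binding] = field(default_factory=set)   # bindings learned by DHCP snooping
    port_trust: Dict[str, bool] = field(default_factory=dict)   # configured trust per interface (default: untrusted)
    member_of: Dict[str, str] = field(default_factory=dict)     # physical port -> port channel it belongs to

    def effective_trust(self, port: str) -> bool:
        """A port-channel member takes the channel's trust state, whatever its own configuration says."""
        channel = self.member_of.get(port)
        if channel is not None:
            return self.port_trust.get(channel, False)
        return self.port_trust.get(port, False)

    def add_to_channel(self, port: str, channel: str) -> None:
        self.member_of[port] = channel

    def remove_from_channel(self, port: str) -> None:
        """The port does not keep the channel's trust state.
        Assumption of this model: it falls back to the default (untrusted) until configured again."""
        self.member_of.pop(port, None)
        self.port_trust[port] = False

    def valid_bindings(self) -> Set[Binding]:
        """Static bindings always count; dynamic ones only while DHCP snooping is enabled."""
        bindings = set(self.static_bindings)
        if self.dhcp_snooping_enabled:
            bindings |= self.snooping_table
        return bindings

    def inspect(self, port: str, vlan: int, sender_ip: str, sender_mac: str,
                direction: str = "ingress") -> str:
        """Return the DAI verdict for one ARP packet:
        'not-inspected', 'forward-trusted', 'forward' or 'drop'."""
        if direction != "ingress":
            return "not-inspected"      # DAI performs no egress checking
        if vlan not in self.dai_vlans:
            return "not-inspected"      # DAI is disabled on this VLAN
        if self.effective_trust(port):
            return "forward-trusted"    # trusted interfaces bypass validation
        if (vlan, sender_ip, sender_mac.lower()) in self.valid_bindings():
            return "forward"
        return "drop"                   # sender IP/MAC pair matches no known binding


def build_demo_switch() -> DaiSwitch:
    """Constructed sample state: DAI on VLAN 10, one static binding, one snooped binding,
    and an untrusted port channel."""
    sw = DaiSwitch(dai_vlans={10})
    sw.static_bindings.add((10, "10.0.10.5", "02:00:00:00:00:05"))
    sw.snooping_table.add((10, "10.0.10.7", "02:00:00:00:00:07"))
    sw.port_trust["port-channel10"] = False
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    print(sw.inspect("Ethernet1/1", 10, "10.0.10.5", "02:00:00:00:00:05"))  # forward (static binding)
    print(sw.inspect("Ethernet1/1", 10, "10.0.10.5", "02:00:00:00:00:99"))  # drop (MAC does not match the binding)
    print(sw.inspect("Ethernet1/1", 10, "10.0.10.7", "02:00:00:00:00:07"))  # drop (DHCP snooping disabled)
    sw.dhcp_snooping_enabled = True
    print(sw.inspect("Ethernet1/1", 10, "10.0.10.7", "02:00:00:00:00:07"))  # forward (dynamic binding)
    sw.port_trust["Ethernet1/2"] = True
    sw.add_to_channel("Ethernet1/2", "port-channel10")
    print(sw.effective_trust("Ethernet1/2"))                                  # False (channel is untrusted)
```

The third `inspect` call is the case the guidelines warn about: the binding exists in the snooping table, but because DHCP snooping is disabled DAI cannot use it and the packet is dropped. The final two lines show a port configured as trusted becoming untrusted the moment it joins an untrusted port channel.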
