Configuration Examples For Dai; Two Devices Support Dai; Configuring Device A - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x
Configuration Examples for DAI

Two Devices Support DAI

These procedures show how to configure DAI when two devices support DAI.
Figure 17: Two Devices Supporting DAI
The following figure shows the network configuration for this example. Host 1 is connected to device A, and
Host 2 is connected to device B. Both devices are running DAI on VLAN 1 where the hosts are located. A
DHCP server is connected to device A. Both hosts acquire their IP addresses from the same DHCP server.
Device A has the bindings for Host 1 and Host 2, and device B has the binding for Host 2. Device A Ethernet
interface 2/3 is connected to device B Ethernet interface 1/4.
DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings
in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets
that have dynamically-assigned IP addresses.
• This configuration does not work if the DHCP server is moved from device A to a different location.
• To ensure that this configuration does not compromise security, configure Ethernet interface 2/3 on
device A and Ethernet interface 1/4 on device B as trusted.

Configuring Device A

To enable DAI and configure Ethernet interface 2/3 on device A as trusted, follow these steps:
Step 1
While logged into device A, verify the connection between device A and device B.
switchA# show cdp neighbors
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device,
                  s - Supports-STP-Dispute
Device ID        Local Intrfce   Hldtme  Capability  Platform       Port ID
switchB          Ethernet2/3     177     R S I       WS-C2960-24TC  Ethernet1/4
switchA#
Step 2
Enable DAI on VLAN 1 and verify the configuration.

Configuring Dynamic ARP Inspection
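The binding check and the trusted inter-switch link from the two-device example above, modeled in Python as an added example (not code or output from the Cisco guide). The host addresses and access-port names are constructed placeholders, and the model assumes DAI only compares the sender IP-to-MAC pair against the DHCP snooping bindings.

```python
from dataclasses import dataclass, field

# Constructed sample values (not from the guide): documentation-range addresses
# and hypothetical access ports; only Ethernet2/3 and Ethernet1/4 are the guide's.
H1 = ("192.0.2.11", "00:00:5e:00:53:01")   # Host 1, attached to device A
H2 = ("192.0.2.12", "00:00:5e:00:53:02")   # Host 2, attached to device B
A_ACCESS, B_ACCESS = "Ethernet2/1", "Ethernet1/1"

@dataclass
class Switch:
    """Simplified DAI model for one VLAN (assumption: IP-to-MAC check only)."""
    bindings: dict                           # sender IP -> MAC from DHCP snooping
    trusted: set = field(default_factory=set)

    def inspect(self, port, sender_ip, sender_mac):
        if port in self.trusted:             # trusted ports bypass inspection
            return "permit (trusted port)"
        if self.bindings.get(sender_ip) == sender_mac:
            return "permit (binding match)"
        return "drop (no matching binding)"

def scenario(trust_link):
    """Verdicts for the two-device topology, with or without the trusted link."""
    # Device A holds bindings for Host 1 and Host 2; device B only for Host 2.
    a = Switch(dict([H1, H2]), {"Ethernet2/3"} if trust_link else set())
    b = Switch(dict([H2]), {"Ethernet1/4"} if trust_link else set())
    return {
        # Legitimate ARP from Host 1, forwarded by A and arriving at B.
        "host1_at_B": b.inspect("Ethernet1/4", *H1),
        # Legitimate ARP from Host 2, forwarded by B and arriving at A.
        "host2_at_A": a.inspect("Ethernet2/3", *H2),
        # Mismatched pairs on access ports: Host 1's MAC with Host 2's IP, and
        # the reverse. Access ports stay untrusted, so both are still inspected.
        "mismatch_at_A": a.inspect(A_ACCESS, H2[0], H1[1]),
        "mismatch_at_B": b.inspect(B_ACCESS, H1[0], H2[1]),
    }

if __name__ == "__main__":
    for trust in (False, True):
        print(f"inter-switch link trusted: {trust}")
        for name, verdict in scenario(trust).items():
            print(f"  {name:14} {verdict}")
```

With the link untrusted, device B drops Host 1's legitimate ARP because it holds no binding for Host 1. Trusting Ethernet 2/3 and Ethernet 1/4 permits that traffic while mismatched pairs on the access ports of both devices are still dropped.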
