Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX (OL-4266-08)
Chapter 38
Configuring Dynamic ARP Inspection

Enabling DAI Error-Disabled Recovery

To enable DAI error disabled recovery, perform this task:

        Command                                                                   Purpose
Step 1  Router# configure terminal                                                Enters global configuration mode.
Step 2  Router(config)# errdisable recovery cause arp-inspection                  (Optional) Enables DAI error disabled recovery (disabled by default).
        Router(config)# no errdisable recovery cause arp-inspection               Disables DAI error disabled recovery.
Step 3  Router(config)# do show errdisable recovery | include Reason|---|arp-     Verifies the configuration.

This example shows how to enable DAI error disabled recovery:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# errdisable recovery cause arp-inspection
Router(config)# do show errdisable recovery | include Reason|---|arp-
ErrDisable Reason    Timer Status
-----------------    --------------
arp-inspection       Enabled

Enabling Additional Validation

DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can
enable additional validation on the destination MAC address, the sender and target IP addresses, and the
source MAC address.

To enable additional validation, perform this task:

        Command                                                                   Purpose
Step 1  Router# configure terminal                                                Enters global configuration mode.
Step 2  Router(config)# ip arp inspection validate {[dst-mac] [ip] [src-mac]}     (Optional) Enables additional validation (default is none).
        Router(config)# no ip arp inspection validate {[dst-mac] [ip] [src-mac]}  Disables additional validation.
Step 3  Router(config)# do show ip arp inspection | include abled$                Verifies the configuration.

When enabling additional validation, note the following information:

• You must specify at least one of the keywords.
• Each ip arp inspection validate command overrides the configuration from any previous
  commands. If an ip arp inspection validate command enables src and dst mac validations, and a
  second ip arp inspection validate command enables IP validation only, the src and dst mac
  validations are disabled as a result of the second command.
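The override rule for ip arp inspection validate is easy to trip over when a change script or template issues the command more than once. The following is an added example, not part of the Cisco guide: a small Python check that replays an ordered list of global-configuration commands and reports the validation checks and error-disabled recovery state that remain in effect. The function name replay, the sample command list, and the treatment of the no form as clearing all additional validation are assumptions made for this illustration.

```python
import re

CHECKS = {"src-mac", "dst-mac", "ip"}
VALIDATE = re.compile(r"^(no )?ip arp inspection validate\b(.*)$")
RECOVERY = re.compile(r"^(no )?errdisable recovery cause arp-inspection$")

def replay(commands):
    """Replay global-config commands in order; return the resulting DAI state."""
    checks, recovery, warnings = set(), False, []   # both features default to off
    for number, raw in enumerate(commands, 1):
        line = " ".join(raw.split())                # normalise whitespace
        m = VALIDATE.match(line)
        if m:
            keywords = m.group(2).split()
            # The guide requires at least one keyword; reject unknown ones too.
            if not keywords or set(keywords) - CHECKS:
                raise ValueError(f"command {number}: need one or more of {sorted(CHECKS)}")
            # Assumption: the "no" form switches all additional validation off.
            new = set() if m.group(1) else set(keywords)
            lost = checks - new
            if lost and not m.group(1):
                # A later positive command replaced, not extended, the earlier one.
                warnings.append(f"command {number} silently disables {sorted(lost)}")
            checks = new
            continue
        m = RECOVERY.match(line)
        if m:
            recovery = m.group(1) is None
    return {"validate": sorted(checks), "recovery": recovery, "warnings": warnings}

# Constructed sample change script (not taken from the guide).
SAMPLE = [
    "errdisable recovery cause arp-inspection",
    "ip arp inspection validate src-mac dst-mac",
    "ip arp inspection validate ip",
]

if __name__ == "__main__":
    state = replay(SAMPLE)
    print(state)
    missing = sorted(CHECKS - set(state["validate"]))
    if missing:
        print("not validated after replay:", missing)
```

To keep all three checks active, list every keyword on a single ip arp inspection validate command.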