Dell Force10 MXL Blade Configuration Manual page 185

Configuration guide for the mxl 10/40gbe switch io module

denial of service—an attacker can send fraudulent ARP messages to a client to associate a false MAC
address with the gateway address, which blackholes all internet-bound packets from the client.
Note: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of
SystemFlow. One CAM entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16
VLANs on a system. You can configure 10 to 16 DAI-enabled VLANs by allocating more CAM space to
the L2SysFlow region before enabling DAI.
Note: SystemFlow has 102 entries by default. This region consists of two sub-regions: L2Protocol
and L2SystemFlow. L2Protocol has 87 entries; L2SystemFlow has 15 entries. Six L2SystemFlow entries
are used by Layer 2 protocols, leaving 9 for DAI. L2Protocol can have a maximum of 100 entries. This
region must be expanded to capacity before you can increase the size of L2SystemFlow. This is relevant
when you are enabling DAI on VLANs. If, for example, you want to enable DAI on 16 VLANs, you need
seven more entries; in this case, reconfigure the SystemFlow region for 122 entries:
layer-2 eg-acl value fib value frrp value ing-acl value learn value l2pt value qos value system-flow 122
Note: The logic is as follows:
L2Protocol has 87 entries by default and must be expanded to its maximum capacity, 100 entries, before
L2SystemFlow can be increased; therefore 13 more L2Protocol entries are required. L2SystemFlow has
15 entries by default, but only nine are for DAI; to enable DAI on 16 VLANs, seven more entries are
required:
87 L2Protocol + 13 additional L2Protocol + 15 L2SystemFlow + 7 additional L2SystemFlow equals 122.
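The sizing rule in the note above, worked through in Python as an added example (not code from the Dell manual): it returns the SystemFlow region size needed for a given number of DAI-enabled VLANs, enforcing the constraint that L2Protocol must be filled to its 100-entry maximum before L2SystemFlow can grow. Function and constant names are my own; the numbers are the ones stated on this page.

```python
# Added example: SystemFlow CAM sizing for Dynamic ARP Inspection (DAI) on the MXL.
# Constants are the defaults and limits stated in the manual's notes.
L2PROTOCOL_DEFAULT = 87        # L2Protocol sub-region entries by default
L2PROTOCOL_MAX = 100           # L2Protocol must reach this before L2SystemFlow grows
L2SYSTEMFLOW_DEFAULT = 15      # L2SystemFlow sub-region entries by default
L2SYSTEMFLOW_RESERVED = 6      # entries consumed by Layer 2 protocols, not DAI
DAI_MAX_VLANS = 16             # platform limit: DAI on at most 16 VLANs


def dai_default_capacity() -> int:
    """DAI VLANs that fit without touching the CAM allocation (15 - 6 = 9)."""
    return L2SYSTEMFLOW_DEFAULT - L2SYSTEMFLOW_RESERVED


def allocation_plan(dai_vlans: int) -> dict:
    """Break down the SystemFlow allocation needed for `dai_vlans` DAI-enabled VLANs.

    One L2SystemFlow entry is needed per DAI-enabled VLAN. If the default
    capacity is exceeded, L2Protocol is first expanded to its maximum and
    L2SystemFlow then grows by the shortfall, exactly as the manual's
    16-VLAN example (87 + 13 + 15 + 7 = 122) does.
    """
    if not 0 <= dai_vlans <= DAI_MAX_VLANS:
        raise ValueError(f"DAI supports 0..{DAI_MAX_VLANS} VLANs, got {dai_vlans}")
    extra_l2sysflow = max(0, dai_vlans - dai_default_capacity())
    if extra_l2sysflow == 0:
        # Default allocation already suffices; no reconfiguration needed.
        l2protocol, l2sysflow = L2PROTOCOL_DEFAULT, L2SYSTEMFLOW_DEFAULT
    else:
        l2protocol = L2PROTOCOL_MAX
        l2sysflow = L2SYSTEMFLOW_DEFAULT + extra_l2sysflow
    return {
        "l2protocol": l2protocol,
        "l2systemflow": l2sysflow,
        "extra_l2protocol": l2protocol - L2PROTOCOL_DEFAULT,
        "extra_l2systemflow": extra_l2sysflow,
        "system_flow": l2protocol + l2sysflow,   # value for `system-flow <n>`
        "reconfigure": extra_l2sysflow > 0,
    }


def system_flow_entries_for(dai_vlans: int) -> int:
    """Total SystemFlow region size to pass as the `system-flow` value."""
    return allocation_plan(dai_vlans)["system_flow"]


if __name__ == "__main__":
    for n in (9, 10, 16):
        print(n, "DAI VLANs ->", allocation_plan(n))
```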
Step  Task                                                   Command Syntax   Command Mode
1     Enable DHCP snooping.
2     Validate ARP frames against the DHCP snooping          arp inspection   INTERFACE VLAN
      binding table.
Note: Dynamic ARP Inspection (DAI) may sometimes filter ARP traffic from valid clients in the DHCP
snooping binding table.
To view the number of entries in the ARP database, use the show arp inspection database command
(Figure 9-12).
Figure 9-12. Command example: show arp inspection database
FTOS#show arp inspection database
Protocol  Address      Age(min)  Hardware Address   Interface  VLAN   CPU
----------------------------------------------------------------------------
Internet  10.1.1.251   -         00:00:4d:57:f2:50  Te 0/2     Vl 10  CP
Internet  10.1.1.252   -         00:00:4d:57:e6:f6  Te 0/1     Vl 10  CP
Internet  10.1.1.253   -         00:00:4d:57:f8:e8  Te 0/3     Vl 10  CP
Internet  10.1.1.254   -         00:00:4d:69:e8:f2  Te 0/50    Vl 10  CP
FTOS#
Dynamic Host Configuration Protocol (DHCP) | 183
