Logging Invalid Packets
By default, DAI writes a log message to the normal buffered log for each invalid ARP packet it
drops. You can configure DAI to not log invalid packets for specific VLANs.
Packet Forwarding
DAI forwards valid ARP packets whose destination MAC address is not local. The ingress VLAN
could be a switching or routing VLAN. ARP requests are flooded in the VLAN. ARP responses are
unicast toward their destination. DAI queries the MAC address table to determine the outgoing
port. If the destination MAC address is local, DAI gives valid ARP packets to the ARP application.
Rate Limiting
To protect the switch from DHCP attacks when DAI is enabled, the DAI application enforces a rate
limit for ARP packets received on untrusted interfaces. DAI monitors the receive rate on each
interface separately. If the receive rate exceeds a configurable limit, DAI error-disables the
interface, which effectively brings the interface down. You can use the set port enable command
to re-enable the port.
You can configure both the rate and the burst interval. The default rate is 15 pps on each untrusted
interface, with a range of 0 to 100 pps. The default burst interval is 1 second, with a range of 1 to 15
seconds. The rate limit cannot be set on trusted interfaces, since ARP packets received on trusted
interfaces do not reach the CPU.
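The per-interface rate limiting described above, modelled as an added example (not code from the SecureStack C3 guide). It assumes that the limit is rate x burst-interval ARP packets within any window of burst-interval seconds, that trusted interfaces are never counted, and that interface names such as ge.1.1 are constructed labels.

```python
from collections import deque


class DaiRateLimiter:
    """Per-interface ARP rate limiter with DAI-style error-disable (constructed model)."""

    def __init__(self, rate_pps=15, burst_interval=1, trusted=()):
        # Ranges follow the guide: 0-100 pps, 1-15 second burst interval.
        if not 0 <= rate_pps <= 100:
            raise ValueError("rate must be 0-100 pps")
        if not 1 <= burst_interval <= 15:
            raise ValueError("burst interval must be 1-15 seconds")
        self.rate = rate_pps
        self.burst = burst_interval
        self.trusted = set(trusted)
        self.arrivals = {}      # interface -> deque of arrival timestamps in the window
        self.disabled = set()   # error-disabled interfaces

    def receive_arp(self, interface, t):
        """Account one ARP packet arriving on `interface` at time `t` (seconds).

        Returns 'trusted', 'accepted', 'errdisabled' or 'dropped'.
        """
        if interface in self.trusted:
            return "trusted"        # trusted-port ARP never reaches the CPU; no limit applies
        if interface in self.disabled:
            return "dropped"        # port stays down until set port enable
        window = self.arrivals.setdefault(interface, deque())
        window.append(t)
        # Discard arrivals older than one burst interval (assumed window semantics).
        while window and window[0] <= t - self.burst:
            window.popleft()
        if len(window) > self.rate * self.burst:
            self.disabled.add(interface)
            window.clear()
            return "errdisabled"
        return "accepted"

    def set_port_enable(self, interface):
        """Operator re-enables an error-disabled port."""
        self.disabled.discard(interface)


def run_burst(dai, interface, count, spacing, start=0.0):
    """Feed `count` ARP packets `spacing` seconds apart; return the per-packet verdicts."""
    return [dai.receive_arp(interface, start + i * spacing) for i in range(count)]


if __name__ == "__main__":
    # Constructed traffic: 20 ARP requests in under one second on an untrusted port.
    limiter = DaiRateLimiter(trusted={"ge.1.48"})
    print(run_burst(limiter, "ge.1.1", 20, 0.05))
```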
Eligible Interfaces
Dynamic ARP inspection is enabled per VLAN, effectively enabling DAI on the members of the
VLAN, either physical ports or LAGs. Trust is specified on the VLAN members.
DAI cannot be enabled on port-based routing interfaces. Such an interface may be connected to:
• A single host through a trusted link (for example, a server)
• Multiple hosts, in which case there must be a switch between the router and the hosts, with DAI enabled on that switch
Interaction with Other Functions
• DAI relies on the DHCP snooping application to verify that a {IP address, MAC address, VLAN, interface} tuple is valid.
• DAI registers with dot1q to receive notification of VLAN membership changes for the VLANs where DAI is enabled.
• DAI tells the driver about each untrusted interface (physical port or LAG) where DAI is enabled so that the hardware will intercept ARP packets and send them to the CPU.
Dynamic ARP Inspection Overview
SecureStack C3 Configuration Guide 17-17