cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1280
Views
0
Helpful
4
Replies

Dynamic arp inspection and SVI

RyanJohnstone
Level 1
Level 1

For DAI, if I have all clients in a VLAN and have an SVI acting as the Gateway for the VLAN, in respect to DIA is the SVI classed as a trusted interface?  From tests it looks like it is trusted but can someone confirm please?  if not, then I guess I could use an ARP ACL but if I don't need to then I would rather not.

 

e.g.

 

int vlan 10

 ip address x.x.x.x

 

int f1/0/1

 switchport access vlan 10

 

ip arp inspection vlan 10

 

so...

int f1/0/1 = untrusted

int vlan 10 = ??

 

Thanks

 

Ryan

4 Replies 4

Cisco Freak
Level 4
Level 4
Hello Ryan,


You can either map the switchport as a DAI trusted port or you can add a ARP ACL to white-list the address. Otherwise, if you have DHCP snooping configured in the switch and hosts are receiving the IP address from DHCP, then you don't have to do anything. ARP inspection will check the DHCP snooping table to permit the ARP traffic.


CF

Hi CF, thanks for response.  cant map switchport as a DAI Trusted port as its a L3 port, so not technically a switchport.  I have an ARP ACL I use for the printers, I can add an ACE to use for the SVI as well but I wanted to know if this was actually needed...there is no harm in having it I would have thought but I was curious to see if it was actually needed.

 

i think i will lab it up to confirm...

 

Thanks again

 

Ryan

 

PaulSmith
Level 1
Level 1

You would need both the following commands on your up-link port for successful Snooping/DAI/IPSG.

 

interface TenGigabitEthernet1/0/1
 ip arp inspection trust
 ip dhcp snooping trust

Hi Paul, thanks for response.

 

i have those commands on the physical uplinks, its the SVI (Switched Virtual Interface) i was querying. 

 

https://learningnetwork.cisco.com/thread/62241

 

This is technically a L3 interface so i cannot add the commands to this interface.  i am just curious as this is technically part of the switch itself whether it would be implicitly trusted from a DAI perspective...i suspect it will be.

 

I think i will lab up and do some testing as cant find any information about this

 

Thanks again

 

Ryan

 

 

 

 

 

Review Cisco Networking for a $25 gift card