11-08-2018 08:02 AM - edited 03-08-2019 04:34 PM
For DAI, if I have all clients in a VLAN and have an SVI acting as the gateway for the VLAN, in respect to DAI is the SVI classed as a trusted interface? From tests it looks like it is trusted, but can someone confirm please? If not, then I guess I could use an ARP ACL, but if I don't need to then I would rather not.
e.g.
interface Vlan10
 ip address x.x.x.x
interface FastEthernet1/0/1
 switchport access vlan 10
ip arp inspection vlan 10
so...
int f1/0/1 = untrusted
int vlan 10 = ??
Thanks
Ryan
11-08-2018 11:45 AM
11-12-2018 04:24 AM
Hi CF, thanks for the response. I can't map the switchport as a DAI trusted port, as it's an L3 port, so not technically a switchport. I have an ARP ACL I use for the printers; I can add an ACE to use for the SVI as well, but I wanted to know if this was actually needed. There is no harm in having it, I would have thought, but I was curious to see if it was actually needed.
I think I will lab it up to confirm...
Thanks again
Ryan
11-08-2018 06:44 PM
You would need both the following commands on your up-link port for successful Snooping/DAI/IPSG.
interface TenGigabitEthernet1/0/1
 ip arp inspection trust
 ip dhcp snooping trust
11-12-2018 04:29 AM
Hi Paul, thanks for the response.
I have those commands on the physical uplinks; it's the SVI (Switched Virtual Interface) I was querying.
https://learningnetwork.cisco.com/thread/62241
This is technically an L3 interface, so I cannot add the commands to this interface. I am just curious, as this is technically part of the switch itself, whether it would be implicitly trusted from a DAI perspective... I suspect it will be.
I think I will lab it up and do some testing, as I can't find any information about this.
Thanks again
Ryan
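Worked example of the ARP ACL approach the thread discusses (added here; this is not configuration from the original posts or from Cisco). It assumes a single client VLAN 10 with an SVI gateway, a trusted uplink on TenGigabitEthernet1/0/1, one statically addressed printer and the gateway itself as static entries. The VLAN number, interface names, the ACL name STATIC-HOSTS, and the IP and MAC addresses are all constructed for illustration. Because `ip arp inspection trust` is an interface-level command for L2 ports, the SVI gets no trust statement; instead its address is added as an ACE alongside the printer, which is the "belt and braces" option Ryan describes, and the `show` commands at the end let you confirm which ports DAI actually treats as trusted before and after labbing it up.

```cisco
! --- Global: DHCP snooping supplies the bindings DAI uses for dynamic hosts ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Inspect ARP in VLAN 10 and additionally validate MAC/IP consistency
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! --- ARP ACL for hosts that never use DHCP (constructed sample addresses) ---
! sender-ip / sender-mac pairs permitted without a DHCP snooping binding
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.1 mac host 0011.2233.4455   ! SVI gateway (assumed address)
 permit ip host 10.10.10.50 mac host 0011.2233.aabb  ! printer (assumed address)
! Apply the ACL to the VLAN. With the "static" keyword the ACL is authoritative:
! anything not matched is dropped rather than falling back to the snooping table.
ip arp inspection filter STATIC-HOSTS vlan 10 static

! --- Uplink toward the rest of the network: trusted for both snooping and DAI ---
interface TenGigabitEthernet1/0/1
 description Uplink
 ip arp inspection trust
 ip dhcp snooping trust

! --- Client port: untrusted (the default); every ARP it sends is inspected ---
interface FastEthernet1/0/1
 switchport access vlan 10
 ! rate-limit inbound ARP so a scanning host errdisables only its own port
 ip arp inspection limit rate 15

! --- SVI: L3 interface, no "ip arp inspection trust" available here ---
interface Vlan10
 ip address 10.10.10.1 255.255.255.0

! --- Verification (run after configuring and again during the lab test) ---
! Lists each port's trust state and rate limit; Vlan10 will not appear here.
! show ip arp inspection interfaces
! Shows whether inspection and the STATIC-HOSTS filter are active for VLAN 10.
! show ip arp inspection vlan 10
! Forwarded/dropped counters, including "ACL Permits" and "ACL Drops".
! show ip arp inspection statistics vlan 10
```

Check the statistics output while a client pings the gateway: if the gateway's ARP replies were being inspected and denied, the DHCP Drops or ACL Drops counter for VLAN 10 would increase and the client would lose connectivity; with the gateway ACE in place, any such replies land in ACL Permits instead.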