Dynamic ARP inspection

tedauction
Level 1

Hello, regarding the feature DAI dynamic ARP inspection (part of DHCP snooping).

Will this feature drop traffic that does not have a DHCP snooping binding database table entry?

For instance, if you have a statically configured computer that has not generated a DHCP table entry, will DAI drop or allow traffic from this machine?

In other words, does DAI only care about ARP 'conflicts' with the DHCP table?

Accepted Solutions

For a system on an untrusted port, you need a binding. This can come from the DHCP-snooping database (preferred) or from a static entry. If possible, configure your "static" system with DHCP and a reservation on the DHCP server.

For the static approach, you configure an arp-acl and apply that to DAI:

! ARP ACL binding the static host's IP to its MAC
arp access-list DAI-VL10
 permit ip host 10.10.10.1 mac host aaaa.bbbb.cccc
!
! Apply the ARP ACL to DAI on VLAN 10
ip arp inspection filter DAI-VL10 vlan 10
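
The decision described in the answer can be modelled as follows. This is an added example, not part of the original reply or Cisco code: a simplified Python model of how DAI treats an ARP packet, which goes beyond the post by including the documented order (ARP ACL first, then DHCP snooping bindings) and the optional "static" keyword on the filter. Port names and every address except the DAI-VL10 entry are assumed lab values, and the binding check is reduced to VLAN, sender IP and sender MAC.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    vlan: int
    port: str
    sender_ip: str
    sender_mac: str

# Constructed lab state (assumed values; only the DAI-VL10 entry is from the post).
DAI_VLANS = {10}                  # ip arp inspection vlan 10
TRUSTED_PORTS = {"Gi1/0/48"}      # uplink with "ip arp inspection trust"
SNOOPING = {(10, "10.10.10.50", "0011.2233.4455")}  # DHCP-learned binding
ARP_ACL = {10: [("permit", "10.10.10.1", "aaaa.bbbb.cccc")]}  # DAI-VL10

def dai_verdict(pkt, acl_static=False):
    """Return 'forward' or 'drop' for one ARP packet (simplified model)."""
    # DAI only inspects ARP on enabled VLANs, and only on untrusted ports.
    if pkt.vlan not in DAI_VLANS or pkt.port in TRUSTED_PORTS:
        return "forward"
    # 1. The ARP ACL is checked first; an entry needs IP and MAC to match.
    for action, ip, mac in ARP_ACL.get(pkt.vlan, []):
        if (ip, mac) == (pkt.sender_ip, pkt.sender_mac):
            return "forward" if action == "permit" else "drop"
    # 2. With "static", the ACL's implicit deny is final; bindings are ignored.
    if acl_static and pkt.vlan in ARP_ACL:
        return "drop"
    # 3. Otherwise the DHCP snooping binding database decides.
    key = (pkt.vlan, pkt.sender_ip, pkt.sender_mac)
    return "forward" if key in SNOOPING else "drop"

# Constructed sample ARP packets, all arriving on access ports unless noted.
SAMPLES = {
    "static+acl": Arp(10, "Gi1/0/1", "10.10.10.1", "aaaa.bbbb.cccc"),
    "static-only": Arp(10, "Gi1/0/2", "10.10.10.2", "dddd.eeee.ffff"),
    "dhcp-client": Arp(10, "Gi1/0/3", "10.10.10.50", "0011.2233.4455"),
    "spoofed": Arp(10, "Gi1/0/4", "10.10.10.1", "dead.beef.0001"),
    "uplink": Arp(10, "Gi1/0/48", "10.10.10.2", "dddd.eeee.ffff"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} {dai_verdict(pkt)}")
```

The "static-only" case is the machine from the question: with no ARP ACL entry and no snooping binding, its ARP packets are dropped on an untrusted port.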
