
Static DAI on Nexus 5k?

rsjordan00
Level 1

We rely on static DAI with arp access lists to control the IP to MAC bindings on our public VLANs. This is our way of preventing a bad server admin or compromised server from "claiming" an IP that doesn't belong to it.

On our IOS access switches, we used something like this:

! Enable DAI on the public VLANs
ip arp inspection vlan 100-102
! Bind each VLAN to its ARP ACL; "static" means ARP packets that match no permit
! entry are dropped instead of falling back to the DHCP snooping binding table
ip arp inspection filter vlan100arp vlan 100 static
ip arp inspection filter vlan101arp vlan 101 static
ip arp inspection filter vlan102arp vlan 102 static
!
! One permitted IP/MAC pair per host
arp access-list vlan100arp
 permit ip host 1.2.3.4 mac host aaaa.bbbb.cccc
arp access-list vlan101arp
 permit ip host 2.3.4.5 mac host bbbb.cccc.dddd
arp access-list vlan102arp
 permit ip host 3.4.5.6 mac host cccc.dddd.eeee

We're now staging a new access layer built on Nexus 5k and 2k fabric extenders. We are running 5.2(1)N1(3) on the 5ks. I enabled the DHCP feature and was able to run "ip arp inspection vlan 100-102" but it won't accept "ip arp inspection filter" or "arp access-list" commands. It almost looks like I'm missing a feature because the commands aren't even available. I checked the docs and found the following in command reference for arp access-list:

"As of Cisco NX-OS Release 5.1(3)N1(1), an ARP access list is supported only for Control Plane Policing (CoPP). The deny command is ignored for CoPP ARP ACLs."

So based on this, it doesn't look like static DAI on Nexus is possible. Should I be using IP Source Guard instead? We don't do DHCP, so I don't think we would be any less secure running IP Source Guard. It is a bit more management in that we now must do a per interface ACL as opposed to a per VLAN ACL.

2 Replies

rsjordan00
Level 1

I opened a TAC case (624322809) and they confirmed that "arp access-list" is no longer supported. They said a bug request has been submitted to update the documentation accordingly.

I guess I'll use IP Source Guard instead. I think it will help more in the long run; I just wanted to avoid using two different features across our two access layers.
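The IP Source Guard configuration the thread settles on, written out as an added NX-OS example (this is not configuration from the original posts or from Cisco documentation, and it has not been pasted from a running 5k). It reuses the three IP/MAC pairs from the IOS ARP ACLs in the question; the FEX port names Ethernet101/1/1, Ethernet101/1/2 and Ethernet102/1/1, the uplink port-channel1, and the choice of static `ip source binding` entries as the binding source are assumptions. Because IP Source Guard filters only IP packets, `ip arp inspection` is left enabled on the VLANs: on NX-OS, DAI validates ARP against the DHCP snooping binding table, and the static bindings populate that same table.

```cisco
! Added example: NX-OS replacement for the IOS static DAI config.
! Interface names and the port-channel are assumptions; substitute your own.
feature dhcp
ip dhcp snooping
ip dhcp snooping vlan 100-102
! Keep DAI on: IP Source Guard does not inspect ARP, so a rogue host could still
! answer ARP for someone else's IP without it.
ip arp inspection vlan 100-102
!
! Static bindings replace the per-VLAN arp access-lists. One entry per host:
! IP, MAC, VLAN, and the exact port the host is attached to.
ip source binding 1.2.3.4 aaaa.bbbb.cccc vlan 100 interface Ethernet101/1/1
ip source binding 2.3.4.5 bbbb.cccc.dddd vlan 101 interface Ethernet101/1/2
ip source binding 3.4.5.6 cccc.dddd.eeee vlan 102 interface Ethernet102/1/1
!
! Server-facing FEX ports: untrusted, IP Source Guard enforces the binding per port.
interface Ethernet101/1/1
  switchport access vlan 100
  ip verify source dhcp-snooping-vlan
interface Ethernet101/1/2
  switchport access vlan 101
  ip verify source dhcp-snooping-vlan
interface Ethernet102/1/1
  switchport access vlan 102
  ip verify source dhcp-snooping-vlan
!
! Uplink toward the core: trusted for snooping and DAI, and no ip verify source.
interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan 100-102
  ip dhcp snooping trust
  ip arp inspection trust
!
! Checks after applying:
!   show ip dhcp snooping binding     - the three static entries should be listed
!   show ip verify source             - each server port should show filtering active
!   show ip arp inspection vlan 100   - DAI enabled on the VLAN
```

Two caveats worth knowing before rolling this out: a port with `ip verify source` and no binding drops all IP traffic from the host on it, so add the bindings before enabling the interface command, not after; and because the binding names the interface, moving a server to another FEX port silently blocks it until the binding is updated, which is the per-port bookkeeping the question anticipates.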

Thanks for the update. The thing to remember is that the Nexus line of products was originally designed for data centers and it is just a few years old, and not all layer-2 and layer-3 functions from IOS have been transferred to NX-OS. So, if you are planning to use these switches in the access layer, you would need to research all the functions you are currently using and make sure they are supported in the Nexus line. It is, for example, very important to know that none of the Nexus devices support PoE at this time. So, if you are planning to connect any PoE-capable device to these switches, it is definitely a show stopper.

HTH
