If it identifies a bad (spoofed) ARP packet it will simply drop the packet before it is forwarded or added to the CAM table.

DAI is enabled on a per-VLAN basis with:

    ip arp inspection vlan 100
    end

and then to verify the configuration:

    show ip arp inspection vlan 100

We can also set a limit on the maximum number of ARP requests received per second. By default this is usually 10, however on busy networks I usually like to increase this to 100, although this will of course vary greatly depending on your network!

    int range gi0/1-48
    ip arp inspection limit rate 100

By default all ports are untrusted, but if for example we had a trunk to another switch that was hooked up to a load of servers with statically assigned IPs we might wish to trust a port:

    int g0/15
    ip arp inspection trust

Now, since DAI relies on the DHCP snooping binding database, any static IPs will be absent from it, and when DAI is enabled you will see something like the following in the logs:

    *Mar 1 00:44:05.783: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/4, vlan 100.([0001.807c.1234/10.111.111.111/54ee.7534.1234/10.111.111.1/00:44:05 UTC Mon Mar 1 1993])

So in order to exclude these hosts configured with static IPs (for example routers, servers, printers etc.) we can create an ARP ACL to use as a DAI filter:

    arp access-list mydaifilter
    permit ip host 10.0.0.1 mac host 54ee.7534.1234
    exit

and then apply the filter:

    ip arp inspection filter mydaifilter vlan 100

and to verify the entry we can use:

    show ip arp inspection vlan 100

Finally we can check whether any ARP packets are being dropped by defining a buffer size and turning on the logging with:

    conf t
    ip arp inspection log-buffer entries 512
    end

and then review the log with something like:

    show ip arp inspection log
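As an added example (not code from the original post), here is a small Python triage script for the %SW_DAI deny messages above: it parses each line and separates denies explained by a static host you already intend to permit in the ARP ACL from denies that warrant a closer look. The field order inside the brackets (sender MAC / sender IP / target MAC / target IP / timestamp), the STATIC_HOSTS map and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# %SW_DAI-4-DHCP_SNOOPING_DENY message as seen above. Assumption: the bracketed
# fields are sender MAC / sender IP / target MAC / target IP / timestamp.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs "
    r"\((?P<kind>Req|Res)\) on (?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
    r"(?P<ts>[^\]]+)\]\)"
)
# Static hosts (MAC -> IP) you intend to permit in the ARP ACL. Constructed.
STATIC_HOSTS = {"0001.807c.1234": "10.111.111.111"}

# Constructed sample log: the deny from the post, a deny from an unknown MAC
# claiming the gateway address 10.111.111.1, and an unrelated syslog line.
SAMPLE_LOG = [
    "*Mar 1 00:44:05.783: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/4, "
    "vlan 100.([0001.807c.1234/10.111.111.111/54ee.7534.1234/10.111.111.1/00:44:05 UTC Mon Mar 1 1993])",
    "*Mar 1 00:44:09.101: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi0/7, "
    "vlan 100.([aaaa.bbbb.cccc/10.111.111.1/0000.0000.0000/10.111.111.50/00:44:09 UTC Mon Mar 1 1993])",
    "*Mar 1 00:44:10.000: %SYS-5-CONFIG_I: Configured from console by console",
]

def parse_dai_deny(line):
    """Return the fields of one DAI deny message as a dict, or None for other lines."""
    m = DAI_DENY_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["count"], ev["vlan"] = int(ev["count"]), int(ev["vlan"])
    return ev

def triage(lines, static_hosts):
    """Split denies into 'expected' (sender MAC/IP is a known static host that just
    needs an ARP ACL entry) and 'suspect' (anything else, e.g. a MAC claiming an IP
    it does not own). Counts are keyed by (interface, sender MAC, sender IP)."""
    expected, suspect = Counter(), Counter()
    for line in lines:
        ev = parse_dai_deny(line)
        if ev is None:
            continue
        key = (ev["intf"], ev["smac"], ev["sip"])
        bucket = expected if static_hosts.get(ev["smac"]) == ev["sip"] else suspect
        bucket[key] += ev["count"]
    return expected, suspect

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, STATIC_HOSTS))
```

Feed it the output of `show ip arp inspection log` or your syslog collector; the "expected" bucket is the list of `permit ip host ... mac host ...` entries still missing from the ARP ACL, the "suspect" bucket is what to investigate.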