NOTE
You must save the configuration and reload the software to place the change into effect.
• There is a limit on the number of static ARP inspection entries that can be configured. This is determined by the system-max parameter max-static-inspect-arp-entries. The maximum value is 1024 and the default value is 512. Changing the system max values requires a system reload.
• ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP Inspection (DAI) are enabled.
• DAI is supported on a VLAN without a VE, or on a VE with or without an assigned IP address.
• DAI is supported on LAG ports.
Dynamic ARP Inspection configuration
Configuring DAI consists of the following steps.
1. Configure inspection ARP entries for hosts on untrusted ports. Refer to Configuring an inspection ARP entry
2. Enable DAI on a VLAN to inspect ARP packets. Refer to on page 33.
3. Configure the trust settings of the VLAN members. ARP packets received on trusted ports bypass the DAI validation process. ARP packets received on untrusted ports go through the DAI validation process. Refer to
4. Enable DHCP snooping to populate the DHCP snooping IP-to-MAC address binding database.
Dynamic ARP inspection is disabled by default and the trust setting for ports is by default untrusted.
Configuring an inspection ARP entry
Static ARP and static inspection ARP entries must be configured for hosts on untrusted ports. Otherwise, when DAI checks ARP packets from these hosts against entries in the ARP table, it will not find any entries for them, and the Brocade device will not allow or learn ARP from an untrusted host.
To configure an inspection ARP entry, enter a command such as the following.
device(config)# arp 10.20.20.12 0000.0002.0003 inspection
This command defines an inspection ARP entry in the static ARP table, mapping the device IP address 10.20.20.12 to its MAC address 0000.0002.0003. The ARP entry is moved to the ARP table once DAI receives a valid ARP packet.
Dynamic ARP Inspection must be enabled to use static ARP inspection entries.
Syntax: [no] arp ip-addr mac-addr inspection
The ip-addr mac-addr parameter specifies a device IP address and MAC address pairing.
Enabling DAI on a VLAN
DAI is disabled by default. To enable DAI on an existing VLAN, enter the following command.
device(config)# ip arp inspection vlan 2
The command enables DAI on VLAN 2. ARP packets from untrusted ports in VLAN 2 will undergo DAI inspection.
Syntax: [no] ip arp inspection vlan vlan-number
The vlan-number variable specifies the ID of a configured VLAN.
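The following audit script is an added example, not part of the Brocade guide. It checks a saved configuration against the constraints stated above: the entry limit, the requirement that DAI be enabled for inspection entries to be used, and well-formed IP/MAC pairings. The function name audit_dai and the sample configuration are constructed for illustration, and it assumes the saved configuration stores the two commands in the same form as they are typed.

```python
import re

# Command forms documented on this page (saved-config layout is an assumption):
#   arp <ip-addr> <mac-addr> inspection   /   ip arp inspection vlan <vlan-number>
ARP_RE = re.compile(r"^arp\s+(\S+)\s+(\S+)\s+inspection$")
VLAN_RE = re.compile(r"^ip\s+arp\s+inspection\s+vlan\s+(\d+)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
DEFAULT_LIMIT, MAX_LIMIT = 512, 1024  # max-static-inspect-arp-entries default / maximum


def audit_dai(config_text, limit=DEFAULT_LIMIT):
    """Return (entries, dai_vlans, findings) for a saved configuration."""
    if limit > MAX_LIMIT:
        raise ValueError(f"limit cannot exceed {MAX_LIMIT}")
    entries, dai_vlans, findings, count = {}, set(), [], 0
    for raw in config_text.splitlines():
        line = raw.strip()
        vlan = VLAN_RE.match(line)
        if vlan:
            dai_vlans.add(int(vlan.group(1)))
            continue
        arp = ARP_RE.match(line)
        if not arp:
            continue  # unrelated configuration line
        ip, mac = arp.group(1), arp.group(2).lower()
        ip_ok = IP_RE.match(ip) and all(int(o) <= 255 for o in ip.split("."))
        if not (ip_ok and MAC_RE.match(mac)):
            findings.append(f"malformed inspection ARP entry: {line}")
            continue
        count += 1
        if entries.get(ip, mac) != mac:  # same IP pinned to a different MAC
            findings.append(f"conflicting MACs for {ip}: {entries[ip]} and {mac}")
        entries[ip] = mac
    if count > limit:
        findings.append(f"{count} inspection ARP entries exceed the limit of {limit}")
    if entries and not dai_vlans:  # entries are only used when DAI is enabled
        findings.append("inspection ARP entries configured but DAI is not enabled on any VLAN")
    return entries, dai_vlans, findings


# Constructed sample configuration (not taken from a real device)
SAMPLE = """\
ip arp inspection vlan 2
arp 10.20.20.12 0000.0002.0003 inspection
arp 10.20.20.13 0000.0002.0004 inspection
arp 10.20.20.12 0000.0002.00ff inspection
arp 10.20.20.300 0000.0002.0005 inspection
"""
```

Calling audit_dai(SAMPLE) reports the conflicting pairing for 10.20.20.12 and the malformed 10.20.20.300 entry; pass limit= when the system-max value has been changed from the default.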
Dynamic ARP inspection
Brocade FastIron Layer 3 Routing Configuration Guide
53-1003903-04
33