DAI - Dynamic ARP Inspection

(config)#ip arp inspection vlan 2 <--- Inspect ARP within the VLAN 2

You can create a ARP Access List and map the IP to MAC, and apply it to DAI:
 (config)#arp access-list ARP_ACL_20
 (config-arp-nacl)#permit ip host 20.1.1.2 mac host 0000.1111.1111
 (config-arp-nacl)#permit ip host 20.1.1.3 mac host 0000.3333.3333
And now APPLY:
 (config)#ip arp inspection filter ARP_ACL_20 vlan 2

 #show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    2     Enabled          Active      ARP_ACL_20         No

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    2     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    2              0              0              0              0

The switch CPU performs dynamic ARP inspection validation checks; therefore,
the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.
(config-if)#ip arp inspection limit rate 5 <--- DEFAULT IS 15 PPS (packets per second)

#show ip arp inspection interfaces

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi3/0/1          Untrusted                5                 1 <--- THE CHANGED ONE
 Gi3/0/2          Untrusted               15                 1 <--- 15 pps IS THE DEFAULT VALUE

To monitor the DROPPED packets due to DAI:
(config)#ip arp inspection log-buffer logs 0 interval 5 <--- LOG 0 - NO SYSTEM MESSAGE GENERATED

Check the log for details:
#show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 0 entries per 5 seconds.

ACE Load Balancer SSL Certificate Part I, Generate the CSR


ACE Load Balancer SSL Certificate Part I, Generate the CSR (Certificate Signing Request)

You have more than one Real Servers, and its much more practical to install an SSL certificate once, on the ACE Load Balancer, then to install it on each and any of the Servers within the Balanced Service.


The CSR is needed for generate or order a new certificate. New certificates are generated by Certificates Authorities (CA) using the CSR as a seed for the certificate generation.

In order to terminate the SSL certificate on the Load Balancer, a few steps must be performed.


Step 1 Define and Configure the Parameters

First thing we need to do is to generate the CSR based on the RSA key and a set of parameters that we need to define and configure on the ACE Load Balancer in the Global Configuration mode:

  (config)# crypto csr-params CSR_CISQUEROS
  (config-csr-params)# country SP
  (config-csr-params)# state MA
  (config-csr-params)# locality MADRID
  (config-csr-params)# organization-name CISQUEROS TECHNOLOGY
  (config-csr-params)# organization-unit NETWORKS
  (config-csr-params)# common-name prevol.cisqueros.blogspot.com
  (config-csr-params)# email cisqueros@blogspot.com


Step 2 Generate the RSA key (2048 in this example)


LB_ACTIVE# crypto generate key 2048 CISQUEROSRSAKEY.PEM
LB_ACTIVE# show crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
… … …
CISQUEROSRSAKEY.PEM                    1675  PEM     Yes         KEY
… … …
T1-LBA-01 # show crypto key CISQUEROSRSAKEY.PEM
1024 bit RSA keypair found in CISQUEROSRSAKEY.PEM
Modulus:
9b:d1:06:75:ad:54:8b:81:e5:72:56:58:f9:fc:79:bd:07:51:c2:8b:52:01:bf:8e:c9:8b:20:61:30:7a:4b:62:f7:c3:c3:04:37:b8:46:3e:68:af:21:55:fa:82:e6:a7:58:f6:b0:2b:a2:7e:ac:59:3c:7c:2f:a8:a1:f3:3e:f5:92:9f:56:40:04:cc:ce:4c:33:1d:04:69:51:b6:a5:4a:f7:5a:47:a7:b9:3d:8c:81:
aa:09:83:6f:58:3b:f9:08:f8:33:7c:10:bf:b5:16:61:cc:81:18:4c:a1:39:fe:ac:21:45:4c:20:02:44:44:df:08:68:33:af:0c:99:1b:8d:


Step 3 Generate the CSR Key

CSR is generated from the key and the CSR parameter map, "crypto generate csr" generates the PKCS10 CSR in PEM format and outputs the CSR to the screen
LB_ACTIVE # crypto generate csr CSR_CISQUEROS CISQUEROSRSAKEY.PEM
-----BEGIN CERTIFICATE REQUEST-----
MIIC/DCCAeQCAQAwgbYxCzAJBgNVBAYTAklUMQswCQYDVQQIEwJNSTEPMA0GA1UE
BxMGTUlMQU5PMSQwIgYDVQQKExtHSUUgQVhBIFRFQ0hOT0xPR1kgU0VSVklDRVMx
GDAWBgNVBAsTD1NFUlZJQ0UgQ09OVFJPTDEdMBsGA1UEAxMUcHJldm9sLmF4YS1p
dGFsaWEuaXQxKjAoBgkqhkiG9w0BCQEWG2VtYW51ZWxlLmNhbnR1QGF4YS10ZWNo
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALF38eazErvgTOl7
hP3sAboRGvXzee6+4aTpmC+ZTjeboLkfrehfZfYdEyhgBdu6trM8vxiL6Urzlgj4
RGdUlAfUgHwaXmTOO3QgqsgvdRpyk14lYecN2DytgP1ibq9w3h5MyOP+CfI6Huhv
DyQBILJlSepnJUFOhEOR2YRGdW0HTGgZWCykaUQb3GZSLGHMN5jAzPfvX1WTZNxM
PDQOYsGZ45MssciQp7pl8sXX1xBCvNNuJx1T28LTjA0+ikuFjKyDmfMXpYB8n4oO
76KsdII033zfNZBZQLcTE4rk5nuHfjmfziu5bmk9mqwX3zOughiWTovXxVI960iR
25ZzGa0CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4IBAQBdQnM2H+iA4TLQWmYqv8Y5
AEL4pYpdBJDvnMvIVMrG3d8lOJe7AkMHPsTGovd+1fbVh8xw+xRc/nsUfmZmWLCM
LeuLAEhdODPP+vNx3sE3cL2rD/eg+eTXLi5ZrdOlojsknuCihxTq/4fo5DimGr2C
8HNAX+x9NyXOPEjK4AdGsP2NOVfPOAr2dHHv7g7OeDo2ElDXmfXtTdL7NZ8NRJoX
8VDlARGp0zNhh/Urn6oFat4MkhyIfvh8wKCA1uQ4jX19NsfdTjjGaI/Y4q6mpTm9
XqisIh5QKQ/3XJI8gz4YSNF5wegI4XQ6Qwp1QQzQozA2y9Qouu7xqKC0eQKv1dYl
-----END CERTIFICATE REQUEST-----

TIP: CSR is not saved on the Load Balancer. Should you have the need to have it again, you will have to generate it one more time using the same steps.

TIP2: The only thing that the Certificate Authority is interesed in, and what you absolutely must send them is the content between the following two lines in the CSR:
 -----BEGIN CERTIFICATE REQUEST-----
And
 -----END CERTIFICATE REQUEST-----
  Step 4 Export the CSR Key to the Standby Load-Balancer

Export the RSA Key to the standby load-balancer,  in order to avoid desynchronization when saving. First export the RSA key from the original load-balancer:

LB_ACTIVE# crypto export CISQUEROSRSAKEY.PEM terminal

MIICXQIBAAKBgQCb0QZ1rVSLgeVyVlj5/Hm9B1HCi1IBv47JiyBhMHpLYvfDwwQ3
uEY+aK8hVfqC5qdY9rAron6sWTx8L6ih8z71kp9WQATMzkwzHQRpUbalSvdaR6e5
PYyBqgmDb1g7+Qj4M3wQv7UWYcyBGEyhOf6sIUVMIAJERN8IaDOvDJkbjQIDAQAB
AoGBAI3CFYZqM0jY3M6xEDIfKQJ47kF4TxuYE2f5U3QYjqqXV6KagfPPitislOhX
OJpvDkE57f1E0MosRYMWOO1eSB/nvvAIod2Fcj9VZoTexKgyykukzZStYvwaEKKV
pdMaoK31H9olTj2zTl6vzzYs59q0YCEPmp1hvr1A1mMKrQ8BAkEAzXSF5RdLBEuD
isc20/z3FkW+tkJwkeNEoTem1knqSVtQTdTVaGjULgtIexJF8NzHdHf1tYYw6w2o
AESr85j2uQJBAMImR+PeDtyWFOatVeqI+ofgFootW6cPUOaNzBVlY7ehhz2ytRWn
9Neu3tW0v85p0iSZCSH+TdPozn65uIW2oXUCQHAVdopRV8qDC8MlBSNHKOEMsYsq
2dCs5J7zBmB3OIpGd5vOVZI9RivMWgFSKbfKKkG+w9wA1iUVcSacUBZ3x3kCQQCY
v9mL1CfJMWNcYj/YeNDzmkDhkfIsLAawfht1MgIUdcebqUCDu1MNZo33gW/vDJ7D
IIxo7FV7Rg1A8wnUWe4JAkBP8dj2BSY2SCsGPZ7VlaJQBalpxdQIMF52bLdsWNAK
LAakpQffg4I2t8MHNKYPuxMfSsmHPkzrNaDpN9Ohk21J
-----END RSA PRIVATE KEY-----

Then copy it to the other (Standby) load-balancer using the command: crypto import terminal CISQUEROSRSAKEY.PEM

LB_STANDBY# crypto import terminal NAME_OF_THE_KEY.KEY
Please enter PEM formatted data. End with "quit" on a new line.
 -----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEAuDU2bvtOg1PiVKxIdvgZHaURfS+Df/eCq+Y7ASRY8PV7vGpl
 ZfDKVh48TTSu7SsMXSlAf0Rrmn67xnbOL13lIth/C7GgCdHYyX4QB+vdhYN10x8M
 PEUQbQlHS8urFBnQsph8CV/2oUjSWUz/UhqLZidsuddaNUiqN2ZFdO/Baa54laKX
YoGWBYwcRbsL+cirrt/7Xh4/vqXzVjAvBacLcSm7nQ5kArVWI8hFYFDiubEIN2LO
 YoGWBYwcRbsL+cirrt/7Xh4/vqXzVjAvBacLcSm7nQ5kArVWI8hFYFDiubEIN2LO
 keV7eoQxaM1rsvyS5WrB3tBzELI6zpTJVWNkSrLVRR2o6kOx/pM/hms4RzLIO87E
 TGMAzCnNLrQ8PpBESPGMLLjnyXo1iPPFIqz+NwIDAQABAoIBAQCCllasfsO+Hi2J
 UUld7awAdBDd6l0Szuh37JNPz/CtgZnijJqtlfIa8vxUz1BjGe197cynbF3L/KQp
 ofexZKMX/Nqz84w86eMBlLjQpMk56WQR8yS9ZUirw7Qja5MwgMyOj8L+8mTpGbLl
 U8x87Ax+stxFMwHkXEsvUvVSXNWEkNGZRafziJ5X+Skw6EFHOGHlJG1KoyHdTfrr
 KijxTDvMSSu4HzOrKSZTgJ3W3Vg963rdvWmhc9lH2VcwcmABtl1yZNCmEvzYVbqO
 s1ipO2tVeFUD5WC3x03rhKOWwF0XVTe/+W57J6i4EZkAuEfrFIfE1YEh5jGftG+E
 esVIszmBAoGBAPFBfuKV7V/zn4+lJc3SsL9FE9g4ay1Cqx6+d/474HlV9YxT1ba7
 09APF5aNnZjeaH0AqgaSm0uErpgkCVzKTweVXNeQj2j3/DTVZaa5hutSt8CFwY8K
 tl5YuG3obH6GL0+bGBdX0fPw7NGtaPggpihi4pgSOTck98hMcRGeXBPxAoGBAMN3
 MBu4t6RVz7bHf5vqbc8c85kt2iWt27VET/uQPlrIJmjN9HwdFnTuA9WNDpXEmvLi
 qG5BNGV0RB1p1EywFkNYroeGxI+TyvfG5jqV7pCMDOuNeBEpMGq1bFtfmUYyjaXe
 y4jORUD2KK1hgSxtR5xourQ7yJo9McjxE1IwZ7ynAoGACjciv0dn6LMxI2zzv9ZX
 A5JSN8qTxzPWeRPJkutIIvsfzZRTLUyguGObNRXEAZARTpGzoVmd18HDfs+v0c0D
 MagCaWJGoEQ32qjaiAe9DcPP4ggH3R2wASiyjnzT8zuNT0qa54oharnd3TcBhdgk
 EPu26oeDArG/CC0scHmLHpECgYATrDdHUvwIqipRtxp80sdihQNvc1H1YN4wDEQQ
 iZ/8+xAClFf69eKAukPghmXlZPhDYdSZ5C4l1+HTJAeeAEr9VDucoE/AM5vF/FrH
 ord0DORwALkI4SBiXQge2ixPCF+BRj8t8bS+qQfHC304v3bpoxDHewzhmS8djkXn
 i7+lGQKBgAvj9zNIWlAmoAGZISt1LMi+MHn2YjWGOUw3HHeX4G8W57s5IpfjOo+u
 xPP7TGErKkfjTx1BaMR6NhsLlAV0fGURS4U38NcFLaUE1Npa3wOwVOPMcJ8Ozmb9
 MNMqY3s2fZ+W9buRAwdK+8dzkSyNnkDlRDKv5Ey5eVCm2Lp0FzHZ
 -----END RSA PRIVATE KEY-----

Most Popular Posts