(config)#ip arp inspection vlan 2 <--- Inspect ARP within the VLAN 2
You can create an ARP access list that maps each IP address to its MAC address, and apply it to DAI:
(config)#arp access-list ARP_ACL_20
(config-arp-nacl)#permit ip host 20.1.1.2 mac host 0000.1111.1111
(config-arp-nacl)#permit ip host 20.1.1.3 mac host 0000.3333.3333
Now apply it to the VLAN:
(config)#ip arp inspection filter ARP_ACL_20 vlan 2
#show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan  Configuration  Operation  ACL Match   Static ACL
----  -------------  ---------  ---------   ----------
2     Enabled        Active     ARP_ACL_20  No

Vlan  ACL Logging  DHCP Logging  Probe Logging
----  -----------  ------------  -------------
2     Deny         Deny          Off

Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
2     0          0        0           0
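To make the ACL's effect on the counters above concrete, here is an added example (not from the original post and not Cisco code) that classifies ARP packets on an untrusted port against the two ARP_ACL_20 entries. It assumes the documented behaviour that a non-static filter ("Static ACL: No" above) falls through to the DHCP snooping bindings when no entry matches, while a filter applied with the `static` keyword has an implicit deny; the function names, the sample packets and the binding table are constructed for illustration.

```python
import re

# The two ARP ACL entries from the post, as typed at (config-arp-nacl)#.
ACL_TEXT = """\
permit ip host 20.1.1.2 mac host 0000.1111.1111
permit ip host 20.1.1.3 mac host 0000.3333.3333
"""
ENTRY = re.compile(r"^(permit|deny) ip host (\S+) mac host (\S+)$")

def parse_acl(text):
    """Return [(action, ip, mac), ...] for host-to-host ARP ACL entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries

def classify(acl, sender_ip, sender_mac, static=False, dhcp_bindings=None):
    """Return 'forwarded', 'acl_drop' or 'dhcp_drop' for one ARP packet."""
    sender_mac = sender_mac.lower()
    for action, ip, mac in acl:          # first matching entry wins
        if ip == sender_ip and mac == sender_mac:
            return "forwarded" if action == "permit" else "acl_drop"
    if static:
        return "acl_drop"                # implicit deny, bindings never consulted
    # Non-static filter: the DHCP snooping binding table decides (assumed model).
    if (dhcp_bindings or {}).get(sender_ip) == sender_mac:
        return "forwarded"
    return "dhcp_drop"

def tally(acl, packets, **kwargs):
    """Count outcomes the way the Forwarded / DHCP Drops / ACL Drops columns do."""
    counts = {"forwarded": 0, "acl_drop": 0, "dhcp_drop": 0}
    for ip, mac in packets:
        counts[classify(acl, ip, mac, **kwargs)] += 1
    return counts

# Constructed sample traffic (sender IP, sender MAC) seen in VLAN 2.
PACKETS = [
    ("20.1.1.2", "0000.1111.1111"),  # matches the first permit entry
    ("20.1.1.3", "0000.3333.3333"),  # matches the second permit entry
    ("20.1.1.2", "0000.2222.2222"),  # permitted IP announced by another MAC
    ("20.1.1.9", "0000.9999.9999"),  # host that is not in the ACL at all
]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print("non-static:", tally(acl, PACKETS))
    print("static:    ", tally(acl, PACKETS, static=True))
```

With no DHCP snooping bindings present, the mismatched and unknown senders show up under DHCP Drops for the non-static filter and under ACL Drops for a static one, which is worth knowing when reading the statistics table.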
The switch CPU performs dynamic ARP inspection validation checks; therefore,
the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.
(config-if)#ip arp inspection limit rate 5 <--- DEFAULT IS 15 PPS (packets per second)
#show ip arp inspection interfaces
Interface        Trust State  Rate (pps)  Burst Interval
---------------  -----------  ----------  --------------
Gi3/0/1          Untrusted    5           1               <--- THE CHANGED ONE
Gi3/0/2          Untrusted    15          1               <--- 15 pps IS THE DEFAULT VALUE
To monitor the packets DROPPED by DAI:
(config)#ip arp inspection log-buffer logs 0 interval 5 <--- LOG 0 - NO SYSTEM MESSAGE GENERATED
Check the log for details:
#show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 0 entries per 5 seconds.