DAI - Dynamic ARP Inspection

(config)#ip arp inspection vlan 2 <--- Inspect ARP within the VLAN 2

You can create an ARP access list that maps each IP address to its MAC address, and apply it to DAI:
 (config)#arp access-list ARP_ACL_20
 (config-arp-nacl)#permit ip host 20.1.1.2 mac host 0000.1111.1111
 (config-arp-nacl)#permit ip host 20.1.1.3 mac host 0000.3333.3333
And now APPLY:
 (config)#ip arp inspection filter ARP_ACL_20 vlan 2

 #show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    2     Enabled          Active      ARP_ACL_20         No

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    2     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    2              0              0              0              0

The switch CPU performs dynamic ARP inspection validation checks; therefore,
the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.
(config-if)#ip arp inspection limit rate 5 <--- DEFAULT IS 15 PPS (packets per second)

#show ip arp inspection interfaces

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi3/0/1          Untrusted                5                 1 <--- THE CHANGED ONE
 Gi3/0/2          Untrusted               15                 1 <--- 15 pps IS THE DEFAULT VALUE

To monitor the DROPPED packets due to DAI:
(config)#ip arp inspection log-buffer logs 0 interval 5 <--- LOG 0 - NO SYSTEM MESSAGE GENERATED

Check the log for details:
#show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 0 entries per 5 seconds.
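As an added illustration (not from the original post and not Cisco code), a small Python model of the order in which DAI decides the fate of one ARP packet on an untrusted port: per-interface rate limit, then the ARP ACL (first ACE matching both IP and MAC wins), then, unless the ACL was applied with the static keyword, the DHCP snooping bindings. The ARP_ACL_20 entries, the 5 pps and 15 pps rates and the interface names come from the page; DHCP_BINDINGS, the Interface class and inspect_arp are assumptions made for the example.

```python
from dataclasses import dataclass, field

# ARP ACL from the page as ordered ACEs: (action, sender IP, sender MAC)
ARP_ACL_20 = [("permit", "20.1.1.2", "0000.1111.1111"),
              ("permit", "20.1.1.3", "0000.3333.3333")]

# Constructed DHCP snooping binding table (assumption; not shown on the page)
DHCP_BINDINGS = {"20.1.1.10": "0000.aaaa.aaaa"}


@dataclass
class Interface:
    name: str
    trusted: bool = False
    rate_limit: int = 15                       # pps; 15 is the default on the page
    seen: dict = field(default_factory=dict)   # second -> ARP packets seen (burst interval 1)
    dropped: int = 0


def inspect_arp(intf, sender_ip, sender_mac, second, acl=ARP_ACL_20,
                bindings=DHCP_BINDINGS, static_acl=False):
    """Return (verdict, reason) for one ARP packet, in DAI's order of checks:
    trusted ports skip everything; untrusted ports are rate limited, then
    matched against the ARP ACL, and only when no ACE matches (and the ACL is
    not 'static') against the DHCP snooping bindings."""
    if intf.trusted:
        return "forward", "trusted"
    intf.seen[second] = intf.seen.get(second, 0) + 1
    if intf.seen[second] > intf.rate_limit:
        intf.dropped += 1
        return "drop", "rate-limit"        # a real switch also err-disables the port
    mac = sender_mac.lower()
    for action, ip, ace_mac in acl:        # first ACE matching both IP and MAC wins
        if ip == sender_ip and ace_mac == mac:
            if action == "permit":
                return "forward", "acl-permit"
            intf.dropped += 1
            return "drop", "acl-deny"       # counted under "ACL Drops"
    if static_acl:                         # 'static': the implicit deny drops the packet
        intf.dropped += 1
        return "drop", "acl-implicit-deny"
    if bindings.get(sender_ip) == mac:
        return "forward", "dhcp-binding"
    intf.dropped += 1
    return "drop", "no-binding"            # counted under "DHCP Drops"
```

Feeding the same untrusted port six packets inside one second with the page's rate of 5 pps shows the sixth dropped for rate-limit, which is the case the log buffer in the section above is meant to capture.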
