Cisco Systems 4500 Switch User Manual


46-5
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 46 Configuring Dynamic ARP Inspection
Port Channels Function
A given physical port can join a channel only when the trust state of the physical port and of the channel
match. Otherwise, the physical port remains suspended in the channel. A channel inherits its trust state
from the first physical port that joined the channel. Consequently, the trust state of the first physical port
need not match the trust state of the channel.
Conversely, when the trust state is changed on the channel, the new trust state is configured on all the
physical ports that comprise the channel.
The rate limit check on port channels is unique. The rate of incoming packets on a physical port is
checked against the port channel configuration rather than the physical ports’ configuration.
The rate limit configuration on a port channel is independent of the configuration on its physical ports.
The rate limit is cumulative across all physical ports; that is, the rate of incoming packets on a port
channel equals the sum of rates across all physical ports.
When you configure rate limits for ARP packets on trunks, you must account for VLAN aggregation
because a high rate limit on one VLAN can cause a denial of service attack to other VLANs when the
port is error-disabled by software. Similarly, when a port channel is error-disabled, a high rate limit on
one physical port can cause other ports in the channel to go down.
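The following Python is an added example, not text or software from the guide or from Cisco: it models the port-channel rules just described (trust inherited from the first member, mismatched members suspended, trust pushed from the channel to its members, the rate check made against the channel's limit on the sum of member rates across all VLANs, and err-disable taking every member down) so the effect can be checked on sample numbers. Interface names, VLAN numbers, rates and the 15 pps limit are constructed sample values, and the re-bundling of a suspended port after its trust comes to match is an assumption of the model.

```python
"""Added example (not Cisco's code): a small model of the DAI port-channel rules
stated above. All interface names, VLANs and packet rates are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PhysicalPort:
    name: str
    trusted: bool
    # Incoming ARP packets per second, keyed by VLAN (a trunk carries several).
    arp_pps_by_vlan: Dict[int, int] = field(default_factory=dict)

    def total_pps(self) -> int:
        # A trunk's ARP load is the sum over every VLAN it carries.
        return sum(self.arp_pps_by_vlan.values())


@dataclass
class PortChannel:
    name: str
    limit_pps: Optional[int]          # None models an unlimited channel
    trusted: Optional[bool] = None    # unset until the first member joins
    members: List[PhysicalPort] = field(default_factory=list)
    suspended: List[PhysicalPort] = field(default_factory=list)
    errdisabled: bool = False

    def add_member(self, port: PhysicalPort) -> str:
        """The first member sets the channel's trust state; later members must match it."""
        if self.trusted is None:
            self.trusted = port.trusted
        if port.trusted == self.trusted:
            self.members.append(port)
            return "bundled"
        self.suspended.append(port)       # mismatch: suspended in the channel
        return "suspended"

    def set_trust(self, trusted: bool) -> None:
        """Trust changed on the channel is configured on every physical port in it.
        Assumption of this model: a suspended port whose trust now matches is bundled."""
        self.trusted = trusted
        for port in self.members + self.suspended:
            port.trusted = trusted
        self.members.extend(self.suspended)
        self.suspended.clear()

    def aggregate_pps(self) -> int:
        """Rate that is checked against the channel limit: the sum across bundled members."""
        return sum(port.total_pps() for port in self.members)

    def rate_check(self) -> bool:
        """Return True if the channel stays up. Only the channel's own limit is used;
        the members' individual rate-limit settings play no part."""
        if self.limit_pps is not None and self.aggregate_pps() > self.limit_pps:
            self.errdisabled = True
            return False
        return True

    def member_states(self) -> Dict[str, str]:
        """Err-disable on the channel takes every bundled member down, on every VLAN."""
        state = "err-disabled" if self.errdisabled else "up"
        return {port.name: state for port in self.members}


def scenario() -> Dict[str, object]:
    """Two members each under 15 pps on their own, but 19 pps combined (constructed)."""
    po1 = PortChannel("Po1", limit_pps=15)
    gi1 = PhysicalPort("Gi1/1", trusted=False, arp_pps_by_vlan={100: 8, 200: 2})
    gi2 = PhysicalPort("Gi1/2", trusted=True, arp_pps_by_vlan={100: 9})
    first = po1.add_member(gi1)           # sets the channel to untrusted
    second = po1.add_member(gi2)          # trusted vs. untrusted channel: suspended
    po1.set_trust(False)                  # channel trust pushed to both members
    up = po1.rate_check()                 # 19 pps against a 15 pps channel limit
    return {
        "first": first, "second": second, "channel_trusted": po1.trusted,
        "aggregate_pps": po1.aggregate_pps(), "up": up, "members": po1.member_states(),
    }


if __name__ == "__main__":
    print(scenario())
```

The scenario shows the two points a practitioner tends to miss: Gi1/2 is suspended rather than bundled until the channel's trust state matches its own, and neither member exceeds 15 pps by itself, yet the channel is error-disabled because its limit is applied to the 19 pps sum across both members and both VLANs, which takes every member down.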
Configuring Dynamic ARP Inspection
These sections describe how to configure DAI on your switch:
Configuring Dynamic ARP Inspection in DHCP Environments, page 46-5 (required)
DAI Configuration Example, page 46-7
Configuring ARP ACLs for Non-DHCP Environments, page 46-11 (optional)
Configuring the Log Buffer, page 46-14 (optional)
Limiting the Rate of Incoming ARP Packets, page 46-16 (optional)
Performing Validation Checks, page 46-19 (optional)
Configuring Dynamic ARP Inspection in DHCP Environments
This procedure shows how to configure dynamic ARP inspection when two switches support this
feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in Figure 46-3.
Both switches are running DAI on VLAN 100 where the hosts are located. A DHCP server is connected
to Switch A. Both hosts acquire their IP addresses from the same DHCP server. Switch A has the
bindings for Host 1, and Switch B has the bindings for Host 2.