Dai Configuration Guidelines And Restrictions; Dai Configuration Example - Lenovo RackSwitch G8264 Application Manual

DAI Configuration Guidelines and Restrictions

DAI Configuration Example

408
G8264 Application Guide for ENOS 8.4
When configuring DAI, follow these guidelines and restrictions:
 DAI is an ingress security feature; it does not perform any egress checking.
 DAI is not effective for hosts connected to switches that do not support DAI or
that do not have this feature enabled. Because man‐in‐the‐middle attacks are
limited to a single Layer 2 broadcast domain, separate the domain with DAI
checks from the one with no checking. This action secures the ARP caches of
hosts in the domain enabled for DAI.
 DAI depends on the entries in the DHCP snooping binding database to verify
IP‐to‐MAC address bindings in incoming ARP requests and ARP responses.
 For non‐DHCP environments, for each static IP address add a static DHCP
Snooping binding entry with the biggest lease time in order not to expire.
 Ports belonging to a port‐channel must have the same trust state.
Following is the configuration for the example in Figure
SwitchA(config)# interface port 1­3
SwitchA(config­if)# switchport access vlan 2
SwitchA(config)# interface port 1­2
SwitchA(config­if)# ip arp inspection trust
SwitchA(config­if)# exit
SwitchA(config)# interface port 3
SwitchA(config­if)# no ip arp inspection trust
SwitchA(config­if)# exit
SwitchA(config)# ip arp inspection vlan 2
SwitchB(config)# interface port 2­3
SwitchB(config­if)# switchport access vlan 2
SwitchB(config)# interface port 2
SwitchB(config­if)# ip arp inspection trust
SwitchB(config­if)# exit
SwitchB(config)# interface port 3
SwitchB(config­if)# no ip arp inspection trust
SwitchB(config­if)# exit
SwitchB(config)# ip arp inspection vlan 2
36.