Monday, September 24, 2018

Sanity Check - DAI / IPSG

Hello!

I have Dynamic ARP Inspection and IP Source Guard implemented on my campus. We are using Cisco 3750X, running IOS 15.2(4)E5.

Edit: Yes, I know that DHCP hosts use DHCP snooping binding table. I am not concerned about that.

For static IP devices, I was always under the impression that I needed to do all of the following, to make it work with both DAI and IPSG.

arp access-list DAI-Vlan1234
 permit ip host 1.2.3.4 mac host feed.dead.beef
ip arp inspection filter DAI-Vlan1234 vlan 1234
ip arp inspection vlan 1234
ip source binding feed.dead.beef vlan 1234 1.2.3.4 interface Gi1/0/1

However, I came across a switch that was missing the "ip arp inspection filter" command - yet everything was still working. (Even after clearing ARP cache). Further testing led me to the below (much simpler) configuration, which also seems to work.

ip arp inspection vlan 1234
ip source binding feed.dead.beef vlan 1234 1.2.3.4 interface Gi1/0/1

This has now made me believe that DAI uses the following sources for its information:

  • DHCP Snooping binding table
  • ARP Access list (if configured with the "ip arp inspection filter" command)
  • All available "ip source binding" commands

Can anyone verify that this is true? Obviously, my testing shows that it is - but I was looking to see if it was a fluke, some oddity that I don't know about, or intended behavior.

Thanks for your input!
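As an added set of verification steps (not part of the original post), the IOS commands below show which source DAI actually credits for a static host; they reuse the post's VLAN 1234, MAC feed.dead.beef, IP 1.2.3.4 and interface Gi1/0/1.

```cisco
! Added example, not from the original post; values reuse the post's
! VLAN 1234, MAC feed.dead.beef, IP 1.2.3.4 and interface Gi1/0/1.
!
! 1. Confirm the static binding exists. "show ip source binding" lists
!    both DHCP-learned and static entries, while "show ip dhcp snooping
!    binding" lists only DHCP-learned ones, so the static host should
!    appear in the first output and not in the second.
show ip source binding
show ip dhcp snooping binding
!
! 2. Confirm DAI is active on the VLAN and see whether an ARP ACL is
!    attached. With no "ip arp inspection filter" configured, the
!    "ACL Match" column is empty and only the binding database is used.
show ip arp inspection vlan 1234
!
! 3. Clear the counters, have the static host send ARP (for example by
!    pinging its gateway), then read the per-VLAN statistics. A permit
!    credited under "DHCP Permits" means the binding database satisfied
!    DAI; one under "ACL Permits" means the ARP ACL did.
clear ip arp inspection statistics vlan 1234
show ip arp inspection statistics vlan 1234
!
! 4. Check IPSG on the port separately; the bound address should show
!    as active with the configured filter type on Gi1/0/1.
show ip verify source interface GigabitEthernet1/0/1
```

Running step 3 once with the ARP ACL attached and once without is the direct way to tell whether the static binding alone is what DAI is using.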


