D-Link DGS-6600-48TS Configuration Guide - Page 456
Dynamic ARP Inspection Configuration Commands, IP ARP inspection trust
Volume 8-Security & Authentication / Chapter 42-Dynamic ARP Inspection

Appropriate processing of packets that pass the inspection and sending them to their destinations

Whether an ARP packet is valid can be checked against the DHCP snooping binding database. For details, refer to DHCP Snooping Configuration.

Dynamic ARP Inspection Configuration Commands

IP ARP inspection trust

ARP packets are checked according to the trust status of each port on the device. The DAI check is skipped for packets received through trusted ports, and those packets are treated as legal ARP packets. The DAI check is strictly performed on ARP packets received through untrusted ports.

In a typical network configuration, a layer 2 port connected to a network device should be set as a trusted port, and a layer 2 port connected to a host device should be set as an untrusted port.

Use the command ip arp inspection trust to trust an interface for dynamic ARP inspection. Use the no form of the command to disable the trust state.

When an interface is in the ip arp inspection trust state, ARP packets arriving at the interface are not inspected. When an interface is in the ip arp inspection untrusted state, ARP packets that arrive at the port and belong to a VLAN enabled for inspection are inspected.

Example

This example shows how to configure port 3.3 to be trusted for DAI:

    DGS-6600# configure terminal
    DGS-6600(config)# interface eth3.3
    DGS-6600(config-if)# ip arp inspection trust
    DGS-6600(config-if)#

IP ARP inspection validate

Use the ip arp inspection validate command to specify the additional checks to be performed during the ARP inspection check.

Syntax Description    Explanation
src-mac               (Optional) For both ARP request and response packets, check the consistency of the source MAC address in the Ethernet header against the sender MAC address in the ARP payload.
dst-mac               (Optional) For ARP response packets, check the consistency of the destination MAC address in the Ethernet header against the target MAC address in the ARP payload.
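The decision logic described on this page (trusted-port bypass, the src-mac and dst-mac checks, then the binding lookup), as an added Python sketch that is not taken from the D-Link manual or firmware. The function names, the representation of the binding table as a sender-IP-to-MAC dictionary, the restriction to untagged frames and all sample addresses are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Parse an untagged Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"eth_dst": mac(dst), "eth_src": mac(src), "oper": oper,
            "sender_mac": mac(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac(tha)}

def inspect(frame, trusted, bindings, validate=("src-mac", "dst-mac")):
    """Return (verdict, reason) for one ARP frame received on a port."""
    if trusted:  # trusted ports bypass DAI entirely
        return "forward", "trusted port"
    try:
        p = parse_arp(frame)
    except ValueError as exc:
        return "drop", str(exc)
    # src-mac: requests and responses, Ethernet source vs ARP sender MAC
    if "src-mac" in validate and p["eth_src"] != p["sender_mac"]:
        return "drop", "src-mac mismatch"
    # dst-mac: responses only (opcode 2), Ethernet destination vs ARP target MAC
    if "dst-mac" in validate and p["oper"] == 2 and p["eth_dst"] != p["target_mac"]:
        return "drop", "dst-mac mismatch"
    # Assumption: a binding maps sender IP -> MAC learned by DHCP snooping
    if bindings.get(p["sender_ip"]) != p["sender_mac"]:
        return "drop", "no matching binding"
    return "forward", "passed inspection"

def build(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Construct a sample frame (test data, not captured traffic)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return (h(eth_dst) + h(eth_src)
            + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
            + h(sha) + IPv4Address(spa).packed + h(tha) + IPv4Address(tpa).packed)

HOST, GW, OTHER = "02:00:00:00:00:0a", "02:00:00:00:00:01", "02:00:00:00:00:66"
BINDINGS = {"192.0.2.10": HOST}  # constructed binding table
GOOD = build(GW, HOST, 2, HOST, "192.0.2.10", GW, "192.0.2.1")
HDR_MISMATCH = build(GW, OTHER, 2, HOST, "192.0.2.10", GW, "192.0.2.1")
UNBOUND = build(GW, OTHER, 2, OTHER, "192.0.2.1", GW, "192.0.2.10")
```

With validate=() the HDR_MISMATCH frame passes on the binding lookup alone, which is the gap the optional src-mac check closes; on a trusted port every one of these frames is forwarded without inspection.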