Saturday, June 9, 2012

DAI Commands


| Command | Purpose |
| --- | --- |
| ip arp inspection vlan vlan-range | Global command to enable DAI on this switch for the specified VLANs. |
| [no] ip arp inspection trust | Interface subcommand that enables (with the no form) or disables DAI on the interface. |
| ip arp inspection filter arp-acl-name vlan vlan-range [static] | Global command to refer to an ARP ACL that defines static IP/MAC address pairs to be checked by DAI for that VLAN (step 2). |
| ip arp inspection validate {[src-mac] [dst-mac] [ip]} | Enables additional optional checking of ARP messages (per steps 3-5 in the preceding list). |
| ip arp inspection limit {rate pps [burst interval seconds] \| none} | Limits the ARP message rate to prevent DoS attacks carried out by sending a large number of ARPs. |
  • DAI automatically sets a limit of 15 ARP messages per port per second to mitigate that risk.
  • Use ip arp inspection limit to change this default value.
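
The commands in the table above, placed in the configuration modes where they are entered. This is an added example, not part of the original post. The VLAN numbers, interface names, ACL name, addresses and rate values are assumptions, as are the DHCP snooping and arp access-list commands, which the table does not list but which DAI relies on for its bindings and ARP ACLs.

```cisco
! Constructed example: VLANs 10 and 20, interface names, the ACL name and
! all addresses are placeholders chosen for illustration.
!
! DAI checks ARP messages against the DHCP snooping binding table,
! so DHCP snooping is enabled for the same VLANs first (assumption).
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! ARP ACL for a statically addressed host that has no DHCP snooping binding.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0000.5e00.5301
!
! Enable DAI on the VLANs and point VLAN 10 at the ARP ACL.
! Without the static keyword, ARP messages the ACL does not match
! are still compared with the DHCP snooping bindings.
ip arp inspection vlan 10,20
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Optional extra checks. List every wanted keyword in one command,
! because a later validate command replaces the earlier one.
ip arp inspection validate src-mac dst-mac ip
!
! Uplink to another switch: trusted, so DAI does not inspect ARP here.
interface GigabitEthernet0/1
 ip arp inspection trust
!
! Access port: untrusted, so DAI inspects ARP here. The rate limit is
! raised from the default of 15 pps to 30 pps averaged over 2 seconds.
interface GigabitEthernet0/2
 no ip arp inspection trust
 ip arp inspection limit rate 30 burst interval 2
!
! Verification from exec mode:
!   show ip arp inspection vlan 10
!   show ip arp inspection interfaces
!   show ip arp inspection statistics
```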