DAI - Dynamic ARP Inspection
**(config)#ip arp inspection vlan 2**  <-- enable DAI, i.e. inspect ARP packets, on VLAN 2

You can create an ARP access list that maps each IP address to its MAC address, and apply it to DAI:
**(config)#arp access-list ARP_ACL_20**
**(config-arp-nacl)#permit ip host 20.1.1.2 mac host 0000.1111.1111**
**(config-arp-nacl)#permit ip host 20.1.1.3 mac host 0000.3333.3333**

And now apply it to the VLAN:

**(config)#ip arp inspection filter ARP_ACL_20 vlan 2**
```
#show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    2     Enabled          Active      ARP_ACL_20         No

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    2     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    2              0              0              0              0
```
The switch CPU performs the dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets per interface is rate-limited to prevent a denial-of-service attack against the CPU:

**(config-if)#ip arp inspection limit rate 5**  <-- the default is 15 pps (packets per second)
```
#show ip arp inspection interfaces
Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Gi3/0/1          Untrusted                5                 1   <-- the changed one
Gi3/0/2          Untrusted               15                 1   <-- 15 pps is the default value
```
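As an added example (not part of the original page), the following Python audit parses the two tables shown above, the interface trust/rate table and the per-VLAN counters from `show ip arp inspection`, and flags what an operator would want to catch: ports trusted without being on the expected uplink list, untrusted ports whose rate limit was raised above the default, and VLANs where DAI has dropped ARP packets. The sample output, the 15 pps default constant and the expected-trusted list are constructed assumptions.

```python
import re

DEFAULT_RATE_PPS = 15  # assumed default for untrusted ports, as stated on the page

# Constructed sample of "show ip arp inspection interfaces" (not captured from a real switch).
SAMPLE_INTERFACES = """\
Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Gi3/0/1          Untrusted                5                 1
Gi3/0/2          Untrusted               15                 1
Gi3/0/3          Trusted               None               N/A
"""

# Constructed sample of the per-VLAN counter block from "show ip arp inspection".
SAMPLE_VLAN_STATS = """\
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    2            120              7              0              7
    3             40              0              0              0
"""

def parse_interfaces(text):
    """Return {interface: (trust_state, rate_pps or None, burst)} from the interfaces table."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(Trusted|Untrusted)\s+(\d+|None)\s+(\d+|N/A)\s*$", line)
        if m:
            iface, trust, rate, burst = m.groups()
            rows[iface] = (trust, None if rate == "None" else int(rate), burst)
    return rows

def parse_vlan_drops(text):
    """Return {vlan: {forwarded, dropped, dhcp_drops, acl_drops}} from the counter table."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            vlan, fwd, drop, dhcp, acl = (int(x) for x in m.groups())
            stats[vlan] = {"forwarded": fwd, "dropped": drop, "dhcp_drops": dhcp, "acl_drops": acl}
    return stats

def audit(interfaces, vlan_stats, expected_trusted=()):
    """Flag unexpected trusted ports, raised rate limits, and VLANs with DAI drops."""
    findings = []
    for iface, (trust, rate, _burst) in sorted(interfaces.items()):
        if trust == "Trusted" and iface not in expected_trusted:
            findings.append(f"{iface}: trusted but not in the expected uplink list")
        elif trust == "Untrusted" and rate is not None and rate > DEFAULT_RATE_PPS:
            findings.append(f"{iface}: rate limit {rate} pps is above the default {DEFAULT_RATE_PPS}")
    for vlan, s in sorted(vlan_stats.items()):
        if s["dropped"]:
            findings.append(f"vlan {vlan}: {s['dropped']} ARP packets dropped ({s['acl_drops']} by ACL)")
    return findings
```

Run it against the real command output instead of the constructed samples, and correlate any VLAN with a non-zero drop count against `show ip arp inspection log`.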
To monitor the packets dropped by DAI, configure the log buffer:

**(config)#ip arp inspection log-buffer logs 0 interval 5**  <-- logs 0: entries are kept in the buffer but no system message is generated
Check the log for details:

```
#show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 0 entries per 5 seconds.
```