Ethernet Switches & Routers

Occasional Contributor
Posts: 11
Registered: 01-25-2011

Dynamic ARP Inspection (DAI) on an FCX stack - Trunk Question

I have an FCX stack running the R07202d image and I need to enable some sort of DAI mechanism to satisfy a PCI requirement.  As I read through the documentation, I see the following line, which concerns me:

  • Brocade recommends that you do not enable DAI on a trunk port.

Well..... Probably 90%+ of my host connections are technically "trunks" using either static trunk groups or 802.3ad link aggregation.  Do I need to be concerned?  Has anyone run into any issues with DAI and trunks?

Thanks in advance,

Chris

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Dynamic ARP Inspection (DAI) on an FCX stack - Trunk Question

Hi,

I do not know the answer, but would suggest you log a TAC ticket to find out the reason why they do not recommend it and if it applies to your setup.

Or even better, someone from Brocade could answer this question here so we can all learn.

Thanks

Michael.

Occasional Contributor
Posts: 11
Registered: 01-25-2011

Re: Dynamic ARP Inspection (DAI) on an FCX stack - Trunk Question

Well, the short answer from Brocade is that because there are multiple MAC addresses shared across the trunk ports, it could have the potential for some high CPU.  It sounds like it can technically be done, but in an 'at your own risk' and/or 'unsupported' type implementation.

So, I can't do Port Security with trunks or link aggregation....

  • "MAC port security is not supported on static trunk group members or ports that are configured for link aggregation."

I can't do DAI with trunks or link aggregation for risk of pegging the CPU.....maybe.....

  • "Brocade recommends that you do not enable DAI on a trunk port."

What options do I have in order to prevent ARP poisoning?

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Dynamic ARP Inspection (DAI) on an FCX stack - Trunk Question

Hi cmaier,

Well, DAI is the way to protect against ARP poisoning.

I suggest you baseline your setup (if you have INM or Network Advisor you can configure it to collect the CPU stats), then enable DAI and see if the CPU ever hits really high.

On very large networks I can see that this could be a problem, but if you are small to medium in size then you may be OK.  How many MAC addresses are in your tables?  If you can lab it, even better; if not, then you may have to suck it and see.

Thanks

Michael.

Occasional Contributor
Posts: 11
Registered: 01-25-2011

Re: Dynamic ARP Inspection (DAI) on an FCX stack - Trunk Question

lab.....  that's a good one...  been begging for one ever since I started here.

I have a total of 200 entries in my current ARP table.  I've been collecting CPU data for months now, so I should be able to see what this does Friday night.  I think I'll be OK, as my setup is fairly small.

So here's another question for you.  I have a handful of devices that are in an HA configuration.  As such, a single IP can share more than one MAC address.  Can I enter more than one inspection ARP entry for a single IP address, or would the best option be to just make those trusted ports?

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Dynamic ARP Inspection (DAI) on an FCX stack - Trunk Question

Hi cmaier,

I would make them trusted.  Are you using VRRP-E or VRRP?

Thanks

Michael.
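The two options discussed in the last exchange (one inspection entry per IP/MAC pair for the HA devices, or simply marking their ports trusted) can be seen side by side in a small model of how DAI decides what to do with an ARP packet. This is an added toy example, not Brocade's implementation and not a statement of what the FCX accepts; the port names, IPs and MACs are constructed, and whether the switch allows several entries for one IP is exactly the open question in the thread.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    """The three fields DAI actually checks on an ARP packet."""
    ingress_port: str
    sender_ip: str
    sender_mac: str


@dataclass
class DaiPolicy:
    # Ports whose ARP traffic bypasses inspection (uplinks, or the HA pair).
    trusted_ports: set = field(default_factory=set)
    # Inspection entries: IP -> set of MACs allowed to claim that IP.
    bindings: dict = field(default_factory=dict)

    def add_entry(self, ip: str, mac: str) -> None:
        # A set per IP models "more than one inspection entry for a single IP";
        # this is the modelled behaviour, not a confirmed FCX feature.
        self.bindings.setdefault(ip, set()).add(mac.lower())

    def inspect(self, pkt: ArpPacket) -> str:
        if pkt.ingress_port in self.trusted_ports:
            return "forward (trusted port)"          # never inspected
        allowed = self.bindings.get(pkt.sender_ip)
        if allowed is None:
            return "drop (no binding for IP)"       # unknown sender IP
        if pkt.sender_mac.lower() not in allowed:
            return "drop (IP/MAC mismatch)"         # the ARP-poisoning case
        return "forward"


def run_sample() -> list:
    """Run constructed ARP packets through a constructed policy."""
    policy = DaiPolicy(trusted_ports={"1/1/48"})    # constructed uplink port
    policy.add_entry("10.0.0.10", "00:11:22:33:44:01")
    policy.add_entry("10.0.0.20", "00:11:22:33:44:A0")  # HA pair: one IP,
    policy.add_entry("10.0.0.20", "00:11:22:33:44:A1")  # two valid MACs
    packets = [  # constructed sample traffic
        ArpPacket("1/1/5", "10.0.0.10", "00:11:22:33:44:01"),   # legitimate host
        ArpPacket("1/1/6", "10.0.0.10", "00:11:22:33:44:FF"),   # someone else claims 10.0.0.10
        ArpPacket("1/1/7", "10.0.0.20", "00:11:22:33:44:A1"),   # HA standby member
        ArpPacket("1/1/48", "10.0.0.99", "00:11:22:33:44:EE"),  # trusted uplink
        ArpPacket("1/1/8", "10.0.0.30", "00:11:22:33:44:30"),   # IP with no entry
    ]
    return [policy.inspect(p) for p in packets]
```

Marking the HA ports trusted, as suggested above, removes the per-IP entries entirely but also means a spoofed ARP arriving on those ports is never checked; the explicit entries keep inspection on while still admitting both MACs.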

Occasional Contributor
Posts: 11
Registered: 01-25-2011

Re: Dynamic ARP Inspection (DAI) on an FCX stack - Trunk Question

Change of plans.  I was able to figure out how to avoid making the change in order to satisfy the compliance issue.  YAY!!  No DAI needed!!!

Nonetheless, thank you for your feedback and suggestions.

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Dynamic ARP Inspection (DAI) on an FCX stack - Trunk Question

You are most welcome cmaier.  Have a good weekend.

Thanks

Michael.
