New Contributor
Posts: 2
Registered: ‎08-25-2008

Dynamic ARP Inspection - New Hosts on Untrusted Ports

Hello,

I'm looking into enabling Dynamic ARP Inspection for a VLAN on one of my Brocade switches. According to the documentation, all ports are untrusted and I should set up Inspection ARP entries for the hosts I want to trust. There's no problem with that, but I was wondering what I should do when there are new hosts connecting to this switch? The port will be untrusted and the new host will not have an IP address yet because we use DHCP. How should I go about adding new hosts to DAI-enabled VLANs?

Thanks,

Dan

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Dynamic ARP Inspection - New Hosts on Untrusted Ports

Hi Dan,

I have not done this; however, I did find the below from the Config Guide.

Support for dynamic ARP inspection with dynamic ACLs

Multi-device port authentication and Dynamic ARP Inspection (DAI) are supported in conjunction with dynamic ACLs. Support is available in the Layer 3 software images only.

DAI is supported together with multi-device port authentication as long as ACL-per-port-per-vlan is enabled. Otherwise, you do not need to perform any extra configuration steps to enable support with dynamic ACLs. When these features are enabled on the same port/VLAN, support is automatically enabled.

Support for DHCP snooping with dynamic ACLs

Multi-device port authentication and DHCP snooping are supported in conjunction with dynamic ACLs. Support is available in the Layer 3 software images only.

DHCP Snooping is supported together with multi-device port authentication as long as ACL-per-port-per-vlan is enabled. Otherwise, you do not need to perform any extra configuration steps to enable support with dynamic ACLs. When these features are enabled on the same port/VLAN, support is automatically enabled.

Thanks

Michael.

New Contributor
Posts: 2
Registered: ‎08-25-2008

Re: Dynamic ARP Inspection - New Hosts on Untrusted Ports

I was wondering if I should enable DHCP snooping too. Would DAI prevent the new clients from acquiring a DHCP address?

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Dynamic ARP Inspection - New Hosts on Untrusted Ports

Hi Dan,

DAI will not affect it as long as DHCP snooping is on. However, once the client gets the IP address (and the client is on an untrusted port), DAI will block its ARP. You would need to create the mapping for DAI.

Thanks

Michael.
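A simplified model of the check discussed in this thread, added here as an illustration and not taken from the posts or from Brocade's software: ARP arriving on an untrusted port is forwarded only when its sender IP/MAC pair matches a known binding. It assumes a binding can come either from a manually configured inspection entry or from a lease learned by DHCP snooping; the class, port names and addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    """Toy model of DAI validation (hypothetical, not a vendor API)."""
    trusted_ports: set = field(default_factory=set)
    dhcp_snooping: bool = False
    bindings: dict = field(default_factory=dict)  # ip -> (mac, source)

    def add_inspection_entry(self, ip, mac):
        # Static mapping an administrator configures by hand.
        self.bindings[ip] = (mac.lower(), "static")

    def dhcp_ack(self, server_port, client_mac, leased_ip):
        # Assumption: a lease is learned only when snooping is enabled and
        # the DHCP server's reply arrives on a trusted port.
        if self.dhcp_snooping and server_port in self.trusted_ports:
            self.bindings[leased_ip] = (client_mac.lower(), "dhcp-snooping")
            return True
        return False

    def inspect_arp(self, port, sender_ip, sender_mac):
        # Trusted ports bypass inspection; untrusted ports must match a binding.
        if port in self.trusted_ports:
            return "forward"
        bound = self.bindings.get(sender_ip)
        if bound and bound[0] == sender_mac.lower():
            return "forward"
        return "drop"

def demo():
    # Constructed sample values (documentation address range, made-up MACs).
    new_host, other = "02:00:00:00:00:50", "02:00:00:00:00:66"
    sw = Switch(trusted_ports={"uplink"}, dhcp_snooping=True)
    results = {}
    # New DHCP client before any binding exists: its ARP is dropped.
    results["before_lease"] = sw.inspect_arp("e1", "192.0.2.50", new_host)
    # Lease observed from the trusted uplink creates the binding.
    sw.dhcp_ack("uplink", new_host, "192.0.2.50")
    results["after_lease"] = sw.inspect_arp("e1", "192.0.2.50", new_host)
    # Another port claiming the same IP with a different MAC is dropped.
    results["mismatch"] = sw.inspect_arp("e2", "192.0.2.50", other)
    # Statically addressed host needs a manual inspection entry.
    sw.add_inspection_entry("192.0.2.10", "02:00:00:00:00:10")
    results["static"] = sw.inspect_arp("e3", "192.0.2.10", "02:00:00:00:00:10")
    return results

if __name__ == "__main__":
    print(demo())
```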
