Table 11. Feature History Table
Feature Name | Release Information | Description
Dynamic Address Resolution Protocol (ARP) Inspection (DAI) | Release 7.9.1 | The routers can now determine the validity of an Address Resolution Protocol (ARP) packet based on valid MAC address to IP address bindings stored in a trusted database built at runtime by DHCP snooping. With this feature, the router relays only valid ARP requests and responses, preventing ARP poisoning attacks. This feature introduces the following:
Dynamic ARP Inspection (DAI) prevents Address Resolution Protocol (ARP) poisoning attacks by intercepting all ARP requests and responses. Each ARP packet is checked for a valid MAC address to IP address binding before the local ARP cache is updated or the packet is forwarded to its destination; the router drops ARP packets that fail the check. DAI determines the validity of an ARP packet from the MAC address, source IP address, and source interface recorded in the router's DHCP snooping entries. In addition, DAI can validate ARP packets against user-configured ARP ACLs to handle hosts that use statically configured IP addresses. You can also configure DAI (address validation) to drop ARP packets whose IP addresses are invalid or whose MAC addresses in the body of the ARP packet do not match the addresses in the Ethernet header.
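The decision described above, as an added example that is not Cisco code: a software model of the DAI check that parses raw Ethernet/ARP frames, applies the header-versus-body address validation, and then looks the sender up in a binding table keyed by MAC address. The binding table, the ARP ACL entry, the interface names, the MAC and IP addresses, and every frame are constructed here; the set of "invalid" IP addresses (unspecified, broadcast, multicast) is an assumption modelled on classic IOS DAI behaviour, not something this page states for IOS XR.

```python
"""Added example, not Cisco code: a software model of the Dynamic ARP
Inspection decision. Bindings, ACL, interfaces and frames are all constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Binding:
    mac: str        # Cisco dotted format, e.g. 0011.2233.4455
    ip: str
    interface: str  # attachment circuit the host was learned on


# Constructed DHCP snooping bindings: the trusted database DAI consults.
BINDINGS: Dict[str, Binding] = {
    "0011.2233.4455": Binding("0011.2233.4455", "10.0.0.10", "Bundle-Ether30001.2001"),
    "0011.2233.4466": Binding("0011.2233.4466", "10.0.0.11", "Bundle-Ether30001.2001"),
}
# Constructed ARP ACL entry for a host with a statically configured address.
ARP_ACL: Dict[str, Binding] = {
    "0011.2233.aaaa": Binding("0011.2233.aaaa", "10.0.0.200", "Bundle-Ether30001.2002"),
}


def _mac(b: bytes) -> str:
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(eth_src: str, sha: str, spa: str, tpa: str, op: int = ARP_REQUEST,
              eth_dst: str = "ffff.ffff.ffff", tha: str = "0000.0000.0000") -> bytes:
    """Construct an Ethernet II / ARP frame (test data built here, not a capture)."""
    mac = lambda s: bytes.fromhex(s.replace(".", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the header fields of an Ethernet II / ARP-over-IPv4 frame, or None if it is not one."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(eth_src), "eth_dst": _mac(eth_dst), "op": op,
            "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}


def invalid_ip(ip: str) -> bool:
    # Assumption modelled on classic IOS DAI "ip" validation: unspecified, broadcast, multicast.
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239


def inspect(frame: bytes, ingress: str, address_validation: bool = True,
            bindings: Dict[str, Binding] = BINDINGS,
            arp_acl: Dict[str, Binding] = ARP_ACL) -> Tuple[str, str]:
    """Apply the DAI checks to one frame received on `ingress`; return ("forward"|"drop", reason)."""
    p = parse_arp(frame)
    if p is None:
        return "forward", "not ARP, not inspected"
    if address_validation:
        # Body-vs-header consistency: sender MAC must equal the Ethernet source;
        # in a reply the target MAC must equal the Ethernet destination.
        if p["sha"] != p["eth_src"]:
            return "drop", f"sender MAC {p['sha']} != Ethernet source {p['eth_src']}"
        if p["op"] == ARP_REPLY and p["tha"] != p["eth_dst"]:
            return "drop", f"target MAC {p['tha']} != Ethernet destination {p['eth_dst']}"
        if invalid_ip(p["spa"]) or (p["op"] == ARP_REPLY and invalid_ip(p["tpa"])):
            return "drop", f"invalid IP address in ARP body ({p['spa']} -> {p['tpa']})"
    # Binding check: (MAC, IP, ingress interface) must match a DHCP snooping entry or an ARP ACL entry.
    b = bindings.get(p["sha"]) or arp_acl.get(p["sha"])
    if b is None:
        return "drop", f"no binding for {p['sha']}"
    if b.ip != p["spa"]:
        return "drop", f"{p['sha']} is bound to {b.ip} but claims {p['spa']}"
    if b.interface != ingress:
        return "drop", f"{p['sha']} was learned on {b.interface} but arrived on {ingress}"
    return "forward", "binding ok"


if __name__ == "__main__":
    legit = build_arp("0011.2233.4455", "0011.2233.4455", "10.0.0.10", "10.0.0.1")
    # Poisoning attempt: host 4466 answers for 10.0.0.10, which is bound to 4455.
    poison = build_arp("0011.2233.4466", "0011.2233.4466", "10.0.0.10", "10.0.0.1", op=ARP_REPLY,
                       eth_dst="0011.2233.4455", tha="0011.2233.4455")
    print(inspect(legit, "Bundle-Ether30001.2001"))   # ('forward', 'binding ok')
    print(inspect(poison, "Bundle-Ether30001.2001"))  # drop: 4466 is bound to 10.0.0.11
```

The binding check alone already stops a host answering for an IP address it was not assigned, or a forged victim MAC arriving on the wrong attachment circuit. Address validation covers the case the binding check cannot see: a frame whose Ethernet source is the attacker's MAC but whose ARP body carries the victim's (MAC, IP) pair, which passes the binding lookup unless the body is compared with the header.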
Prerequisites
Configuration
To configure Dynamic ARP Inspection on a bridge domain, do the following:
Router# configure
Enters the Global Configuration mode.
Router(config)# l2vpn
Enters the l2vpn configuration mode.
Router(config-l2vpn)# bridge group csco
Creates a bridge group so that it can contain bridge domains and then assigns network interfaces to the bridge domain.
Router(config-l2vpn-bg)# bridge-domain abc
Establishes a bridge domain and enters l2vpn bridge group bridge domain configuration mode.
Router(config-l2vpn-bg-bd)# dynamic-arp-inspection logging
Enables Dynamic ARP Inspection on the bridge domain and logs the ARP packets that it drops.
Router(config-l2vpn-bg-bd)# dynamic-arp-inspection address-validation
Enables address validation: in addition to the binding check, ARP packets whose MAC addresses in the ARP body do not match the addresses in the Ethernet header, or whose IP addresses are invalid, are dropped.
Router(config-l2vpn-bg-bd)# commit
Router(config-l2vpn-bg-bd)# exit
Running Configuration
Router(config)# show running-config l2vpn
l2vpn
bridge group csco
bridge-domain abc
dynamic-arp-inspection logging
dynamic-arp-inspection address-validation
!
!
!
Verification
In the output, confirm that the bridge-domain level line reads Dynamic ARP Inspection: enabled (and Logging: enabled if configured), and watch the Dynamic ARP inspection drop counters under each attachment circuit (AC): a rising packet count there is ARP traffic that failed inspection. Also check the DHCPv4 Snooping line on the bridge domain, because DAI validates against the bindings that DHCP snooping builds; hosts with statically configured addresses must be covered by an ARP ACL instead. The sample output below was taken from a different bridge domain (evpn in bridge group evpn-aa-irb-inter) than the one configured above, but it shows the same fields.
Router(config)# show l2vpn bridge-domain bd-name abc detail
Legend: pp = Partially Programmed.
Bridge group: evpn-aa-irb-inter, bridge-domain: evpn, id: 1797, state: up, ShgId: 0, MSTi: 0
Coupled state: disabled
VINE state: EVPN-IRB
MAC learning: enabled
MAC withdraw: enabled
MAC withdraw for Access PW: enabled
MAC withdraw sent on: bridge port up
MAC withdraw relaying (access to access): disabled
Flooding:
Broadcast & Multicast: enabled
Unknown unicast: enabled
MAC aging time: 300 s, Type: inactivity
MAC limit: 64000, Action: none, Notification: syslog
MAC limit reached: no, threshold: 99%
MAC port down flush: enabled
MAC Secure: disabled, Logging: disabled
Split Horizon Group: none
Dynamic ARP Inspection: enabled, Logging: enabled
IP Source Guard: disabled, Logging: disabled
DHCPv4 Snooping: disabled
DHCPv4 Snooping profile: none
IGMP Snooping: disabled
IGMP Snooping profile: none
MLD Snooping profile: none
Storm Control: disabled
Bridge MTU: 1500
MIB cvplsConfigIndex: 1798
Filter MAC addresses:
P2MP PW: disabled
Multicast Source: Not Set
Create time: 11/12/2020 02:02:56 (04:55:20 ago)
No status change since creation
ACs: 2 (2 up), VFIs: 0, PWs: 0 (0 up), PBBs: 0 (0 up), VNIs: 0 (0 up)
List of EVPNs:
EVPN, state: up
evi: 2001
XC ID 0x800006a7
Statistics:
packets: received 0 (unicast 0), sent 0
bytes: received 0 (unicast 0), sent 0
MAC move: 0
List of ACs:
AC: BVI10001, state is up
Type Routed-Interface
MTU 2000; XC ID 0x80000fa3; interworking none
BVI MAC address:
0088.0088.0088
Split Horizon Group: Access
PD System Data: AF-LIF-IPv4: 0x00000000 AF-LIF-IPv6: 0x00000000 FRR-LIF: 0x00000000
AC: Bundle-Ether30001.2001, state is up
Type VLAN; Num Ranges: 1
Outer Tag: 3001
Rewrite Tags: []
VLAN ranges: [2001, 2001]
MTU 1500; XC ID 0xa00005e0; interworking none; MSTi 1
MAC learning: enabled
Flooding:
Broadcast & Multicast: enabled
Unknown unicast: enabled
MAC aging time: 300 s, Type: inactivity
MAC limit: 64000, Action: none, Notification: syslog
MAC limit reached: no, threshold: 99%
MAC port down flush: enabled
MAC Secure: disabled, Logging: disabled
Split Horizon Group: none
E-Tree: Root
Dynamic ARP Inspection: disabled, Logging: disabled
IP Source Guard: disabled, Logging: disabled
DHCPv4 Snooping: disabled
DHCPv4 Snooping profile: none
IGMP Snooping: disabled
IGMP Snooping profile: none
MLD Snooping profile: none
Storm Control: bridge-domain policer
Static MAC addresses:
Statistics:
packets: received 404672709 (multicast 0, broadcast 0, unknown unicast 0, unicast 0), sent 0
bytes: received 30835628366 (multicast 0, broadcast 0, unknown unicast 0, unicast 0), sent 0
MAC move: 0
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
Dynamic ARP inspection drop counters:
packets: 0, bytes: 0
IP source guard drop counters:
packets: 0, bytes: 0
PD System Data: AF-LIF-IPv4: 0x00018919 AF-LIF-IPv6: 0x0001891a FRR-LIF: 0x00000000
List of Access PWs:
List of VFIs:
List of Access VFIs:
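Checking these fields by eye does not scale past a few bridge domains. As an added example that is not Cisco code, the following parser reads the text of "show l2vpn bridge-domain bd-name <name> detail" and extracts the DAI state at bridge-domain level plus, for each AC, the DAI state and the DAI drop counters, then turns them into findings. SAMPLE_OUTPUT is a constructed excerpt modelled on the output above (with a non-zero drop counter inserted so the audit has something to report); the field names and the audit rules are this example's own.

```python
"""Added example, not Cisco code: parse "show l2vpn bridge-domain ... detail"
output and audit the Dynamic ARP Inspection fields. SAMPLE_OUTPUT is a
constructed excerpt, not a live capture."""
import re
from typing import List, Optional

SAMPLE_OUTPUT = """\
Legend: pp = Partially Programmed.
Bridge group: evpn-aa-irb-inter, bridge-domain: evpn, id: 1797, state: up, ShgId: 0, MSTi: 0
  MAC learning: enabled
  Dynamic ARP Inspection: enabled, Logging: enabled
  IP Source Guard: disabled, Logging: disabled
  DHCPv4 Snooping: disabled
  ACs: 2 (2 up), VFIs: 0, PWs: 0 (0 up), PBBs: 0 (0 up), VNIs: 0 (0 up)
  List of ACs:
    AC: BVI10001, state is up
      Type Routed-Interface
    AC: Bundle-Ether30001.2001, state is up
      Type VLAN; Num Ranges: 1
      Dynamic ARP Inspection: disabled, Logging: disabled
      IP Source Guard: disabled, Logging: disabled
      Statistics:
        packets: received 404672709 (multicast 0, broadcast 0, unknown unicast 0, unicast 0), sent 0
      Dynamic ARP inspection drop counters:
        packets: 17, bytes: 1020
      IP source guard drop counters:
        packets: 0, bytes: 0
"""

BD_RE = re.compile(r"^Bridge group: (?P<group>[^,\s]+), bridge-domain: (?P<bd>[^,\s]+), id: \d+, state: (?P<state>[^,\s]+)")
AC_RE = re.compile(r"^AC: (?P<ac>[^,\s]+), state is (?P<state>[^,\s]+)")
DAI_RE = re.compile(r"^Dynamic ARP Inspection: (?P<dai>[^,\s]+), Logging: (?P<log>[^,\s]+)")
DHCP_RE = re.compile(r"^DHCPv4 Snooping: (?P<snoop>[^,\s]+)")
DROP_RE = re.compile(r"^packets: (?P<pkts>\d+), bytes: (?P<bytes>\d+)")


def parse_bd_detail(text: str) -> List[dict]:
    """Return one dict per bridge domain: BD-level DAI/snooping state and a list of ACs."""
    bds: List[dict] = []
    bd: Optional[dict] = None
    ac: Optional[dict] = None
    pending: Optional[str] = None  # which drop-counter header the next "packets:" line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        m = BD_RE.match(line)
        if m:
            bd = {"group": m["group"], "name": m["bd"], "state": m["state"],
                  "dai": None, "logging": None, "dhcp_snooping": None, "acs": []}
            bds.append(bd)
            ac, pending = None, None
            continue
        if bd is None:
            continue
        m = AC_RE.match(line)
        if m:
            ac = {"name": m["ac"], "state": m["state"], "dai": None, "logging": None,
                  "dai_drop_packets": 0, "dai_drop_bytes": 0}
            bd["acs"].append(ac)
            pending = None
            continue
        target = ac if ac is not None else bd   # lines before "List of ACs:" describe the BD itself
        m = DAI_RE.match(line)
        if m:
            target["dai"] = m["dai"] == "enabled"
            target["logging"] = m["log"] == "enabled"
            continue
        m = DHCP_RE.match(line)
        if m and ac is None:
            bd["dhcp_snooping"] = m["snoop"] == "enabled"
            continue
        if line == "Dynamic ARP inspection drop counters:":
            pending = "dai"
            continue
        m = DROP_RE.match(line)   # "packets: received ..." statistics lines do not match this
        if m and pending == "dai" and ac is not None:
            ac["dai_drop_packets"] = int(m["pkts"])
            ac["dai_drop_bytes"] = int(m["bytes"])
        pending = None
    return bds


def audit(bds: List[dict]) -> List[str]:
    """Findings a practitioner would act on; rules are this example's own."""
    findings: List[str] = []
    for bd in bds:
        if not bd["dai"]:
            findings.append(f"{bd['name']}: Dynamic ARP Inspection not enabled at bridge-domain level")
        elif not bd["dhcp_snooping"]:
            findings.append(f"{bd['name']}: DAI enabled but DHCPv4 Snooping disabled, "
                            f"so there are no DHCP-learned bindings to validate against")
        for ac in bd["acs"]:
            if ac["dai_drop_packets"]:
                findings.append(f"{bd['name']}/{ac['name']}: {ac['dai_drop_packets']} ARP packets "
                                f"({ac['dai_drop_bytes']} bytes) dropped by DAI")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_bd_detail(SAMPLE_OUTPUT)):
        print(finding)
```

Feed it the saved output of the show command for each bridge domain (the parser handles several bridge domains in one text, as the command without bd-name prints them) and diff the drop counters between runs; the counters are cumulative, so the delta is what matters.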