This article describes how to configure ARP spoofing protection when clients are configured with static IP addresses.
On Extreme Summit switches we can use an ACL instead of DAI (Dynamic ARP Inspection):
I'm using the XOS embedded editor for ACL creation and modification. It is very similar to vi on Linux:
exos# edit policy acl-in-port-1
Here we allow all ARP packets whose sender address is host 10.10.10.2/32. All other ARP packets are dropped. I'm also using a counter for the dropped packets.
entry allow-arps {
    if match all {
        ethernet-type 0x0806;
        arp-sender-address 10.10.10.2 mask 255.255.255.255;
    }
    then {
        permit;
    }
}
entry deny-any-other-arp {
    if match all {
        ethernet-type 0x0806;
    }
    then {
        deny;
        count dropped-invalid-arp;
    }
}
In the next step we need to attach the ACL to the user's port:
configure access-list acl-in-port-1 ports 1 ingress
After the configuration is done, we can check the counters on the port:
# sh access-list counter ports 1
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
acl-in-port-1     *                1      ingress
    dropped-invalid-arp            0
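
With static addressing this policy has to be repeated for every access port, so the following added example (not part of the original article) generates the policy text and the attach command for each port from an inventory. It goes beyond the single-host case by emitting one permit entry per allowed address ahead of the final deny; the inventory contents, the allow-arps-<ip> entry naming and the function names are assumptions.

```python
import ipaddress

# Constructed sample inventory (assumption): switch port -> static IPs behind it.
SAMPLE_INVENTORY = {1: ["10.10.10.2"], 2: ["10.10.10.3", "10.10.10.4"]}

PERMIT = """entry {name} {{
    if match all {{
        ethernet-type 0x0806;
        arp-sender-address {ip} mask 255.255.255.255;
    }}
    then {{
        permit;
    }}
}}
"""
DENY_REST = """entry deny-any-other-arp {
    if match all {
        ethernet-type 0x0806;
    }
    then {
        deny;
        count dropped-invalid-arp;
    }
}
"""


def build_policy(allowed_ips):
    """One permit entry per static IP, then the counted deny for all other ARP."""
    ips = sorted({ipaddress.IPv4Address(a) for a in allowed_ips})  # validates, dedupes
    if not ips:
        raise ValueError("empty list would drop every ARP on the port")
    # Hypothetical naming scheme: allow-arps-<ip with dashes> keeps entry names distinct.
    permits = [PERMIT.format(name="allow-arps-" + str(ip).replace(".", "-"), ip=ip) for ip in ips]
    return "".join(permits) + DENY_REST


def build_all(inventory):
    """Return {policy name: (policy text, attach command)} for every port."""
    out = {}
    for port, ips in sorted(inventory.items()):
        name = f"acl-in-port-{port}"
        out[name] = (build_policy(ips), f"configure access-list {name} ports {port} ingress")
    return out
```

Calling build_all(SAMPLE_INVENTORY) returns the text to paste into each policy together with the matching attach command; a malformed address or an empty address list raises ValueError before anything is generated.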