How to configure DAI on Extreme Summit for static IP

By | 27.05.2019

This article describes the case in which you need to configure ARP spoofing protection and clients are configured with static IP addresses.
On Extreme Summit we can use ACL instead of DAI:

Im using XOS embedded edititor for ACL creation and modification. Very similar to Linux VI:

exos# edit policy acl-in-port-1

Here we are allowing all ARPs from host 10.10.10.2/32. All other ARPs will be dropped. Also, im using counter of dropped packets.

entry allow-arps { 
 if match all { 
     ethernet-type 0x0806;
     arp-sender-address 10.10.10.2 mask 255.255.255.255;
 }
 then {
     permit;
 }
 }
 entry deny-any-other-arp { 
 if match all { 
     ethernet-type 0x0806;
 }
 then {
     deny;
     count dropped-invalid-arp;
 }
 }

In next step we need to attach ACL to users port:

configure access-list acl-in-port-1 ports 1 ingress

After all configuration is done, we can check counters on port:

# sh access-list counter ports 1
Policy Name       Vlan Name        Port   Direction  
    Counter Name                   Packet Count         Byte Count           
==================================================================
acl-in-port-1    *                1     ingress   
    dropped-invalid-arp            0                                         
Subscribe
Notify of

0 комментариев
Oldest
Newest
Inline Feedbacks
View all comments