Task
Provision the N1Kv to inspect all ARP traffic in VLAN 111, and drop it if the table has no
entry binding the MAC address, the IP address and the requesting interface together.
Configuration
IP ARP inspection relies on the DHCP snooping binding database to validate the MAC address
to interface mapping. Turn on DHCP snooping and IP ARP inspection for VLAN 111. We were
also asked to inspect for matching IP addresses, so we'll add that argument.
On N1Kv:
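The configuration screenshot for this step did not survive extraction; the following is an added example written in NX-OS syntax, not the workbook's own capture. The uplink port-profile name is a placeholder and the trust settings are assumed to have been applied in the previous task.

```text
! Added example (NX-OS syntax), not the workbook's own screenshot.
! DHCP snooping globally and for VLAN 111 (already running from the previous task)
feature dhcp
ip dhcp snooping
ip dhcp snooping vlan 111
!
! Dynamic ARP inspection for VLAN 111, checked against the DHCP snooping binding table;
! "validate ip" adds the requested check that the sender IP matches the binding
ip arp inspection vlan 111
ip arp inspection validate ip
!
! Assumption: the uplink port-profile toward the DHCP server was marked trusted in the
! previous task; without it the server's replies would be dropped as well:
!   port-profile type ethernet UPLINK     (UPLINK is a placeholder name)
!     ip dhcp snooping trust
!     ip arp inspection trust
!
! Verification commands used in this task
show ip arp inspection statistics vlan 111
show ip dhcp snooping binding
```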
Verification
Let's first clear the ARP cache on Win2k8-www-1 and ping an IP on the same subnet as one of
our adapters to confirm that ARP still works. It does, because we have just set up DHCP
snooping and the binding table was already populated in the previous task.
On N1Kv, let's look at the IP ARP inspection statistics. We see matches counted as permits, and
nothing dropped so far.
[Screenshot: IP ARP inspection statistics for VLAN 111 on N1Kv-01 (inspection Enabled, Operation State Active): DHCP Permits = 14, all drop and failure counters = 0; followed by the DHCP snooping binding table header (IpAddress, LeaseSec, Type, VLAN, Interface).]
Let's clear the ARP table on Win2k8-www-1 again and try to ping. Now we clearly have a
problem: IP ARP inspection is doing its job and blocking our request, because we no longer have a
corresponding entry in the DHCP snooping binding table.
On N1Kv, let's look at the IP ARP inspection statistics again. We now see ARP requests
dropped.
[Screenshot: the same IP ARP inspection statistics on N1Kv-01 after clearing the ARP cache: ARP requests dropped = 4, DHCP Permits still = 14, the other counters unchanged at 0.]
But if we ask the DHCP server for a new lease, the binding should be repopulated in the
database and pings should work again. Note that you MUST do a DHCP Release and then a
DHCP Renew; otherwise the VM guest, which already knows its DHCP server, will unicast the
renewal, and that unicast fails because the ARP resolution it needs is dropped by ARP inspection
while the binding is missing. We need to release and renew on both VM guests, but screenshots
for just one are shown because the steps are identical.
Release.
Renew.
We see the DHCP Snooping Binding database restored, and pings should work again.
[Screenshot: DHCP snooping binding table on N1Kv-01 after the release/renew: two dhcp-snoop entries in VLAN 111 bound to Vethernet interfaces (LeaseSec 86392 and 86082), one of them for MAC 00:50:56:bb:73:8c.]
2013 INE