
UCS Technology Labs Nexus 1000v on UCS

Dynamic ARP Inspection in Nexus 1000v


Last updated: April 11, 2013

Task
Provision N1Kv to inspect all ARP traffic in VLAN 111 and drop any ARP packet whose MAC address, IP address and requesting interface are not bound together in a corresponding table entry.

Configuration
IP ARP inspection relies on the DHCP Snooping Binding database to validate the MAC-address-to-interface mapping. Turn on DHCP snooping and IP ARP inspection for VLAN 111. We were also asked to inspect for matching IP addresses, so we add the ip argument to the validate command.
On N1Kv:

svs switch edition advanced

feature dhcp
ip dhcp snooping
ip dhcp snooping vlan 111
ip arp inspection vlan 111
ip arp inspection validate src-mac ip

Verification
Let's first try to erase our ARP cache on Win2k8-www-1 and try to ping an IP on the same
subnet as one of our adapters to make sure that ARP works properly. It looks like we can. This
is because we have just set up DHCP snooping and had already populated the table in the
previous task.


On N1Kv, let's look at the IP ARP inspection statistics. We see matches for permits, and
nothing dropped so far.

N1Kv-01(config)# sh ip arp inspection vlan 111

Source Mac Validation      : Enabled
Destination Mac Validation : Disabled
IP Address Validation      : Enabled
Filter Mode (for static bindings): IP-MAC

Vlan : 111
----------
Configuration        : Enabled
Operation State      : Active
DHCP logging options : Deny

N1Kv-01(config)# sh ip arp inspection statistics vlan 111
Vlan : 111
----------
ARP Req Forwarded  = 24
ARP Res Forwarded  = 6
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 14
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
N1Kv-01(config)#

What will happen if we clear the DHCP Snooping Binding database?

N1Kv-01(config)# clear ip dhcp snooping binding

N1Kv-01(config)# sh ip dhcp snooping binding
MacAddress        IpAddress       LeaseSec Type       VLAN Interface
----------------- --------------- -------- ---------- ---- -----------
N1Kv-01(config)#

Let's clear the ARP table on Win2k8-www-1 again, and try to ping. It is clear that we have a
problem; IP ARP inspection is doing its job and blocking our request (because we don't have a
corresponding entry in the DHCP snooping table).

On N1Kv, let's look again at the IP ARP inspection statistics. We now see ARP Reqs dropped.

N1Kv-01(config)# sh ip arp inspection vlan 111

Source Mac Validation      : Enabled
Destination Mac Validation : Disabled
IP Address Validation      : Enabled
Filter Mode (for static bindings): IP-MAC

Vlan : 111
----------
Configuration        : Enabled
Operation State      : Active
DHCP logging options : Deny

N1Kv-01(config)# sh ip arp inspection statistics vlan 111
Vlan : 111
----------
ARP Req Forwarded  = 24
ARP Res Forwarded  = 6
ARP Req Dropped    = 4
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 14
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
N1Kv-01(config)#

But if we ask the DHCP server to renew our lease again, we should see the entry repopulated in the
database and be able to ping again. Note here that you MUST do a DHCP Release and then a
DHCP Renew; otherwise, the VM guest already knows its DHCP server and will attempt to
unicast the renewal to it, which will fail because of ARP inspection. We will need to release and renew on both
VM guests, but screenshots for just one are shown because the steps are identical on each.
Release.

Renew.

We see the DHCP Snooping Binding database restored, and pings should work again.

N1Kv-01(config)# sh ip dhcp snooping binding
MacAddress        IpAddress       LeaseSec Type       VLAN Interface
----------------- --------------- -------- ---------- ---- -----------
00:50:56:bb:40:4c 10.0.111.2      86392    dhcp-snoop 111  Vethernet16
00:50:56:bb:73:8c 10.0.111.1      86082    dhcp-snoop 111  Vethernet15
N1Kv-01(config)#

We try the ping again, and connectivity is restored!
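The decision the two verification runs above illustrate, written out as an added Python model of the N1Kv's DAI check (example code, not Cisco's or INE's): each ARP frame is first subjected to the optional src-mac / dst-mac / ip validations and then looked up against the DHCP snooping bindings, with the same counters that sh ip arp inspection statistics reports. The frame field names are assumptions, as is the mapping of Win2k8-www-1 to the 00:50:56:bb:40:4c / 10.0.111.2 binding on Vethernet16 taken from the table above; the addresses the ip validation rejects (unspecified, multicast, broadcast) are assumed too.

```python
import ipaddress
from collections import Counter

INSPECTED_VLANS = {111}        # ip arp inspection vlan 111
VALIDATE = {"src-mac", "ip"}   # ip arp inspection validate src-mac ip

def bad_ip(ip):  # assumption: addresses the 'ip' validation rejects
    a = ipaddress.ip_address(ip)
    return a.is_unspecified or a.is_multicast or ip == "255.255.255.255"

def arp_inspect(frame, bindings, stats):
    """Return 'forward' or 'drop' for one ARP frame dict (vlan, interface, eth_src,
    eth_dst, op, sender_mac, sender_ip, target_mac, target_ip); bump the counters."""
    kind = "Req" if frame["op"] == "req" else "Res"
    if frame["vlan"] not in INSPECTED_VLANS:
        return "forward"                     # only inspected VLANs are checked
    ok = True
    # Optional header checks, each counted per ARP type like the N1Kv output.
    if "src-mac" in VALIDATE and frame["eth_src"] != frame["sender_mac"]:
        stats[f"SMAC Fails-ARP {kind}"] += 1
        ok = False
    if "dst-mac" in VALIDATE and kind == "Res" and frame["eth_dst"] != frame["target_mac"]:
        stats["DMAC Fails-ARP Res"] += 1
        ok = False
    ips = [frame["sender_ip"]] + ([frame["target_ip"]] if kind == "Res" else [])
    if "ip" in VALIDATE and any(bad_ip(ip) for ip in ips):
        stats[f"IP Fails-ARP {kind}"] += 1
        ok = False
    # Mandatory check: sender MAC+IP must be bound to this VLAN and ingress port.
    key = (frame["sender_mac"], frame["sender_ip"], frame["vlan"], frame["interface"])
    if ok and key in bindings:
        stats[f"ARP {kind} Forwarded"] += 1
        return "forward"
    stats[f"ARP {kind} Dropped"] += 1
    return "drop"

def lab_scenario():
    """Replay the page: ARP with a binding, after clearing it, after release/renew."""
    www1 = ("00:50:56:bb:40:4c", "10.0.111.2", 111, "Vethernet16")  # constructed from the table
    req = dict(vlan=111, interface="Vethernet16", op="req", eth_src=www1[0],
               eth_dst="ff:ff:ff:ff:ff:ff", sender_mac=www1[0], sender_ip=www1[1],
               target_mac="00:00:00:00:00:00", target_ip="10.0.111.1")
    bindings, stats, decisions = {www1}, Counter(), []
    decisions.append(arp_inspect(req, bindings, stats))  # entry present -> forwarded
    bindings.clear()                                     # clear ip dhcp snooping binding
    decisions.append(arp_inspect(req, bindings, stats))  # no entry -> dropped
    bindings.add(www1)                                   # DHCP release/renew re-learns it
    decisions.append(arp_inspect(req, bindings, stats))
    return decisions, stats
```

A frame whose Ethernet source MAC does not match its ARP sender MAC, or whose sender IP is 0.0.0.0, is dropped and counted under SMAC Fails or IP Fails even when a binding exists, which is what the validate src-mac ip argument adds on top of the binding lookup.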


2013 INE Inc., All Rights Reserved