392 | Dynamic Host Configuration Protocol (DHCP)w w w . d e l l . c o m | s u p p o r t . d e l l . c o m • denial of service—an attacker can send a fraudulent ARP messages to a client to associate a falseMAC address with the gateway address, which would blackhole all internet-bound packets from theclient.View the number of entries in the ARP database with the show arp inspection database command.FTOS#show arp inspection databaseProtocol Address Age(min) Hardware Address Interface VLAN CPU----------------------------------------------------------------------------Internet 10.1.1.251 - 00:00:4d:57:f2:50 Gi 0/2 Vl 10 CPInternet 10.1.1.252 - 00:00:4d:57:e6:f6 Gi 0/1 Vl 10 CPInternet 10.1.1.253 - 00:00:4d:57:f8:e8 Gi 0/3 Vl 10 CPInternet 10.1.1.254 - 00:00:4d:69:e8:f2 Te 0/50 Vl 10 CPFTOS#Note: DAI uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry isrequired for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system. However, theExaScale default CAM profile allocates only 9 entries to the L2SysFlow region for DAI. You can configure10 to 16 DAI-enabled VLANs by allocating more CAM space to the L2SysFlow region before enablingDAI.SystemFlow has 102 entries by default. This region is comprised of two sub-regions: L2Protocol andL2SystemFlow. L2Protocol has 87 entries, and L2SystemFlow has 15 entries. Six L2SystemFlow entriesare used by Layer 2 protocols, leaving 9 for DAI. L2Protocol can have a maximum of 100 entries, and thisregion must be expanded to capacity before you can increase the size of L2SystemFlow. This is relevantwhen you are enabling DAI on VLANs. If, for example, you want to enable DAI on 16 VLANs, you need 7more entries; in this case, reconfigure the SystemFlow region for 122 entries:layer-2 eg-acl value fib value frrp value ing-acl value learn value l2pt value qos value system-flow 122The logic is as follows:L2Protocol has 87 entries by default and must be expanded to its maximum capacity, 100 entries, beforeL2SystemFlow can be increased; therefore 13 more L2Protocol entries are required. L2SystemFlow has15 entries by default, but only 9 are for DAI; to enable DAI on 16 VLANs, 7 more entries are required. 87L2Protocol + 13 additional L2Protocol + 15 L2SystemFlow + 7 additional L2SystemFlow equals 122.Step Task Command Syntax Command Mode1 Enable DHCP Snooping.2 Validate ARP frames against the DHCP Snooping binding table. arp inspection INTERFACE VLAN
