Using DAI, IP Source Guard, and Duplicate IP Detection

Once DAI is enabled or set to inspection-only, ARP packet inspection occurs. On those ports, all ARP traffic is intercepted and the MAC and IP addresses in the ARP packet are verified against the entry in the MAC-to-IP address binding table. Actions may be taken against the user if the violation threshold has been crossed for the port, as configured by the port class.

Similarly, if IP source guard is enabled or configured for inspection-only, IP traffic is intercepted and verified against the binding table. Once a connection is created, that traffic won't be inspected again unless the source IP address associated with the MAC address changes. As IP address changes are detected and configured thresholds for that value are crossed, the anti-spoofing feature will take action, depending on the configuration of the class of port with which the user is associated. The possible actions are to log the event to SYSLOG, send an SNMP notification, or perform the quarantine action. The quarantine action is configurable through the policy and multiauth quarantine controls. Extreme Networks highly recommends that you use quarantine policies to classify the user traffic upon violation hits.

If the duplicate IP detection feature is enabled, when new MAC to IP bindings are created or current bindings are changed, an IP address lookup is run on the bindings database to verify that the IP is not currently in use. If it is in use, a SYSLOG message and trap are sent.
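
The binding-table check, per-port violation thresholds, and duplicate IP lookup described above can be modeled in a few lines of Python. This is an added example, not Extreme Networks code: the class names, the per-action threshold layout, the port name, and the choice to record a binding even when a duplicate is found are all assumptions made for illustration.

```python
# Added example: a toy model of the checks described above, not switch code.
from dataclasses import dataclass, field

@dataclass
class PortClass:
    # Assumed layout: violation count at which each action fires for a port class.
    thresholds: dict = field(default_factory=lambda: {"syslog": 1, "snmp": 2, "quarantine": 3})

@dataclass
class AntiSpoofModel:
    port_class: dict                                  # port name -> PortClass
    bindings: dict = field(default_factory=dict)      # MAC -> IP binding table
    violations: dict = field(default_factory=dict)    # port name -> violation count

    def bind(self, mac, ip):
        """Create or change a binding. Returns the MAC already using ip, or None."""
        holder = next((m for m, i in self.bindings.items() if i == ip and m != mac), None)
        # Assumption: the binding is recorded either way; the page only says that
        # a SYSLOG message and trap are sent when the address is already in use.
        self.bindings[mac] = ip
        return holder

    def inspect(self, port, mac, ip):
        """Check an ARP sender (or IP source) against the binding table.
        Returns (matched, actions that fire at this violation count)."""
        if self.bindings.get(mac) == ip:
            return True, []
        count = self.violations[port] = self.violations.get(port, 0) + 1
        limits = self.port_class[port].thresholds
        return False, [a for a, at in limits.items() if count == at]

def demo():
    # Constructed sample data: documentation MAC and IP ranges, made-up port name.
    sw = AntiSpoofModel(port_class={"port1": PortClass()})
    host, other = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    out = [sw.bind(host, "192.0.2.10")]                  # new binding, no duplicate
    out.append(sw.inspect("port1", host, "192.0.2.10"))  # matches the table
    for _ in range(3):                                   # unbound MAC claims the host's IP
        out.append(sw.inspect("port1", other, "192.0.2.10"))
    out.append(sw.bind(other, "192.0.2.10"))             # duplicate IP detected
    return out

if __name__ == "__main__":
    for step in demo():
        print(step)
```

In this model each repeated mismatch on the port escalates from SYSLOG to SNMP notification to quarantine, and the final binding attempt returns the MAC that already holds the address, which is the condition that triggers the duplicate IP SYSLOG message and trap.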