Dynamic ARP Inspection (DAI) is a method of providing
protection against address resolution protocol (ARP)
spoofing attacks. It intercepts, logs, and discards ARP
packets with invalid IP-to-MAC address bindings. This
capability protects the network from certain
man-in-the-middle attacks.
This grouping defines Dynamic ARP inspection configuration
parameters.
ip-source-guard-config
ip-source-guard
IP source guard (IPSG) is a security feature that filters
traffic based on the DHCP snooping binding database and on
manually configured IP source bindings in order to restrict
IP traffic on non-routed Layer 2 interfaces.
The IPSG feature provides source IP address filtering on a
Layer 2 port, to prevent a malicious host from manipulating
a legitimate host by assuming the legitimate host's IP
address. This feature uses dynamic DHCP snooping and static IP
source binding to match IP addresses to hosts.
This grouping defines IP source guard configuration
parameters.
mac-aging-config
aging
A MAC address in the MAC table is considered valid only for
the duration of the MAC address aging time. When the time
expires, the relevant MAC entries are repopulated. When the
MAC aging time is configured only under a bridge domain, all
the pseudowires and attachment circuits in the bridge domain
use that configured MAC aging time.
A bridge forwards, floods, or drops packets based on the
bridge table. The bridge table maintains both static entries
and dynamic entries. Static entries are entered by the network
manager or by the bridge itself. Dynamic entries are entered
by the bridge learning process. A dynamic entry is
automatically removed after a specified length of aging time,
from the time the entry was created or last updated.
This grouping defines MAC aging configurations for bridge
domain and its members.
mac-event-action-config
port-down
This grouping defines configuration of events that affect
the MAC table.
mac-flooding-config
flooding
Ethernet services require that frames that are sent to
broadcast addresses and to unknown destination addresses be
flooded to all ports. To obtain flooding within VPLS broadcast
models, all unknown unicast, broadcast, and multicast frames
are flooded over the corresponding pseudowires and to all
attachment circuits. Therefore, a PE must replicate packets
across both attachment circuits and pseudowires.
This grouping defines flooding configurations for bridge
domain and its members.
mac-flooding-state
flooding
This grouping defines flooding operational state for bridge
domain and its members.
mac-learning-config
learning-enabled limit
When a frame arrives on a bridge port (for example,
pseudowire or attachment circuit) and the source MAC address
is unknown to the receiving PE router, the source MAC address
is associated with the pseudowire or attachment circuit.
Outbound frames to the MAC address are forwarded to the
appropriate pseudowire or attachment circuit.
This grouping defines MAC learning configurations for bridge
domain and its members.
mac-secure-config
secure
This grouping defines MAC secure configuration.
snooping-profile-config
igmp-snooping mld-snooping dhcp-ipv4-snooping
This grouping defines snooping profile configuration for
Internet Group Management Protocol (IGMP), Multicast Listener
Discovery (MLD) and Dynamic Host Configuration Protocol
(DHCP).