Information About Delayless IPDT
The Delayless IP Device Tracking (IPDT) feature allows faster processing of ARP packets in a network with IPDT enabled. Delayless IPDT is supported on all IE3x00 switches. Delayless IPDT does not require any configuration other than enabling IPDT, and there are no specific commands to verify Delayless IPDT.
IPDT uses the DHCP snooping and ARP snooping features to build a database of the IP-to-MAC bindings present on the switch. Without the Delayless IPDT feature, when IPDT is configured, all ARP packets are punted to the CPU for processing and then the packets are forwarded to the final destination from the CPU. This delays ARP delivery, which could cause communication errors between hosts or stop production.
With the Delayless IPDT feature, when IPDT is configured, the original ARP traffic is forwarded through hardware and only a copy of the ARP packets is sent to software for IP-MAC binding creation. This reduces the ARP delivery time. Delayless IPDT does not change IPv6 neighbor discovery behavior.
Delayless IPDT does not work if Dynamic ARP Inspection (DAI) is enabled. DAI is a security feature that provides a mechanism to filter ARP requests and responses to prevent Layer 2 attacks such as ARP cache poisoning. Filtering is done based on the DHCP snooping binding database or user-configured ARP Access Control Lists (ACLs).
The following table summarizes how ARP packets are processed based on the IPDT and DAI configuration.
Configured Feature | ARP Packet Processing
---|---
Only IPDT enabled | ARP packets are forwarded through hardware and a copy is punted to CPU (Delayless IPDT).
Only DAI enabled | ARP packets are punted to CPU for processing (no Delayless IPDT). With DAI enabled, ARP packets are delayed slightly as the CPU processes.
IPDT and DAI enabled | ARP packets are punted to CPU for processing (no Delayless IPDT).
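
The difference between the two software paths, as an added Python sketch (not Cisco code; the function names, addresses and sample frames are constructed for illustration): IPDT only records the sender's IP-to-MAC binding, so a copy of the ARP packet is enough, while DAI must return a permit or drop verdict before the packet can be forwarded. The DAI check is simplified to a lookup in a DHCP snooping style table and leaves out ARP ACLs.

```python
import struct
from ipaddress import IPv4Address

def build_arp(sender_mac: str, sender_ip: str) -> bytes:
    """Build a constructed broadcast ARP request (Ethernet II, 42 bytes)."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + mac + b"\x08\x06"                 # dst, src, EtherType ARP
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)       # Ethernet/IPv4, request
    target = b"\x00" * 6 + IPv4Address("192.0.2.1").packed
    return eth + hdr + mac + IPv4Address(sender_ip).packed + target

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[22:28].hex(":"), str(IPv4Address(frame[28:32]))

def ipdt_learn(bindings: dict, frame_copy: bytes) -> None:
    """IPDT-only path: observe a copy and record the binding.
    Nothing waits on this result; the original was already forwarded."""
    parsed = parse_arp(frame_copy)
    if parsed:
        mac, ip = parsed
        bindings[ip] = mac

def dai_permit(snooping_db: dict, frame: bytes) -> bool:
    """DAI path: the frame is held until this verdict is known.
    Permit only if the sender IP maps to the sender MAC in the table."""
    parsed = parse_arp(frame)
    if parsed is None:
        return False
    mac, ip = parsed
    return snooping_db.get(ip) == mac

# Constructed sample frames (documentation address range, made-up MACs).
LEGIT = build_arp("00:11:22:33:44:55", "192.0.2.10")
SPOOFED = build_arp("de:ad:be:ef:00:01", "192.0.2.10")   # same IP, other MAC

if __name__ == "__main__":
    table = {}
    ipdt_learn(table, LEGIT)
    print("IPDT bindings:", table)
    print("DAI verdict, legit:", dai_permit(table, LEGIT))
    print("DAI verdict, spoofed:", dai_permit(table, SPOOFED))
```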