Delayless IPDT

Information About Delayless IPDT

The Delayless IP Device Tracking (IPDT) feature allows faster processing of ARP packets in a network when IPDT is enabled. Delayless IPDT is supported on all IE3x00 switches. Delayless IPDT does not require any configuration other than enabling IPDT, and there are no specific commands to verify Delayless IPDT.

IPDT uses the DHCP snooping and ARP snooping features to build a database of the IP-to-MAC bindings present on the switch. Without the Delayless IPDT feature, when IPDT is configured, all ARP packets are punted to the CPU for processing and are then forwarded from the CPU to their final destination.

With the Delayless IPDT feature, when IPDT is configured, the original ARP traffic is forwarded through hardware and only a copy of each ARP packet is sent to software for IP-to-MAC binding creation. This reduces ARP delivery time. Delayless IPDT does not change IPv6 neighbor discovery behavior.

Delayless IPDT does not work if Dynamic ARP Inspection (DAI) is enabled. DAI is a security feature that filters ARP requests and responses to prevent Layer 2 attacks such as ARP cache poisoning. Filtering is based on the DHCP snooping binding database or on user-configured ARP Access Control Lists (ACLs).


Note: When DAI is enabled and the limit on ARP packets sent to the CPU is exceeded, the IE3100 drops ARP packets at random for a few seconds.

The following table summarizes how ARP packets are processed based on the IPDT and DAI configuration.

Configured Feature     | ARP Packet Processing
-----------------------|-----------------------------------------------------------------------------------------------
Only IPDT enabled      | ARP packets are forwarded through hardware and a copy is punted to the CPU (Delayless IPDT). Note: copied packets are discarded after processing.
Only DAI enabled       | ARP packets are punted to the CPU for processing (no Delayless IPDT). With DAI enabled, ARP packets are delayed slightly while the CPU processes them.
IPDT and DAI enabled   | ARP packets are punted to the CPU for processing (no Delayless IPDT).

Guidelines and Limitations

  • Delayless IPDT takes effect automatically when an IPDT policy is enabled on at least one interface or VLAN.

    This feature is enabled globally irrespective of which interface or VLAN has an IPDT policy attached.

  • Delayless IPDT works in both access and trunk modes.

  • Delayless IPDT does not work if the switch has DAI enabled on any VLAN.

  • IPDT policy can be attached or detached per interface or VLAN.

Example IPDT Configuration

The Delayless IPDT feature has no specific CLI to configure it; it is turned on automatically when IPDT is configured and enabled. The following example shows the basic commands for configuring an IPDT policy and attaching it to an interface or a VLAN:

configure terminal
device-tracking policy test
 limit address-count <count>
 security-level glean
 tracking enable
exit
interface GigabitEthernet1/5
 device-tracking attach-policy test
exit
vlan configuration 5
 device-tracking attach-policy test
exit

Verifying IPDT

There are no specific commands to verify Delayless IPDT. You can use the following IPDT show commands to display details about the IPDT database:

  • show device-tracking database

  • show device-tracking database interface <interfaceid>

  • show device-tracking database details

  • show device-tracking database vlanid <vlanid>

The following is an example of output for the show device-tracking database interface command:

Switch#show device-tracking database interface GigabitEthernet1/5
portDB has 4 entries for interface Gi1/5, 4 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned


    Network Layer Address                    Link Layer Address     Interface  vlan       prlvl      age        state      Time left
ARP 3.1.1.10                                 0000.1100.0004         Gi1/5      30         0005       12s        REACHABLE  297 s
ARP 3.1.1.9                                  0000.1100.0003         Gi1/5      30         0005       17s        REACHABLE  289 s
ARP 3.1.1.8                                  0000.1100.0002         Gi1/5      30         0005       21s        REACHABLE  292 s
ARP 3.1.1.7                                  0000.1100.0001         Gi1/5      30         0005       25s        REACHABLE  276 s
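As an added example that is not part of the Cisco documentation, the following Python parser reads this show device-tracking database output format, decodes the prlvl bit flags from the legend printed by the switch, and lists bindings that carry no DHCP, static, CGA or certificate flag (that is, bindings backed only by gleaned traffic, which is what DAI would otherwise validate). The sample input is constructed from the page's example output with one DH4 row added.

```python
import re
# Legend for the prlvl bit flags, copied from the switch output above.
PRLVL_FLAGS = {
    0x0001: "MAC and LLA match", 0x0002: "Orig trunk", 0x0004: "Orig access",
    0x0008: "Orig trusted trunk", 0x0010: "Orig trusted access",
    0x0020: "DHCP assigned", 0x0040: "Cga authenticated",
    0x0080: "Cert authenticated", 0x0100: "Statically assigned",
}

# One binding row: code, IP, MAC, interface, vlan, prlvl, age, state, time left
ENTRY_RE = re.compile(
    r"^(?P<code>[A-Z0-9]+)\s+(?P<ip>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<intf>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<prlvl>[0-9a-f]{4})\s+(?P<age>\d+)s\s+"
    r"(?P<state>\S+)\s+(?P<left>\d+)\s*s$"
)

def decode_prlvl(prlvl_hex):
    """Return the legend names of every bit set in a 4-digit hex prlvl."""
    value = int(prlvl_hex, 16)
    return [name for bit, name in sorted(PRLVL_FLAGS.items()) if value & bit]

def parse_database(text):
    """Parse show device-tracking database output into a list of bindings."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:  # legend, headings and blank lines are skipped
            continue
        e = m.groupdict()
        for k in ("vlan", "age", "left"):
            e[k] = int(e[k])
        e["flags"] = decode_prlvl(e["prlvl"])
        entries.append(e)
    return entries

def gleaned_only(entries):
    """Bindings backed only by gleaned traffic (no DHCP, static, CGA or cert flag)."""
    verified = {"DHCP assigned", "Statically assigned",
                "Cga authenticated", "Cert authenticated"}
    return [e for e in entries if not verified & set(e["flags"])]

# Constructed sample, trimmed from the page's example output (DH4 row added).
SAMPLE = """\
portDB has 2 entries for interface Gi1/5, 2 dynamic
    Network Layer Address  Link Layer Address  Interface vlan prlvl age state     Time left
ARP 3.1.1.10               0000.1100.0004      Gi1/5     30   0005  12s REACHABLE 297 s
DH4 3.1.1.9                0000.1100.0003      Gi1/5     30   0024  17s REACHABLE 289 s
"""
```

Feed the full command output to parse_database and run gleaned_only over the result to see which IP-to-MAC bindings the switch learned from ARP alone.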

Feature History

Feature Name    | Release               | Feature Information
----------------|-----------------------|---------------------------
Delayless IPDT  | Cisco IOS XE 17.14.1  | Initial support on IE3x00