Chapter 5: Switching Commands 499
Dynamic ARP Inspection Commands
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and
malicious ARP packets. DAI prevents a class of man-in-the-middle attacks,
where an unfriendly station intercepts traffic for other stations by poisoning the
ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests or
responses mapping another station’s IP address to its own MAC address.
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message
exchanges and builds a binding database of valid
{MAC address, IP address,
VLAN, and interface
} tuples.
When DAI is enabled, the switch drops ARP packets whose sender MAC address
and sender IP address do not match an entry in the DHCP snooping bindings
database. You can optionally configure additional ARP packet validation.
ip arp inspection
vlan
Use this command to enable Dynamic ARP Inspection on a list of comma-
separated VLAN ranges.
no ip arp inspection
vlan
Use this command to disable Dynamic ARP Inspection on a list of comma-
separated VLAN ranges.
ip arp inspection
validate
Use this command to enable additional validation checks like source-mac
validation, destination-mac validation, and ip address validation on the received
ARP packets. Each command overrides the configuration of the previous
command. For example, if a command enables src-mac and dst-mac validations,
and a second command enables IP validation only, the src-mac and dst-mac
validations are disabled as a result of the second command.
Default
disabled
Format
ip arp inspection vlan vlan-list
Mode Global Config
Format
no ip arp inspection vlan vlan-list
Mode Global Config
To Next Page
Loading...
