Security Commands
ProSAFE M7100 Managed Switches
Dynamic ARP Inspection Commands
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets.
DAI prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic
for other stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant
sends ARP requests or responses mapping another station’s IP address to its own MAC address.
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and builds a
binding database of valid {MAC address, IP address, VLAN, and interface} tuples.
When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP
address do not match an entry in the DHCP snooping bindings database. You can optionally
configure additional ARP packet validation.
ip arp inspection vlan
Use this command to enable Dynamic ARP Inspection on a list of comma-separated VLAN ranges.
Default disabled
Format ip arp inspection vlan <vlan-list>
Mode Global Config

no ip arp inspection vlan
Use this command to disable Dynamic ARP Inspection on a list of comma-separated VLAN ranges.
Format no ip arp inspection vlan <vlan-list>
Mode Global Config

ip arp inspection validate
Use this command to enable additional validation checks like source MAC address validation,
destination MAC address validation, and IP address validation on the received ARP packets. If
one command enables source MAC address validation and destination MAC address validation, and a
second command enables IP address validation only, the source MAC address validation and
destination MAC address validation are disabled as a result of the second command.
Default disabled
Format ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Mode Global Config
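
The inspection logic described in this section, modeled in Python as an added example (not NETGEAR code and not switch output). The bindings and packets are constructed, the Arp and Dai names are hypothetical, and the meaning given to the src-mac, dst-mac and ip checks follows common DAI implementations, which is an assumption because this page names the checks without defining them.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed DHCP snooping bindings: (MAC, IP, VLAN, interface) tuples.
BINDINGS = {
    ("00:11:22:33:44:55", "192.0.2.10", 10, "1/0/1"),
    ("00:11:22:33:44:66", "192.0.2.20", 10, "1/0/2"),
}

@dataclass(frozen=True)
class Arp:  # hypothetical model of a received ARP frame
    vlan: int
    eth_src: str
    eth_dst: str
    sender_mac: str
    sender_ip: str
    target_mac: str
    is_reply: bool = True

class Dai:
    def __init__(self, vlans):
        self.vlans = set(vlans)  # ip arp inspection vlan <vlan-list>
        self.checks = set()      # ip arp inspection validate (default: disabled)

    def validate(self, *checks):
        self.checks = set(checks)  # replaces the earlier set, never merges

    def verdict(self, p):
        if p.vlan not in self.vlans:
            return "forward (VLAN not inspected)"
        # Optional checks; their exact semantics are an assumption (see lead-in).
        if "src-mac" in self.checks and p.eth_src != p.sender_mac:
            return "drop (src-mac)"
        if "dst-mac" in self.checks and p.is_reply and p.eth_dst != p.target_mac:
            return "drop (dst-mac)"
        ip = IPv4Address(p.sender_ip)
        if "ip" in self.checks and (ip.is_unspecified or ip.is_multicast
                                    or int(ip) == 0xFFFFFFFF):
            return "drop (ip)"
        # Core DAI rule: sender MAC and sender IP must match a binding.
        if not any(b[0] == p.sender_mac and b[1] == p.sender_ip for b in BINDINGS):
            return "drop (no binding)"
        return "forward"

def demo():
    gw, a, b = "00:11:22:33:44:01", "00:11:22:33:44:55", "00:11:22:33:44:66"
    dai = Dai([10])
    legit = Arp(10, a, gw, a, "192.0.2.10", gw)
    poison = Arp(10, b, gw, b, "192.0.2.10", gw)  # b claims a's IP address
    return [dai.verdict(legit), dai.verdict(poison)]
```

Calling validate("src-mac", "dst-mac") and then validate("ip") leaves only the ip check active, which is the override behavior the ip arp inspection validate description warns about.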