Netband Project - Dynamic Arp Inspection
From Teknologisk videncenter
Dynamic Arp Inspection (DAI)
This page is part of the Netband Project
- Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings using the DHCP snooping table. This capability protects the network from certain man-in-the-middle attacks.
- Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
Configuration
DHCP snooping must be configured correctly, for Dynamic arp inspection to work properly.
ip arp inspection vlan 3,5
Verification
HQSW1#sh ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
3 Enabled Active
5 Enabled Active
Vlan ACL Logging DHCP Logging
---- ----------- ------------
3 Deny Deny
5 Deny Deny
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
3 123 197 197 0
5 15 0 0 0
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
3 123 0 0
5 15 0 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
3 0 0 0
5 0 0 0