Difference between revisions of "Netband Project - Dynamic Arp Inspection"

From Teknologisk videncenter
Line 5: Line 5:
 
*Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
 
*Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
  
 +
==Configuration==
 +
<pre>
 +
ip arp inspection vlan 3,5
 +
</pre>
  
 +
 +
==Verification==
 
<pre>
 
<pre>
ip arp inspection vlan 3,5
+
HQSW1#sh ip arp inspection
 +
 
 +
Source Mac Validation      : Disabled
 +
Destination Mac Validation : Disabled
 +
IP Address Validation      : Disabled
 +
 
 +
Vlan    Configuration    Operation  ACL Match          Static ACL
 +
----    -------------    ---------  ---------          ----------
 +
    3     Enabled          Active
 +
    5     Enabled          Active
 +
 
 +
Vlan    ACL Logging      DHCP Logging
 +
----    -----------      ------------
 +
    3    Deny            Deny
 +
    5    Deny            Deny
 +
 
 +
Vlan      Forwarded        Dropped    DHCP Drops      ACL Drops
 +
----      ---------        -------    ----------      ---------
 +
    3            123            197            197              0
 +
    5            15              0              0              0
 +
 
 +
Vlan  DHCP Permits    ACL Permits  Source MAC Failures
 +
----  ------------    -----------  -------------------
 +
    3            123              0                    0
 +
    5            15              0                    0
 +
 
 +
Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
 +
----  -----------------  ----------------------  ---------------------
 +
    3                  0                        0                      0
 +
    5                  0                        0                      0
 
</pre>
 
</pre>
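Review bot: the new Configuration section shows only "ip arp inspection vlan 3,5", yet the page states that inspection checks ARP packets against the DHCP snooping table. The section should also show DHCP snooping enabled for VLANs 3 and 5 and say which ports are trusted, since the added Verification output already reports 197 DHCP drops on VLAN 3 that a reader cannot interpret without that context. The output also lists source MAC, destination MAC and IP address validation as Disabled; add a line saying whether that is intended for this lab.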

Revision as of 14:55, 14 April 2009

This page is part of the Netband Project

  • Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings using the DHCP snooping table. This capability protects the network from certain man-in-the-middle attacks.
  • Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

Configuration

ip arp inspection vlan 3,5


Verification

HQSW1#sh ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    3     Enabled          Active
    5     Enabled          Active

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    3     Deny             Deny
    5     Deny             Deny

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    3            123            197            197              0
    5             15              0              0              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    3            123              0                     0
    5             15              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    3                   0                        0                       0
    5                   0                        0                       0
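
One way to turn the counters above into follow-up items, as an added example that is not part of the original wiki page: a Python parser for the `show ip arp inspection` output that reports disabled validation checks and VLANs with dropped ARP packets. The function names `parse_dai` and `audit` are hypothetical, and the sample input is an excerpt of the output shown on this page.

```python
import re

# Sample input: an excerpt of the `show ip arp inspection` output on this page.
SAMPLE = """\
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    3     Enabled          Active
    5     Enabled          Active

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    3            123            197            197              0
    5             15              0              0              0
"""

def parse_dai(text):
    """Return (validation checks, per-VLAN fields) parsed from the CLI output."""
    checks, vlans, header = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(.+ Validation)\s*:\s*(\w+)$", line)
        if m:
            checks[m.group(1)] = m.group(2)
        elif line.startswith("Vlan"):
            header = re.split(r"\s{2,}", line)[1:]  # column names after "Vlan"
        elif header and re.match(r"\d+\s", line):
            vlan, *vals = line.split()
            # Assumption: only trailing columns are ever blank, so zip() aligns.
            row = ((h, int(v) if v.isdigit() else v) for h, v in zip(header, vals))
            vlans.setdefault(int(vlan), {}).update(row)
    return checks, vlans

def audit(text):
    """List the items in the output that deserve a follow-up."""
    checks, vlans = parse_dai(text)
    findings = [f"{name} is {state}" for name, state in checks.items() if state != "Enabled"]
    for vlan, c in sorted(vlans.items()):
        if c.get("Operation", "Active") != "Active":
            findings.append(f"VLAN {vlan}: inspection not active")
        if c.get("Dropped", 0):
            pct = 100 * c["Dropped"] // (c["Dropped"] + c["Forwarded"])
            findings.append(f"VLAN {vlan}: {c['Dropped']} ARP packets dropped ({pct}%), "
                            f"{c['DHCP Drops']} by DHCP binding check, {c['ACL Drops']} by ACL")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On this page's output the audit reports the three disabled validation checks and the drops on VLAN 3, all of which were counted against the DHCP snooping binding check.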