Difference between revisions of "Netband Project - Dynamic Arp Inspection"
From Teknologisk videncenter
(→Configuration) |
(3 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | + | =Dynamic Arp Inspection (DAI)= | |
This page is part of the [[Netband_Project|Netband Project]] | This page is part of the [[Netband_Project|Netband Project]] | ||
Line 7: | Line 7: | ||
==Configuration== | ==Configuration== | ||
------- | ------- | ||
− | '''[[Netband Project - DHCP Snooping | DHCP snooping]] must be configured correctly, for | + | '''[[Netband Project - DHCP Snooping | DHCP snooping]] must be configured correctly, for Dynamic arp inspection to work properly.''' |
------- | ------- | ||
<pre> | <pre> | ||
Line 49: | Line 49: | ||
==External Links== | ==External Links== | ||
[http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swdynarp.html C3560 configuration guide]<br> | [http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swdynarp.html C3560 configuration guide]<br> | ||
+ | [[Category:network]][[Category:CCNP]][[category:students]][[Category:CCNP4]] |
Latest revision as of 06:37, 13 May 2009
Dynamic Arp Inspection (DAI)
This page is part of the Netband Project
- Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings using the DHCP snooping table. This capability protects the network from certain man-in-the-middle attacks.
- Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
Configuration
DHCP snooping must be configured correctly for Dynamic ARP Inspection to work properly, because DAI validates ARP packets against the DHCP snooping table.
<pre>
ip arp inspection vlan 3,5
</pre>
Verification
<pre>
HQSW1#sh ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    3     Enabled          Active
    5     Enabled          Active

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    3     Deny             Deny
    5     Deny             Deny

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    3            123            197            197              0
    5             15              0              0              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    3            123              0                     0
    5             15              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    3                   0                        0                       0
    5                   0                        0                       0
</pre>
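Added example (not part of the original page or the Netband Project): a small Python parser for the `sh ip arp inspection` output above that reports which validation checks are off and which VLANs have dropped ARP packets. The sample text is an excerpt of the output shown on this page; the function and variable names are hypothetical.

```python
import re

# Excerpt of the "sh ip arp inspection" output from the Verification section.
SAMPLE = """\
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    3            123            197            197              0
    5             15              0              0              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    3            123              0                     0
    5             15              0                     0
"""

COLS = ("forwarded", "dropped", "dhcp_drops", "acl_drops")

def parse(text):
    """Return (validation settings, per-VLAN counters of the Forwarded/Dropped table)."""
    checks = dict(re.findall(r"^(.+? Validation)\s*:\s*(\w+)", text, re.M))
    stats, in_table = {}, False
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["Vlan", "Forwarded"]:          # header of the table we want
            in_table = True
        elif in_table and len(words) == 5 and all(w.isdigit() for w in words):
            stats[int(words[0])] = dict(zip(COLS, map(int, words[1:])))
        elif in_table and words and not words[0].startswith("-"):
            in_table = False                            # next table header: stop
    return checks, stats

def findings(text):
    """List validation checks that are not enabled and VLANs with dropped ARP packets."""
    checks, stats = parse(text)
    out = [f"{name} is {state} (optional extra check)"
           for name, state in checks.items() if state != "Enabled"]
    for vlan, c in sorted(stats.items()):
        if c["dropped"]:
            out.append(f"VLAN {vlan}: {c['dropped']} ARP packets dropped "
                       f"({c['dhcp_drops']} DHCP snooping, {c['acl_drops']} ARP ACL)")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

A rising Dropped counter on a VLAN is worth correlating with the switch's DAI log messages, since it can indicate either ARP spoofing or a host missing from the DHCP snooping table.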