Difference between revisions of "Netband Project - Dynamic Arp Inspection"

From Teknologisk videncenter
 
(8 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<accesscontrol>NetBand</accesscontrol>
+
=Dynamic Arp Inspection (DAI)=
 
This page is part of the [[Netband_Project|Netband Project]]
 
This page is part of the [[Netband_Project|Netband Project]]
  
Line 5: Line 5:
 
*Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
 
*Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
  
 +
==Configuration==
 +
-------
 +
'''[[Netband Project - DHCP Snooping | DHCP snooping]] must be configured correctly, for Dynamic arp inspection to work properly.'''
 +
-------
 +
<pre>
 +
ip arp inspection vlan 3,5
 +
</pre>
  
 +
==Verification==
 
<pre>
 
<pre>
 +
HQSW1#sh ip arp inspection
 +
 +
Source Mac Validation      : Disabled
 +
Destination Mac Validation : Disabled
 +
IP Address Validation      : Disabled
  
 +
Vlan    Configuration    Operation  ACL Match          Static ACL
 +
----    -------------    ---------  ---------          ----------
 +
    3    Enabled          Active
 +
    5    Enabled          Active
  
 +
Vlan    ACL Logging      DHCP Logging
 +
----    -----------      ------------
 +
    3    Deny            Deny
 +
    5    Deny            Deny
 +
 +
Vlan      Forwarded        Dropped    DHCP Drops      ACL Drops
 +
----      ---------        -------    ----------      ---------
 +
    3            123            197            197              0
 +
    5            15              0              0              0
 +
 +
Vlan  DHCP Permits    ACL Permits  Source MAC Failures
 +
----  ------------    -----------  -------------------
 +
    3            123              0                    0
 +
    5            15              0                    0
 +
 +
Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
 +
----  -----------------  ----------------------  ---------------------
 +
    3                  0                        0                      0
 +
    5                  0                        0                      0
 
</pre>
 
</pre>
 +
 +
==External Links==
 +
[http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swdynarp.html C3560 configuration guide]<br>
 +
[[Category:network]][[Category:CCNP]][[category:students]][[Category:CCNP4]]
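Review bot: the Configuration block stops at `ip arp inspection vlan 3,5` and never states which ports are trusted, so a reader cannot tell how uplinks or trunk ports toward other switches are meant to be handled; add the interface-level `ip arp inspection trust` lines used in the lab, or say explicitly that every port is left untrusted. In the Verification output, VLAN 3 shows 197 Dropped, all of them DHCP Drops, against 123 Forwarded, with no explanation; a sentence saying whether those drops were an intended test or came from hosts without a DHCP snooping binding would make the output usable as a reference. The output also lists Source Mac, Destination Mac and IP Address Validation as Disabled; state whether that is deliberate, since `ip arp inspection validate` is not part of the shown configuration.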

Latest revision as of 06:37, 13 May 2009

Dynamic ARP Inspection (DAI)

This page is part of the Netband Project

  • Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings using the DHCP snooping table. This capability protects the network from certain man-in-the-middle attacks.
  • Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

Configuration


DHCP snooping must be configured correctly for Dynamic ARP Inspection to work properly.


ip arp inspection vlan 3,5

Verification

HQSW1#sh ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    3     Enabled          Active
    5     Enabled          Active

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    3     Deny             Deny
    5     Deny             Deny

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    3            123            197            197              0
    5             15              0              0              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    3            123              0                     0
    5             15              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    3                   0                        0                       0
    5                   0                        0                       0
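
As an added example (not part of the original page or the Netband project), the Python below parses `sh ip arp inspection` output like the listing above and reports disabled validation checks and VLANs with a non-zero Dropped counter. The sample text is a trimmed copy of that listing, and the function names `parse_dai` and `findings` are illustrative.

```python
import re

# Constructed sample: a trimmed copy of the "sh ip arp inspection" output above.
SAMPLE = """\
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    3            123            197            197              0
    5             15              0              0              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    3            123              0                     0
    5             15              0                     0
"""

def parse_dai(text):
    """Return ({check: enabled}, {vlan: {counter: value}}) from the CLI text."""
    checks, stats, headers = {}, {}, []
    for line in text.splitlines():
        m = re.match(r"\s*(.+?) Validation\s*:\s*(\w+)", line)
        if m:
            checks[m.group(1)] = m.group(2) == "Enabled"
        elif line.strip().startswith("Vlan"):
            # Column titles are separated by runs of two or more spaces.
            headers = re.split(r"\s{2,}", line.strip())[1:]
        elif re.fullmatch(r"[\s\d]*\d[\s\d]*", line):
            # Numeric row: VLAN id followed by one value per column title.
            vlan, *vals = map(int, line.split())
            if len(vals) == len(headers):
                stats.setdefault(vlan, {}).update(zip(headers, vals))
    return checks, stats

def findings(text):
    """List disabled validation checks and VLANs whose Dropped counter is non-zero."""
    checks, stats = parse_dai(text)
    out = [f"{name} validation is disabled" for name, on in checks.items() if not on]
    for vlan, c in sorted(stats.items()):
        if c.get("Dropped", 0):
            out.append(f"VLAN {vlan}: {c['Dropped']} dropped, {c.get('Forwarded', 0)} "
                       f"forwarded, {c.get('DHCP Drops', 0)} DHCP drops")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

Rows from the non-numeric tables (Configuration/Operation, ACL/DHCP Logging) are skipped, so the full listing can be passed in unchanged.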

External Links

C3560 configuration guide