Netband Project - Dynamic Arp Inspection
From Teknologisk videncenter
<accesscontrol>NetBand</accesscontrol> This page is part of the Netband Project
- Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings using the DHCP snooping table. This capability protects the network from certain man-in-the-middle attacks.
- Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
Configuration
ip arp inspection vlan 3,5
Verification
HQSW1#sh ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
3 Enabled Active
5 Enabled Active
Vlan ACL Logging DHCP Logging
---- ----------- ------------
3 Deny Deny
5 Deny Deny
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
3 123 197 197 0
5 15 0 0 0
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
3 123 0 0
5 15 0 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
3 0 0 0
5 0 0 0