
Switching Commands

AT8404

AT8404 CLI Reference Manual

Page 2 - 88

2.17

Dynamic ARP Inspection Commands

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a
class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other stations by poisoning the
ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests or responses mapping another
station’s IP address to its own MAC address.

DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and builds a binding database
of valid {MAC address, IP address, VLAN, and interface} tuples.

When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address do not
match an entry in the DHCP snooping bindings database. You can optionally configure additional ARP packet
validation.

2.17.1

ip arp inspection vlan

Use this command to enable Dynamic ARP Inspection on a list of comma-separated VLAN ranges.

Default: disabled
Format: ip arp inspection vlan vlan-list
Mode: Global Config

2.17.1.1

no ip arp inspection vlan

Use this command to disable Dynamic ARP Inspection on a list of comma-separated VLAN ranges.

Format: no ip arp inspection vlan vlan-list
Mode: Global Config

2.17.2

ip arp inspection validate

Use this command to enable additional validation checks like source-mac validation, destination-mac validation, and
ip address validation on the received ARP packets. Each command overrides the configuration of the previous
command. For example, if a command enables src-mac and dst-mac validations, and a second command enables
IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.

Default: disabled
Format: ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Mode: Global Config

2.17.2.1

no ip arp inspection validate

Use this command to disable the additional validation checks on the received ARP packets.

Format: no ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Mode: Global Config

2.17.3

ip arp inspection vlan logging

Use this command to enable logging of invalid ARP packets on a list of comma-separated VLAN ranges.
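The binding-table check described at the top of this section, the override behaviour of ip arp inspection validate (2.17.2) and the per-VLAN logging of 2.17.3, worked through as a small Python simulation of the switch's decision. This is an added example, not code from the manual or from the AT8404 switch: the DaiSwitch class and its method names, the sample bindings and packets are all constructed here, restricting the binding match to the packet's VLAN is an assumption, and the meaning given to the src-mac, dst-mac and ip checks (which the manual names but does not define) follows common DAI semantics and is likewise an assumption.

```python
"""Simulation of Dynamic ARP Inspection as described in section 2.17 (added example)."""
from dataclasses import dataclass
import ipaddress


def parse_vlan_list(vlan_list: str) -> set:
    """Expand a comma-separated VLAN range list such as "10,20-22" into a set of ints."""
    vlans = set()
    for part in vlan_list.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: {MAC address, IP address, VLAN, interface}."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    """Fields of a received ARP packet (Ethernet header plus ARP body)."""
    vlan: int
    eth_src: str     # Ethernet source MAC
    eth_dst: str     # Ethernet destination MAC
    op: str          # "request" or "reply"
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address
    target_mac: str
    target_ip: str


class DaiSwitch:
    """Hypothetical model of the global-config state set by the 2.17 commands."""

    def __init__(self, bindings):
        self.bindings = set(bindings)       # built by DHCP snooping
        self.inspected_vlans = set()        # ip arp inspection vlan (default: disabled)
        self.logging_vlans = set()          # ip arp inspection vlan logging (default: disabled)
        self.validate = frozenset()         # ip arp inspection validate (default: disabled)
        self.log = []

    def ip_arp_inspection_vlan(self, vlan_list, enable=True):
        vlans = parse_vlan_list(vlan_list)
        self.inspected_vlans = (self.inspected_vlans | vlans) if enable else (self.inspected_vlans - vlans)

    def ip_arp_inspection_vlan_logging(self, vlan_list, enable=True):
        vlans = parse_vlan_list(vlan_list)
        self.logging_vlans = (self.logging_vlans | vlans) if enable else (self.logging_vlans - vlans)

    def ip_arp_inspection_validate(self, *checks):
        # Each command overrides the previous one (2.17.2): the new set replaces the old.
        unknown = set(checks) - {"src-mac", "dst-mac", "ip"}
        if unknown:
            raise ValueError(f"unknown validation option(s): {sorted(unknown)}")
        self.validate = frozenset(checks)

    def no_ip_arp_inspection_validate(self):
        self.validate = frozenset()

    def inspect(self, pkt: ArpPacket):
        """Return (verdict, reason) for one ARP packet; drops are logged where enabled."""
        if pkt.vlan not in self.inspected_vlans:
            return ("permit", "DAI not enabled on this VLAN")
        reason = self._first_failure(pkt)
        if reason is None:
            return ("permit", "ok")
        if pkt.vlan in self.logging_vlans:
            self.log.append(f"DAI drop vlan {pkt.vlan} {pkt.sender_mac}/{pkt.sender_ip}: {reason}")
        return ("drop", reason)

    def _first_failure(self, pkt):
        # Core check from the manual: sender MAC and sender IP must match a binding.
        # Requiring the binding's VLAN to match is an assumption of this example.
        if not any(b.mac == pkt.sender_mac and b.ip == pkt.sender_ip and b.vlan == pkt.vlan
                   for b in self.bindings):
            return "no DHCP snooping binding for sender MAC/IP"
        # Optional checks; their meaning below is assumed (usual DAI semantics).
        if "src-mac" in self.validate and pkt.eth_src != pkt.sender_mac:
            return "src-mac: Ethernet source differs from ARP sender MAC"
        if "dst-mac" in self.validate and pkt.op == "reply" and pkt.eth_dst != pkt.target_mac:
            return "dst-mac: Ethernet destination differs from ARP target MAC"
        if "ip" in self.validate:
            addrs = [pkt.sender_ip] + ([pkt.target_ip] if pkt.op == "reply" else [])
            for a in addrs:
                ip = ipaddress.ip_address(a)
                if ip.is_unspecified or ip.is_multicast or a == "255.255.255.255":
                    return f"ip: unexpected address {a}"
        return None


def run_demo():
    """Constructed bindings and packets (not from the manual); returns the verdicts."""
    sw = DaiSwitch([Binding("00:11:22:33:44:55", "10.0.10.20", 10, "0/1"),
                    Binding("00:11:22:33:44:66", "10.0.10.21", 10, "0/2")])
    sw.ip_arp_inspection_vlan("10,20-22")
    sw.ip_arp_inspection_vlan_logging("10")
    sw.ip_arp_inspection_validate("src-mac", "dst-mac")
    sw.ip_arp_inspection_validate("ip")  # overrides: src-mac and dst-mac are now off
    # Field order: vlan, eth_src, eth_dst, op, sender_mac, sender_ip, target_mac, target_ip
    legit = ArpPacket(10, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "request",
                      "00:11:22:33:44:55", "10.0.10.20", "00:00:00:00:00:00", "10.0.10.1")
    # Station .21 answers with .20's IP mapped to its own MAC: the poisoning the section describes.
    spoof = ArpPacket(10, "00:11:22:33:44:66", "00:11:22:33:44:55", "reply",
                      "00:11:22:33:44:66", "10.0.10.20", "00:11:22:33:44:55", "10.0.10.21")
    # Binding matches, but Ethernet source differs from ARP sender MAC: only src-mac catches it.
    mismatch = ArpPacket(10, "00:11:22:33:44:66", "ff:ff:ff:ff:ff:ff", "request",
                         "00:11:22:33:44:55", "10.0.10.20", "00:00:00:00:00:00", "10.0.10.1")
    results = {"legit": sw.inspect(legit)[0], "spoof": sw.inspect(spoof)[0],
               "mismatch_after_override": sw.inspect(mismatch)[0],
               "uninspected_vlan": sw.inspect(ArpPacket(30, *spoof.__dict__.values().__iter__().__next__().__class__.__mro__[:0] or ("00:11:22:33:44:66", "00:11:22:33:44:55", "reply", "00:11:22:33:44:66", "10.0.10.20", "00:11:22:33:44:55", "10.0.10.21")))[0]}
    sw.ip_arp_inspection_validate("src-mac")  # overrides again: now src-mac only
    results["mismatch_with_src_mac"] = sw.inspect(mismatch)[0]
    results["validate_now"] = sorted(sw.validate)
    results["log_entries"] = len(sw.log)
    return results
```

Running run_demo() shows the spoofed reply dropped by the binding check alone, the Ethernet/ARP MAC mismatch passing while only the ip check is active and dropped once src-mac is re-enabled, a packet on an uninspected VLAN permitted, and two drops logged because VLAN 10 has logging on.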