Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks in which a malicious station intercepts traffic destined for other stations by poisoning the ARP caches of its unsuspecting neighbors. Because ARP carries no authentication, the attacker only has to send ARP requests or responses that map another station's IP address (typically the default gateway's) to its own MAC address, and the neighbors update their caches accordingly.
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and builds a binding database of valid {MAC address, IP address, VLAN, and interface} tuples.
When DAI is enabled on a VLAN, the switch inspects ARP packets received on untrusted interfaces in that VLAN and drops any packet whose sender MAC address and sender IP address do not match an entry in the DHCP snooping bindings database. ARP packets received on trusted interfaces are forwarded without inspection. You can optionally configure additional ARP packet validation.
Use this command to enable Dynamic ARP Inspection on a list of comma-separated VLAN ranges.
Use this command to disable Dynamic ARP Inspection on a list of comma-separated VLAN ranges.
Use this command to enable additional validation checks (source-MAC validation, destination-MAC validation, and IP address validation) on received ARP packets. The checks are set as a group: each invocation replaces the configuration of the previous command rather than adding to it. For example, if one command enables src-mac and dst-mac validation and a second command enables IP validation only, src-mac and dst-mac validation are disabled as a result of the second command. To keep all three, specify all three in a single command.
Use this command to disable the additional validation checks on the received ARP packets.
Use this command to enable logging of invalid ARP packets on a list of comma-separated VLAN ranges.
Use this command to disable logging of invalid ARP packets on a list of comma-separated VLAN ranges.
Use this command to configure an interface or range of interfaces as trusted for Dynamic ARP Inspection.
Use this command to configure an interface as untrusted for Dynamic ARP Inspection.
Use this command to configure the rate limit (in packets per second) and burst interval (in seconds) for an interface or range of interfaces. Configuring none for the limit means the interface is not rate limited for Dynamic ARP Inspection. The maximum pps value shown in the range for the rate option may exceed what the hardware can actually enforce, so understand the performance of your switch and choose the maximum rate accordingly.
Note: The user interface will accept a rate limit for a trusted interface, but the limit will not be enforced unless the interface is configured to be untrusted.
Use this command to set the rate limit and burst interval values for an interface to the default values of 15 pps and 1 second, respectively.
Use this command to configure the ARP ACL used to filter invalid ARP packets on a list of comma-separated VLAN ranges. The ACL is consulted before the DHCP snooping bindings: a packet that matches a permit statement is forwarded. Without the static keyword, a packet that matches no permit statement is then checked against the DHCP snooping bindings. If the static keyword is given, packets that do not match a permit statement are dropped without consulting the DHCP snooping bindings, so every host on the VLAN must be covered by the ACL.
Use this command to unconfigure the ARP ACL used to filter invalid ARP packets on a list of comma-separated VLAN ranges.
Use this command to create an ARP ACL.
Use this command to delete a configured ARP ACL.
Use this command to configure a rule for a valid IP address and MAC address combination used in ARP packet validation.
Use this command to delete a rule for a valid IP and MAC combination.
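To make the decision order concrete, here is a model of the whole DAI forwarding decision described on this page: trusted interfaces bypass inspection, the optional src-mac, dst-mac and IP validations run first, the VLAN's ARP ACL (with or without static) is consulted next, and the DHCP snooping bindings are the fallback. This is an added illustration, not the switch's code or CLI. The exact semantics of the three validations (source MAC compared with the ARP sender MAC on requests and responses, destination MAC compared with the ARP target MAC on responses, and rejection of 0.0.0.0, 255.255.255.255 and multicast sender/target IPs) follow the usual DAI conventions and should be treated as assumptions; the hosts, MAC addresses, VLANs and interface names are constructed sample data.

```python
"""Simplified model of the DAI forwarding decision.

Added example, not switch code. Decision order modelled:
  1. DAI not enabled on the VLAN, or trusted interface -> forward
  2. optional src-mac / dst-mac / ip validation -> drop on failure
  3. ARP ACL bound to the VLAN: permit -> forward; no match and `static` -> drop
  4. DHCP snooping bindings: (sender MAC, sender IP, VLAN) match -> forward, else drop
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    interface: str
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    op: str           # "request" or "response"
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass(frozen=True)
class Binding:        # one DHCP snooping binding entry
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class DaiConfig:
    enabled_vlans: set
    trusted_interfaces: set
    validate_src_mac: bool = False
    validate_dst_mac: bool = False
    validate_ip: bool = False
    bindings: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)      # acl name -> set of permitted (ip, mac)
    vlan_acl: dict = field(default_factory=dict)  # vlan -> (acl name, static flag)


def _mac(m):
    return m.lower()


def ip_is_invalid(ip):
    a = ip_address(ip)
    return a.is_unspecified or a.is_multicast or ip == "255.255.255.255"


def inspect(cfg, pkt):
    """Return (verdict, reason) where verdict is 'forward' or 'drop'."""
    if pkt.vlan not in cfg.enabled_vlans:
        return "forward", "dai-not-enabled"
    if pkt.interface in cfg.trusted_interfaces:
        return "forward", "trusted-interface"
    if cfg.validate_src_mac and _mac(pkt.eth_src) != _mac(pkt.sender_mac):
        return "drop", "src-mac-mismatch"
    if cfg.validate_dst_mac and pkt.op == "response" and _mac(pkt.eth_dst) != _mac(pkt.target_mac):
        return "drop", "dst-mac-mismatch"
    if cfg.validate_ip and (ip_is_invalid(pkt.sender_ip)
                            or (pkt.op == "response" and ip_is_invalid(pkt.target_ip))):
        return "drop", "invalid-ip"
    if pkt.vlan in cfg.vlan_acl:
        name, static = cfg.vlan_acl[pkt.vlan]
        if (pkt.sender_ip, _mac(pkt.sender_mac)) in cfg.acls[name]:
            return "forward", f"acl-{name}-permit"
        if static:
            return "drop", f"acl-{name}-static-deny"
    for b in cfg.bindings:
        if b.vlan == pkt.vlan and _mac(b.mac) == _mac(pkt.sender_mac) and b.ip == pkt.sender_ip:
            return "forward", "binding-match"
    return "drop", "no-binding"


def run_demo():
    """Constructed config and packets; returns {case: (verdict, reason)}."""
    cfg = DaiConfig(
        enabled_vlans={10, 20}, trusted_interfaces={"1/0/48"},
        validate_src_mac=True, validate_dst_mac=True, validate_ip=True,
        bindings=[Binding("00:11:22:33:44:10", "10.1.1.10", 10, "1/0/1"),
                  Binding("00:11:22:33:44:60", "10.1.2.60", 20, "1/0/5")],
        acls={"printers": {("10.1.2.50", "00:11:22:33:44:50")}},
        vlan_acl={20: ("printers", True)},   # static ACL on VLAN 20
    )
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    cases = {
        # DHCP client asking for its gateway: matches its binding
        "legit_request": ArpPacket(10, "1/0/1", "00:11:22:33:44:10", bcast, "request",
                                   "00:11:22:33:44:10", "10.1.1.10", zero, "10.1.1.1"),
        # attacker claims the gateway IP 10.1.1.1 with its own MAC: no binding
        "gateway_spoof": ArpPacket(10, "1/0/2", "00:11:22:33:44:99", "00:11:22:33:44:10", "response",
                                   "00:11:22:33:44:99", "10.1.1.1", "00:11:22:33:44:10", "10.1.1.10"),
        # Ethernet source differs from ARP sender MAC
        "src_mac_mismatch": ArpPacket(10, "1/0/2", "00:11:22:33:44:99", bcast, "request",
                                      "00:11:22:33:44:10", "10.1.1.10", zero, "10.1.1.1"),
        # sender IP 0.0.0.0 is rejected by ip validation
        "invalid_ip": ArpPacket(10, "1/0/2", "00:11:22:33:44:10", bcast, "request",
                                "00:11:22:33:44:10", "0.0.0.0", zero, "10.1.1.1"),
        # uplink port is trusted: never inspected
        "trusted_uplink": ArpPacket(10, "1/0/48", "00:11:22:33:44:99", bcast, "request",
                                    "00:11:22:33:44:99", "10.1.1.1", zero, "10.1.1.10"),
        # statically addressed printer permitted by the ARP ACL
        "acl_permit": ArpPacket(20, "1/0/7", "00:11:22:33:44:50", bcast, "request",
                                "00:11:22:33:44:50", "10.1.2.50", zero, "10.1.2.1"),
        # valid DHCP binding on VLAN 20, but static ACL means bindings are never consulted
        "static_blocks_binding": ArpPacket(20, "1/0/5", "00:11:22:33:44:60", bcast, "request",
                                           "00:11:22:33:44:60", "10.1.2.60", zero, "10.1.2.1"),
    }
    return {name: inspect(cfg, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_demo().items():
        print(f"{name:24} {verdict:8} {reason}")
```

The last case is the practical trap with the static keyword: a host that is in the DHCP snooping bindings is still dropped on VLAN 20 because the static ACL short-circuits the binding lookup. Use static only on VLANs where every legitimate host is listed in the ACL, and without it where DHCP clients and statically addressed hosts share the VLAN.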
Use this command to display the Dynamic ARP Inspection global configuration and the configuration on all VLANs. With the vlan-list argument (comma-separated VLAN ranges), the command displays the global configuration and the configuration on the VLANs in the given list only. The global configuration includes the source MAC validation, destination MAC validation and invalid IP validation settings.
The display parameters for the above command are:
Use this command to display the statistics of the ARP packets processed by Dynamic ARP Inspection. With the vlan-list argument, the command displays the statistics for all DAI-enabled VLANs in that list. With a single vlan argument, the command displays the statistics for that VLAN. With no argument, the command lists a summary of the forwarded and dropped ARP packets.
The display parameters for the above command are:
Use this command to reset the statistics for Dynamic ARP Inspection on all VLANs.
Use this command to display the Dynamic ARP Inspection configuration on all DAI-enabled interfaces. An interface is considered enabled for DAI if at least one VLAN of which it is a member is enabled for DAI. Given a unit/slot/port interface argument, the command displays the values for that interface whether or not the interface is enabled for DAI.
The display parameters for the above command are:
Use this command to display the configured ARP ACLs with their rules. Giving an ARP ACL name as the argument displays only the rules in that ARP ACL.