Difference between revisions of "Netband Project - Dynamic Arp Inspection"
From Teknologisk videncenter
| (5 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | =Dynamic Arp Inspection (DAI)= | |
This page is part of the [[Netband_Project|Netband Project]] | This page is part of the [[Netband_Project|Netband Project]] | ||
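Review bot: the heading added on line 1 is written with single `=` markers, which makes it a level-1 heading at the same level as the page title, while the sections below use `==`. Either drop it and rely on the page title or keep it as the only level-1 heading by intent. It also spells the protocol "Arp", where the body text uses "ARP".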
| Line 6: | Line 6: | ||
==Configuration== | ==Configuration== | ||
| + | ------- | ||
| + | '''[[Netband Project - DHCP Snooping | DHCP snooping]] must be configured correctly, for Dynamic arp inspection to work properly.''' | ||
| + | ------- | ||
<pre> | <pre> | ||
ip arp inspection vlan 3,5 | ip arp inspection vlan 3,5 | ||
</pre> | </pre> | ||
| − | |||
==Verification== | ==Verification== | ||
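Review bot: the notice added above the `<pre>` block says DHCP snooping must be configured "correctly", but the Configuration section still shows only `ip arp inspection vlan 3,5`, so a reader cannot tell what DAI actually depends on. State that snooping has to be enabled on the same VLANs (3 and 5) so that bindings exist for their hosts, and show which interfaces, if any, are set with `ip arp inspection trust`. In the notice itself, drop the comma before "for" and write "ARP" in capitals.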
| Line 46: | Line 48: | ||
==External Links== | ==External Links== | ||
| + | [http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swdynarp.html C3560 configuration guide]<br> | ||
| + | [[Category:network]][[Category:CCNP]][[category:students]][[Category:CCNP4]] | ||
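Review bot: in the added category line, `[[category:students]]` is lowercase while the other three tags use `Category:`. It resolves to the same namespace, but the casing should be consistent. The trailing `<br>` after the single external link is not needed; a `*` list item would let further links be added cleanly.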
Latest revision as of 07:37, 13 May 2009
Dynamic ARP Inspection (DAI)
This page is part of the Netband Project
- Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings using the DHCP snooping table. This capability protects the network from certain man-in-the-middle attacks.
- Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
Configuration
DHCP snooping must be configured correctly for Dynamic ARP Inspection to work properly.
ip arp inspection vlan 3,5
Verification
HQSW1#sh ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan   Configuration   Operation   ACL Match   Static ACL
----   -------------   ---------   ---------   ----------
3      Enabled         Active
5      Enabled         Active

Vlan   ACL Logging   DHCP Logging
----   -----------   ------------
3      Deny          Deny
5      Deny          Deny

Vlan   Forwarded   Dropped   DHCP Drops   ACL Drops
----   ---------   -------   ----------   ---------
3      123         197       197          0
5      15          0         0            0

Vlan   DHCP Permits   ACL Permits   Source MAC Failures
----   ------------   -----------   -------------------
3      123            0             0
5      15             0             0

Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
----   -----------------   ----------------------   ---------------------
3      0                   0                        0
5      0                   0                        0
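
The counters in the Verification output can be checked automatically. The following is an added example, not part of the original Netband page: a Python parser that reads the statistics tables of `show ip arp inspection` and reports every VLAN where ARP packets were dropped, with the cause counters. The function names are hypothetical, and the sample is an excerpt of the output shown above.

```python
import re

# Excerpt of the Verification output on this page (column spacing collapsed).
SAMPLE = """\
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
3 Enabled Active
5 Enabled Active
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
3 123 197 197 0
5 15 0 0 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
3 0 0 0
5 0 0 0
"""

# Counters that explain why a packet was dropped, then all known counters.
CAUSES = ["DHCP Drops", "ACL Drops", "Source MAC Failures", "Dest MAC Failures",
          "IP Validation Failures", "Invalid Protocol Data"]
COUNTERS = ["Forwarded", "Dropped", "DHCP Permits", "ACL Permits"] + CAUSES
# Longest names first so multi-word column titles match as a whole.
HEADER_RE = re.compile("|".join(sorted(map(re.escape, COUNTERS), key=len, reverse=True)))

def parse_dai_stats(text):
    """Return {vlan: {counter: value}} from 'show ip arp inspection' output."""
    stats, columns = {}, []
    for raw in text.splitlines():
        line = " ".join(raw.split())           # accept aligned or collapsed spacing
        if line.startswith("Vlan "):
            columns = HEADER_RE.findall(line)  # empty for the non-counter tables
            continue
        fields = line.split()
        if columns and len(fields) == len(columns) + 1 and all(f.isdigit() for f in fields):
            stats.setdefault(int(fields[0]), {}).update(zip(columns, map(int, fields[1:])))
    return stats

def vlans_with_drops(stats):
    """Report each VLAN with dropped ARP packets and its non-zero cause counters."""
    findings = []
    for vlan, c in sorted(stats.items()):
        dropped = c.get("Dropped", 0)
        if dropped:
            ratio = round(dropped / (dropped + c.get("Forwarded", 0)), 3)
            causes = {k: c[k] for k in CAUSES if c.get(k)}
            findings.append({"vlan": vlan, "dropped": dropped, "ratio": ratio, "causes": causes})
    return findings

if __name__ == "__main__":
    print(vlans_with_drops(parse_dai_stats(SAMPLE)))
```

For the output above, only VLAN 3 is reported: all 197 drops are counted under DHCP Drops, meaning those ARP packets failed the check against the DHCP snooping table.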