Difference between revisions of "Netband Project - Dynamic Arp Inspection"
From Teknologisk videncenter
(→External Links)
| Line 46: | Line 46: | ||
==External Links== | ==External Links== | ||
| + | [http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swdynarp.html C3560 configuration guide]<br> | ||
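Review bot: the added link text "C3560 configuration guide" hides that the URL is pinned to one software release (the path contains release/12.2_25_see). Suggest naming that release in the link text so readers running a different release know to check their own guide. The trailing <br> is only needed if more links will follow on the next line; otherwise it can be dropped.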
Revision as of 14:57, 14 April 2009
This page is part of the Netband Project
- Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts ARP packets, checks their IP-to-MAC address bindings against the DHCP snooping table, and logs and discards packets whose bindings are invalid. This capability protects the network from certain man-in-the-middle attacks.
- Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
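The check described above, modelled in Python as an added example (not code from the Netband page or from Cisco). It is a simplified model: the bindings, addresses, port names and the trusted uplink Gi0/1 are constructed assumptions, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed DHCP snooping bindings: (vlan, sender IP) -> MAC. Not from the page.
BINDINGS = {
    (3, "10.0.3.10"): "0011.2233.4455",
    (5, "10.0.5.20"): "0011.2233.6677",
}
INSPECTED_VLANS = {3, 5}    # mirrors "ip arp inspection vlan 3,5"
TRUSTED_PORTS = {"Gi0/1"}   # assumed uplink; trusted ports bypass inspection


@dataclass
class Arp:
    vlan: int
    port: str
    sender_ip: str
    sender_mac: str


def inspect(pkt, bindings=BINDINGS):
    """Return 'forward' or 'drop' for one ARP packet."""
    # VLANs without inspection and trusted ports are not checked at all.
    if pkt.vlan not in INSPECTED_VLANS or pkt.port in TRUSTED_PORTS:
        return "forward"
    # The sender IP must be bound, in this VLAN, to the sender MAC.
    if bindings.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac:
        return "forward"
    return "drop"


def tally(packets):
    """Per-VLAN forwarded/dropped counters, like the switch statistics."""
    stats = {}
    for pkt in packets:
        row = stats.setdefault(pkt.vlan, {"forward": 0, "drop": 0})
        row[inspect(pkt)] += 1
    return stats


# Constructed traffic: a valid host, a mismatched sender MAC, the trusted
# uplink, and a valid host in VLAN 5.
SAMPLE = [
    Arp(3, "Fa0/1", "10.0.3.10", "0011.2233.4455"),
    Arp(3, "Fa0/3", "10.0.3.10", "00de.adbe.ef00"),
    Arp(3, "Gi0/1", "10.0.3.1", "00aa.bbcc.dd01"),
    Arp(5, "Fa0/2", "10.0.5.20", "0011.2233.6677"),
]

if __name__ == "__main__":
    print(tally(SAMPLE))
```

A host with a static address has no DHCP binding and is dropped in this model; on the switch, that case is handled by ARP ACLs, which is what the ACL columns in the verification output refer to.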
Configuration
ip arp inspection vlan 3,5
Verification
HQSW1#sh ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    3     Enabled          Active
    5     Enabled          Active

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    3     Deny             Deny
    5     Deny             Deny

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    3            123            197            197              0
    5             15              0              0              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    3            123              0                     0
    5             15              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    3                   0                        0                       0
    5                   0                        0                       0