Netband Project - Dynamic Arp Inspection
From Teknologisk videncenter
								
												
				<accesscontrol>NetBand</accesscontrol> This page is part of the Netband Project
- Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings using the DHCP snooping table. This capability protects the network from certain man-in-the-middle attacks.
- Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
Configuration
ip arp inspection vlan 3,5
Verification
HQSW1#sh ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    3     Enabled          Active
    5     Enabled          Active
 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    3     Deny             Deny
    5     Deny             Deny
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    3            123            197            197              0
    5             15              0              0              0
 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    3            123              0                     0
    5             15              0                     0
 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    3                   0                        0                       0
    5                   0                        0                       0