CHAPTER
34-1
Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
34
Understanding and Configuring Dynamic ARP
Inspection
This chapter describes how to configure Dynamic ARP Inspection (DAI) on the Catalyst 4500 series
switch.
This chapter includes the following major sections:
• Overview of Dynamic ARP Inspection, page 34-1
• Configuring Dynamic ARP Inspection, page 34-5
Note For complete syntax and usage information for the switch commands used in this chapter, refer to the
Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.
Overview of Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP)
packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with
invalid MAC address to IP address bindings. This capability protects the network from certain
“man-in-the-middle” attacks.
This section contains the following subsections:
• ARP Cache Poisoning, page 34-2
• Dynamic ARP Inspection, page 34-2
• Interface Trust state, Security Coverage and Network Configuration, page 34-3
• Relative Priority of Static Bindings and DHCP Snooping Entries, page 34-4
• Logging of Denied Packets, page 34-4
• Rate Limiting of ARP Packets, page 34-4
• Port Channels and Their Behavior, page 34-4
To Next Page
Loading...
Need help?
General
