Dynamic ARP Inspection Commands 341
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and
malicious ARP packets. The feature prevents a class of man-in-the-middle
attacks, where an unfriendly station intercepts traffic for other stations by
poisoning the ARP caches of its neighbors. The miscreant sends ARP requests
or responses mapping another station IP address to its own MAC address.
DAI drops ARP packets whose sender MAC address and sender IP address do
not match an entry in the DHCP Snooping bindings database.
Commands in this Chapter
This chapter explains the following commands:
arp access-list
Use the arp access-list command to create an ARP ACL. It will place the user
in ARP ACL Configuration mode. Use the “no” form of this command to
delete an ARP ACL.
arp access-list
no arp access-list
— A valid ARP ACL name (Range: 1–31 characters).
arp access-list ip arp inspection vlan
clear ip arp inspection statistics permit ip host mac host
ip arp inspection filter show arp access-list
ip arp inspection limit show ip arp inspection
ip arp inspection trust show ip arp inspection vlan
ip arp inspection validate
2CSPC4.XModular-SWUM200.book Page 341 Thursday, March 10, 2011 11:18 AM