Netgear M5300-28G-POE+ (GSM7228PSv1h2) - 12-Port Managed Gigabit Switch Software Manual

Switching Commands 
535
 M5300, M6100, and M7100 Series ProSAFE Managed Switches
Dynamic ARP Inspection Commands
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP 
packets. DAI prevents a class of man-in-the-middle attacks, where an unfriendly station 
intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting 
neighbors. The miscreant sends ARP requests or responses mapping another station’s IP 
address to its own MAC address.
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and 
builds a binding database of valid MAC addresses, IP addresses, VLANs, and interfaces.
When DAI is enabled on a VLAN, the switch drops ARP packets received on that VLAN whose sender MAC 
address and sender IP address do not match an entry in the DHCP snooping binding database. You can 
optionally configure additional ARP packet validation (source MAC, destination MAC, and IP address checks).
ip arp inspection vlan
Use this command to enable Dynamic ARP Inspection on a comma-separated list of VLAN 
ranges (for example, 10,20-22).
Default
disabled
Format
ip arp inspection vlan vlan-list
Mode
Global Config

no ip arp inspection vlan
Use this command to disable Dynamic ARP Inspection on a comma-separated list of VLAN 
ranges.
Format
no ip arp inspection vlan vlan-list
Mode
Global Config

ip arp inspection validate
Use this command to enable additional validation checks on received ARP packets: source-MAC 
(src-mac) validation, destination-MAC (dst-mac) validation, and IP address (ip) validation. 
Each use of this command replaces the validation set configured by the previous one; it does 
not add to it. For example, if one command enables src-mac and dst-mac validation and a later 
command enables ip validation only, src-mac and dst-mac validation are disabled as a result of 
the second command. To keep all three checks active, specify them in a single command.
Default
disabled
Format
ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Mode
Global Config
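The following Python model is an added worked example, not Netgear code and not the switch's implementation. It covers both the DAI description above (drop on a missing DHCP snooping binding) and the three commands: it expands a comma-separated vlan-list, applies the replace-not-accumulate semantics of ip arp inspection validate, and inspects a few constructed ARP packets against a constructed binding table. The exact meaning of the src-mac, dst-mac and ip checks is an assumption taken from the usual DAI definition (src-mac: Ethernet source MAC must equal the ARP sender MAC; dst-mac: for replies, Ethernet destination MAC must equal the ARP target MAC; ip: sender IP, and target IP in replies, must not be 0.0.0.0, 255.255.255.255 or multicast), since the manual does not spell them out. Interface trust (real DAI only inspects untrusted ports) is deliberately left out of the model.

```python
"""DAI decision model. Added example; bindings, packets and check semantics are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address

REQUEST, REPLY = 1, 2


def parse_vlan_list(vlan_list: str) -> set[int]:
    """Expand a comma-separated list of VLAN ranges, e.g. "10,20-22" -> {10, 20, 21, 22}."""
    vlans: set[int] = set()
    for part in vlan_list.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 1 <= lo_i <= hi_i <= 4093:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def _valid_arp_ip(ip: str) -> bool:
    """Assumed 'ip' check: reject 0.0.0.0, 255.255.255.255 and multicast in the ARP body."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_unspecified or addr.is_multicast or str(addr) == "255.255.255.255")


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    op: int           # REQUEST or REPLY
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class DaiSwitch:
    # DHCP snooping bindings (constructed): (vlan, mac, ip) -> ingress interface
    bindings: dict[tuple[int, str, str], str]
    dai_vlans: set[int] = field(default_factory=set)
    validations: frozenset[str] = frozenset()   # default: no extra validation

    def arp_inspection_vlan(self, vlan_list: str) -> None:        # ip arp inspection vlan <vlan-list>
        self.dai_vlans |= parse_vlan_list(vlan_list)

    def no_arp_inspection_vlan(self, vlan_list: str) -> None:     # no ip arp inspection vlan <vlan-list>
        self.dai_vlans -= parse_vlan_list(vlan_list)

    def arp_inspection_validate(self, *checks: str) -> None:      # ip arp inspection validate ...
        """Each call REPLACES the previous set of checks, as the manual describes."""
        bad = set(checks) - {"src-mac", "dst-mac", "ip"}
        if bad or not checks:
            raise ValueError(f"unknown validation(s): {sorted(bad)}")
        self.validations = frozenset(checks)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return "forward" or "drop: <reason>" for one received ARP packet."""
        if pkt.vlan not in self.dai_vlans:
            return "forward"   # DAI not enabled on this VLAN
        # Mandatory DAI check: sender MAC/IP must be a DHCP snooping binding on this VLAN
        if (pkt.vlan, pkt.sender_mac.lower(), pkt.sender_ip) not in self.bindings:
            return "drop: no DHCP snooping binding for sender"
        if "src-mac" in self.validations and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return "drop: src-mac mismatch"
        if ("dst-mac" in self.validations and pkt.op == REPLY
                and pkt.eth_dst.lower() != pkt.target_mac.lower()):
            return "drop: dst-mac mismatch"
        if "ip" in self.validations:
            for ip in [pkt.sender_ip] + ([pkt.target_ip] if pkt.op == REPLY else []):
                if not _valid_arp_ip(ip):
                    return f"drop: invalid IP {ip}"
        return "forward"


CLIENT, ATTACKER = "00:11:22:33:44:55", "00:11:22:33:44:66"   # constructed MACs
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def demo() -> dict[str, str]:
    """Constructed scenario: an attacker on VLAN 10 tries to poison a client's cache."""
    sw = DaiSwitch(bindings={(10, CLIENT, "10.0.10.20"): "0/3", (10, ATTACKER, "10.0.10.21"): "0/4"})
    sw.arp_inspection_vlan("10,20-22")
    sw.arp_inspection_validate("src-mac", "dst-mac")
    sw.arp_inspection_validate("ip")            # replaces the set: only "ip" is active now
    legit = ArpPacket(10, CLIENT, BCAST, REQUEST, CLIENT, "10.0.10.20", ZERO, "10.0.10.1")
    poison = ArpPacket(10, ATTACKER, CLIENT, REPLY, ATTACKER, "10.0.10.1", CLIENT, "10.0.10.20")
    spoofed = ArpPacket(10, ATTACKER, BCAST, REQUEST, CLIENT, "10.0.10.20", ZERO, "10.0.10.1")
    other_vlan = ArpPacket(30, ATTACKER, CLIENT, REPLY, ATTACKER, "10.0.30.1", CLIENT, "10.0.30.20")
    verdicts = {"legit": sw.inspect(legit), "poison": sw.inspect(poison),
                "spoofed_ip_only": sw.inspect(spoofed),   # src-mac check was lost by the override
                "other_vlan": sw.inspect(other_vlan)}
    sw.arp_inspection_validate("src-mac", "dst-mac", "ip")   # all three in one command
    verdicts["spoofed_all_checks"] = sw.inspect(spoofed)
    return verdicts
```

The "spoofed" packet is the one to look at: its ARP body carries the client's real binding, so the mandatory DHCP snooping check passes, and it is only caught when src-mac validation is active. After the second validate command only the ip check remains, so the packet is forwarded; issuing all three checks in a single command restores the drop.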