Netgear M5300-28G-POE+ (GSM7228PSv1h2) - 12-Port Managed Gigabit Switch Software Manual
Switching Commands
M5300, M6100, and M7100 Series ProSAFE Managed Switches
Dynamic ARP Inspection Commands
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP
packets. DAI prevents a class of man-in-the-middle attacks, where an unfriendly station
intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting
neighbors. The miscreant sends ARP requests or responses mapping another station’s IP
address to its own MAC address.
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and
builds a binding database of valid MAC addresses, IP addresses, VLANs, and interfaces.
When DAI is enabled, the switch drops ARP packets whose sender MAC address and
sender IP address do not match an entry in the DHCP snooping bindings database. You can
optionally configure additional ARP packet validation.
ip arp inspection vlan
Use this command to enable Dynamic ARP Inspection on a list of comma-separated VLAN
ranges.
Default: disabled
Format: ip arp inspection vlan vlan-list
Mode: Global Config
no ip arp inspection vlan
Use this command to disable Dynamic ARP Inspection on a list of comma-separated VLAN
ranges.
Format: no ip arp inspection vlan vlan-list
Mode: Global Config
ip arp inspection validate
Use this command to enable additional validation checks such as source-mac (src-mac)
validation, destination-mac (dst-mac) validation, and IP address validation on the received
ARP packets. Each command overrides the configuration of the previous command. For
example, if a command enables source-mac and destination-mac validations, and a second
command enables IP validation only, the source-mac and destination-mac validations are
disabled as a result of the second command.
Default: disabled
Format: ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Mode: Global Config
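The following Python model, added here as an illustration and not part of the Netgear manual, shows the DAI decision the two sections above describe: a packet on a DAI-enabled VLAN is dropped unless its sender MAC/IP appears in the DHCP snooping binding database, and the optional src-mac, dst-mac and ip checks are applied only when the current `ip arp inspection validate` set names them. The binding entries and packets are constructed sample data; the exact meaning of the three optional checks (Ethernet source MAC vs. ARP sender MAC, Ethernet destination MAC vs. ARP target MAC on replies, and rejection of 0.0.0.0, 255.255.255.255 and multicast addresses) is the usual DAI definition and is assumed, not quoted from this page.

```python
"""Model of the Dynamic ARP Inspection (DAI) forwarding decision (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet

# Constructed DHCP snooping binding database: (MAC, IP, VLAN) -> learned interface.
# The page's core check matches sender MAC/IP/VLAN; the interface is kept as data only.
BINDINGS = {
    ("00:11:22:33:44:55", "10.0.1.10", 10): "0/1",
    ("00:11:22:33:44:66", "10.0.1.11", 10): "0/2",
}


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    is_reply: bool    # ARP opcode 2 (reply) when True, opcode 1 (request) otherwise
    sender_mac: str   # ARP body sender hardware address
    sender_ip: str    # ARP body sender protocol address
    target_mac: str   # ARP body target hardware address
    target_ip: str    # ARP body target protocol address


def bad_ip(addr: str) -> bool:
    """Assumed 'ip' validation: reject unspecified, broadcast and multicast addresses."""
    ip = IPv4Address(addr)
    return ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast


def dai_verdict(pkt: ArpPacket, dai_vlans: FrozenSet[int], validate: FrozenSet[str]) -> str:
    """Return 'forward' or 'drop: <reason>'. `validate` is the set currently configured
    with 'ip arp inspection validate'; a new command replaces the whole set (the
    override behaviour described in the manual), so only its members are checked."""
    if pkt.vlan not in dai_vlans:
        return "forward"  # DAI not enabled on this VLAN: no inspection at all
    # Core check: sender MAC and sender IP must match a snooping binding on this VLAN.
    if (pkt.sender_mac.lower(), pkt.sender_ip, pkt.vlan) not in BINDINGS:
        return "drop: no DHCP snooping binding"
    if "src-mac" in validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop: src-mac mismatch"
    if "dst-mac" in validate and pkt.is_reply and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "drop: dst-mac mismatch"
    if "ip" in validate and (bad_ip(pkt.sender_ip) or (pkt.is_reply and bad_ip(pkt.target_ip))):
        return "drop: invalid IP address"
    return "forward"
```

Running `dai_verdict` on the same packet with `frozenset({"src-mac", "dst-mac"})` and then with `frozenset({"ip"})` reproduces the override behaviour: a header/body MAC mismatch is caught by the first configuration and passes under the second.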