Netgear M5300-28G-POE+ (GSM7228PSv1h2) - 12-Port Managed Gigabit Switch Administrator's Guide
Security Management
382
Managed Switches
CLI: Configure Dynamic ARP Inspection
1.
Enable DHCP snooping globally.
(Netgear Switch) (Config)# ip dhcp snooping
2.
Enable DHCP snooping in a VLAN.
(Netgear Switch) (Config)# ip dhcp snooping vlan 1
3.
Configure the port through which the DHCP server is reached as trusted.
(Netgear Switch) (Config)# interface 1/0/1
(Netgear Switch) (Interface 1/0/1)# ip dhcp snooping trust
4.
View the DHCP Snooping Binding table.
(GSM7328S) #show ip dhcp snooping binding
Total number of bindings: 1
MAC Address
IP Address
VLAN
Interface
Type
Lease (Secs)
----------------- --------------
---- ----------
------- -----------
00:16:76:A7:88:CC
192.168.10.86
1
1/0/2
DYNAMIC
86400
5.
Enable ARP inspection in VLAN 1.
(Netgear Switch) (Config)# ip arp inspection vlan 1
Now all ARP packets received on ports that are members of the VLAN are copied to the
CPU for ARP inspection. If there are trusted ports, you can configure them as trusted in
the next step. ARP packets received on trusted ports are not copied to the CPU.
CPU for ARP inspection. If there are trusted ports, you can configure them as trusted in
the next step. ARP packets received on trusted ports are not copied to the CPU.
6.
Configure port 1/0/1 as trusted.
(Netgear Switch) (Config)# interface 1/0/1
(Netgear Switch) (Interface 1/0/1)# ip arp inspection trust
Now, ARP packets from the DHCP client go through because a DHCP snooping entry exists.
However, ARP packets from the static client are dropped. For information about how to
prevent ARP packets from static clients to be dropped, see
However, ARP packets from the static client are dropped. For information about how to
prevent ARP packets from static clients to be dropped, see
386.