Cisco Systems WSC4500X16SFP Manual De Usuario

C H A P T E R

32-1

Software Configuration Guide—Release 12.2(25)SG

OL-7659-03

Understanding and Configuring Dynamic ARP
Inspection

This chapter describes how to configure Dynamic ARP Inspection (DAI) on the Catalyst 4500 series
switch.

This chapter includes the following major sections:

•

Overview of Dynamic ARP Inspection, page 32-1

•

Configuring Dynamic ARP Inspection, page 32-5

Note

For complete syntax and usage information for the switch commands used in this chapter, refer to the
Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.

Overview of Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP)
packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with
invalid MAC-IP pairs. This capability protects the network from certain “man-in-the-middle” attacks.

This section contains the following subsections:

•

ARP Cache Poisoning, page 32-2

•

Purpose of Dynamic ARP Inspection, page 32-2

•

Interface Trust State, Security Coverage and Network Configuration, page 32-3

•

Relative Priority of Static Bindings and DHCP Snooping Entries, page 32-4

•

Logging of Dropped Packets, page 32-4

•