Leaflet

46
OL-11615-01
Step 5 Optionally, configure a static IP binding on the port. Use the ip verify source vlan dhcp-snooping
port-security command:
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface interface-name
This example shows how to enable per-Layer 2-port IP source guard on VLANs 10 through 20:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10 20
Switch(config)# interface fa6/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 10
Switch(config-if)# switchport trunk allowed vlan 11-20
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# ip verify source vlan dhcp-snooping
Switch(config)# end
For more information on IP Source Guard on Catalyst 4500 Series switches running Cisco IOS, refer to
the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31s/conf/dhcp.htm#wp1083306
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI) is a security feature that is available on Catalyst 6500 Series switches
running Cisco IOS software or Catalyst OS, and on Catalyst 4500 Series switches running Cisco IOS
software. Dynamic ARP inspection helps prevent ARP poisoning and other ARP-based attacks by
intercepting all ARP requests and responses, and by verifying their authenticity before updating the
switch's local ARP cache or forwarding the packets to the intended destinations.
Note: In Catalyst 6500 Series switches, Dynamic ARP Inspection requires Supervisor 2, Supervisor 32, or Supervisor 720.
The DAI verification consists primarily of intercepting each ARP packet and comparing its MAC address
and IP address information against the MAC-IP bindings contained in a trusted binding table. DAI
discards any ARP packets that are inconsistent with the information contained in the binding table. The
trusted binding table is dynamically populated by DHCP snooping when this feature is enabled. In
addition, DAI allows the configuration of static ARP ACLs to support systems that use statically
configured IP addresses and that do not rely on DHCP.
DAI can also be configured to drop ARP packets with invalid IP addresses, such as 0.0.0.0 or
255.255.255.255, and ARP packets whose payload (sender) MAC addresses do not match the source
addresses specified in the Ethernet headers.
Another important feature of DAI is that it implements a configurable rate-limit function that controls
the number of incoming ARP packets. This function is particularly important because all validation
checks are performed by the CPU, and without a rate-limiter, there could be a DoS condition.
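The following Python model of the DAI validation sequence described above is an added illustration, not code from the Cisco document: it parses an Ethernet II ARP frame, applies the per-port rate limit first (the CPU-protection step), then the optional invalid-IP and header/payload MAC checks, and finally the binding-table and static-ACL lookup. The binding table, static ACL, port names, the 15 packets-per-second limit and the err-disable reaction are all constructed assumptions for the example.

```python
import struct

# Constructed DHCP-snooping binding table (hypothetical hosts), keyed by
# (vlan, port): {sender MAC: IP address learned from DHCP}.
BINDINGS = {(10, "Fa6/1"): {"00:11:22:33:44:55": "10.0.10.5"}}
# Constructed static ARP ACL for a host with a statically configured address.
STATIC_ACL = {"00:aa:bb:cc:dd:ee": "10.0.10.200"}
INVALID_IPS = {"0.0.0.0", "255.255.255.255"}

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) from an Ethernet II ARP frame, or None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    _, _, hlen, plen, _ = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4:                           # only Ethernet/IPv4 ARP
        return None
    return _mac(frame[6:12]), _mac(frame[22:28]), _ip(frame[28:32])

class DaiPort:
    """Untrusted-port DAI model: rate limit first, then validate sender MAC/IP."""
    def __init__(self, vlan, name, rate_limit=15, strict=True):
        self.vlan, self.name, self.rate_limit, self.strict = vlan, name, rate_limit, strict
        self.window, self.count, self.errdisabled = -1, 0, False

    def inspect(self, frame, now):
        # Assumed behaviour: exceeding the per-second limit err-disables the port,
        # so the CPU that performs every check below is not flooded.
        if self.errdisabled:
            return "drop: port err-disabled"
        if int(now) != self.window:
            self.window, self.count = int(now), 0
        self.count += 1
        if self.count > self.rate_limit:
            self.errdisabled = True
            return "drop: rate limit exceeded, port err-disabled"
        parsed = parse_arp(frame)
        if parsed is None:
            return "drop: malformed ARP"
        eth_src, sender_mac, sender_ip = parsed
        if self.strict:  # the optional additional validations described in the text
            if sender_ip in INVALID_IPS:
                return "drop: invalid sender IP"
            if sender_mac != eth_src:
                return "drop: ARP sender MAC differs from Ethernet source"
        expected = BINDINGS.get((self.vlan, self.name), {}).get(sender_mac, STATIC_ACL.get(sender_mac))
        if expected != sender_ip:
            return "drop: no matching MAC-IP binding"
        return "forward"

def build_arp(eth_src, sender_mac, sender_ip, target_ip="10.0.10.1"):
    """Construct a sample ARP reply frame (test input, not a captured packet)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (b"\xff" * 6 + mac(eth_src) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + mac(sender_mac) + ip(sender_ip) + b"\x00" * 6 + ip(target_ip))
```

Feeding `build_arp(...)` frames into `DaiPort(10, "Fa6/1").inspect(frame, t)` shows which check a given spoofed reply (for example one claiming the gateway's IP) fails on, and the rate limiter tripping once more than 15 frames arrive within one second.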