Reference Guide
Dynamic Host Configuration Protocol (DHCP) | 325
Invalid ARP Replies : 0
FTOS#
Bypass the ARP Inspection
You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in
multi-switch environments. ARPs received on trusted ports bypass validation against the binding table. All
ports are untrusted by default.
Source Address Validation
Using the DHCP binding table, FTOS can perform three types of source address validation (SAV):
• IP Source Address Validation prevents IP spoofing by forwarding only IP packets that have been
validated against the DHCP binding table.
• DHCP MAC Source Address Validation verifies a DHCP packet’s source hardware address matches
the client hardware address field (CHADDR) in the payload.
• IP+MAC Source Address Validation verifies that the IP source address and MAC source address are a
legitimate pair.
IP Source Address Validation
IP Source Address Validation (SAV) prevents IP spoofing by forwarding only IP packets that have been
validated against the DHCP binding table. A spoofed IP packet is one in which the IP source address is
strategically chosen to disguise the attacker. For example, using ARP spoofing an attacker can assume a
legitimate client’s identity and receive traffic addressed to it. Then the attacker can spoof the client’s IP
address to interact with other clients.
Task Command Syntax Command Mode
Specify an interface as trusted so that ARPs are not
validated against the binding table.
arp inspection-trust INTERFACE
FTOS Behavior: Introduced in FTOS version 8.2.1.0, Dynamic ARP Inspection (DAI) was available for
Layer 3 only. FTOS version 8.2.1.1 extends DAI to Layer 2.