Users Guide
To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command.
Dell#show arp inspection statistics
Dynamic ARP Inspection (DAI) Statistics
---------------------------------------
Valid ARP Requests : 0
Valid ARP Replies : 1000
Invalid ARP Requests : 1000
Invalid ARP Replies : 0
Dell#
Bypassing the ARP Inspection
You can congure a port to skip ARP inspection by dening the interface as trusted, which is useful in multi-switch environments.
ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default.
To bypass the ARP inspection, use the following command.
• Specify an interface as trusted so that ARPs are not validated against the binding table.
INTERFACE mode
arp inspection-trust
Dynamic ARP inspection is supported on Layer 2 and Layer 3.
Source Address Validation
Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV).
Table 15. Three Types of Source Address Validation
Source Address Validation Description
IP Source Address Validation Prevents IP spoong by forwarding only IP packets that have been
validated against the DHCP binding table.
DHCP MAC Source Address Validation Veries a DHCP packet’s source hardware address matches the
client hardware address eld (CHADDR) in the payload.
IP+MAC Source Address Validation Veries that the IP source address and MAC source address are a
legitimate pair.
Enabling IP Source Address Validation
IP source address validation (SAV) prevents IP spoong by forwarding only IP packets that have been validated against the DHCP binding
table.
A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using ARP spoong,
an attacker can assume a legitimate client’s identity and receive trac addressed to it. Then the attacker can spoof the client’s IP address
to interact with other clients.
The DHCP binding table associates addresses the DHCP servers assign with the port or the port channel interface on which the requesting
client is attached and the VLAN the client belongs to. When you enable IP source address validation on a port, the system veries that the
source IP address is one that is associated with the incoming port and optionally that the client belongs to the permissible VLAN. If an
attacker is impostering as a legitimate client, the source address appears on the wrong ingress port and the system drops the packet. If the
IP address is fake, the address is not on the list of permissible addresses for the port and the packet is dropped. Similarly, if the IP address
does not belong to the permissible VLAN, the packet is dropped.
To enable IP source address validation, use the following command.
246
Dynamic Host Conguration Protocol (DHCP)