Service Manual

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4048-ON

341

342

343

344

345

346

347

348

349

350

Invalid ARP Replies : 0

Dell#

Bypassing the ARP Inspection

You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in

multi-switch environments.

ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by

default.

To bypass the ARP inspection, use the following command.

• Specify an interface as trusted so that ARPs are not validated against the binding table.

INTERFACE mode

arp inspection-trust

Dell Networking OS Behavior: Introduced in Dell Networking OS version 8.2.1.0, DAI was available for

Layer 3 only. However, Dell Networking OS version 8.2.1.1 extends DAI to Layer 2.

Source Address Validation

Using the DHCP binding table, Dell Networking OS can perform three types of source address validation

(SAV).

Table 22. Three Types of Source Address Validation

Source Address Validation Description

IP Source Address Validation Prevents IP spoofing by forwarding only IP packets

that have been validated against the DHCP binding

table.

DHCP MAC Source Address Validation Verifies a DHCP packet’s source hardware address

matches the client hardware address field

(CHADDR) in the payload.

IP+MAC Source Address Validation Verifies that the IP source address and MAC source

address are a legitimate pair.

Enabling IP Source Address Validation

IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been

validated against the DHCP binding table.

A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker.

For example, using ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic

addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.

The DHCP binding table associates addresses the DHCP servers assign with the port or the port channel

interface on which the requesting client is attached and the VLAN the client belongs to. When you enable

IP source address validation on a port, the system verifies that the source IP address is one that is

associated with the incoming port and optionally that the client belongs to the permissible VLAN. If an

attacker is impostering as a legitimate client, the source address appears on the wrong ingress port and

the system drops the packet. If the IP address is fake, the address is not on the list of permissible

addresses for the port and the packet is dropped. Similarly, if the IP address does not belong to the

permissible VLAN, the packet is dropped.

344

Dynamic Host Configuration Protocol (DHCP)