Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S6000 ON

271

272

273

274

275

276

277

278

279

280

Internet 10.1.1.254 - 00:00:4d:69:e8:f2 Te 1/5/1 Vl 10 CP

Dell#

To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics

command.

Dell#show arp inspection statistics

Dynamic ARP Inspection (DAI) Statistics

---------------------------------------

Valid ARP Requests : 0

Valid ARP Replies : 1000

Invalid ARP Requests : 1000

Invalid ARP Replies : 0

Dell#

Bypassing the ARP Inspection

You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch

environments.

ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default.

To bypass the ARP inspection, use the following command.

• Specify an interface as trusted so that ARPs are not validated against the binding table.

INTERFACE mode

arp inspection-trust

Dynamic ARP inspection is supported on Layer 2 and Layer 3.

Source Address Validation

Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV).

Table 25. Three Types of Source Address Validation

Source Address Validation Description

IP Source Address Validation Prevents IP spoofing by forwarding only IP packets that have

been validated against the DHCP binding table.

DHCP MAC Source Address Validation Verifies a DHCP packet’s source hardware address matches

the client hardware address field (CHADDR) in the payload.

IP+MAC Source Address Validation Verifies that the IP source address and MAC source address

are a legitimate pair.

Enabling IP Source Address Validation

IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been validated against the

DHCP binding table.

A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using

ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic addressed to it. Then the attacker can

spoof the client’s IP address to interact with other clients.

The DHCP binding table associates addresses the DHCP servers assign with the port or the port channel interface on which the

requesting client is attached and the VLAN the client belongs to. When you enable IP source address validation on a port, the

system verifies that the source IP address is one that is associated with the incoming port and optionally that the client belongs

to the permissible VLAN. If an attacker is impostering as a legitimate client, the source address appears on the wrong ingress

Dynamic Host Configuration Protocol (DHCP) 280