September 2014 Page 413
HP Moonshot Switch Module CLI Command Reference
Dynamic ARP Inspection Commands
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents
a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other stations by
poisoning the ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests or responses
mapping another station’s IP address to its own MAC address.
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and builds a binding database of valid {MAC address, IP address, VLAN, and interface} tuples.
When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address do not
match an entry in the DHCP snooping bindings database. You can optionally configure additional ARP packet
validation.
ip arp inspection vlan
Use this command to enable Dynamic ARP Inspection on a list of comma-separated VLAN ranges.
Default disabled
Format ip arp inspection vlan vlan-list
Mode Global Config

no ip arp inspection vlan
Use this command to disable Dynamic ARP Inspection on a list of comma-separated VLAN ranges.
Format no ip arp inspection vlan vlan-list
Mode Global Config

ip arp inspection validate
Use this command to enable additional validation checks like source-mac validation, destination-mac validation, and IP address validation on the received ARP packets. Each command overrides the configuration of the previous command. For example, if a command enables src-mac and dst-mac validations, and a second command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.
Default disabled
Format ip arp inspection validate {src-mac [dst-mac] [ip] | dst-mac [ip] | ip}
Mode Global Config
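The following is an added example, not code from the HP Moonshot switch or this reference guide. It models the DAI decision described at the top of this page (drop ARP packets whose sender MAC/IP have no DHCP snooping binding) together with the three commands above, including the "each validate command overrides the previous one" rule, so the effect of a configuration can be traced on constructed packets. The page does not define what the src-mac, dst-mac and ip checks compare, nor whether the binding lookup keys on VLAN and interface as well, so those details (listed in the module docstring) are assumptions of this model, as is the choice to run the optional validations before the binding lookup.

```python
"""Model of Dynamic ARP Inspection as described on this page (added example).

Assumptions made here because the page does not define them:
  - the binding lookup uses the full {MAC, IP, VLAN, interface} tuple;
  - src-mac validation: Ethernet source MAC must equal the ARP sender MAC;
  - dst-mac validation: on ARP replies, Ethernet destination MAC must equal
    the ARP target MAC;
  - ip validation: the sender IP (and the target IP of a reply) must not be
    0.0.0.0, 255.255.255.255 or a multicast address;
  - the optional validations run before the binding lookup.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: {MAC address, IP address, VLAN, interface}."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    interface: str   # ingress port
    eth_src: str
    eth_dst: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_vlan_list(text: str) -> set[int]:
    """'10,20-22' -> {10, 20, 21, 22} (comma-separated VLAN ranges)."""
    vlans: set[int] = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


class DaiConfig:
    """Global-config state touched by the three commands on this page."""

    def __init__(self) -> None:
        self.vlans: set[int] = set()
        self.validate: set[str] = set()   # default: no extra validation

    def ip_arp_inspection_vlan(self, vlan_list: str) -> None:
        self.vlans |= parse_vlan_list(vlan_list)

    def no_ip_arp_inspection_vlan(self, vlan_list: str) -> None:
        self.vlans -= parse_vlan_list(vlan_list)

    def ip_arp_inspection_validate(self, *checks: str) -> None:
        # Each command overrides the previous one: the set is replaced, not merged.
        if not checks or set(checks) - {"src-mac", "dst-mac", "ip"}:
            raise ValueError("validate takes src-mac, dst-mac and/or ip")
        self.validate = set(checks)


def _invalid_ip(ip: str) -> bool:
    addr = IPv4Address(ip)
    return addr in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or addr.is_multicast


def inspect(cfg: DaiConfig, bindings: set[Binding], pkt: ArpPacket) -> tuple[bool, str]:
    """Return (forward?, reason) for one ARP packet."""
    if pkt.vlan not in cfg.vlans:
        return True, "vlan not inspected"
    if "src-mac" in cfg.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return False, "src-mac validation failed"
    if ("dst-mac" in cfg.validate and pkt.opcode == ARP_REPLY
            and pkt.eth_dst.lower() != pkt.target_mac.lower()):
        return False, "dst-mac validation failed"
    if "ip" in cfg.validate and (_invalid_ip(pkt.sender_ip)
                                 or (pkt.opcode == ARP_REPLY and _invalid_ip(pkt.target_ip))):
        return False, "ip validation failed"
    key = Binding(pkt.sender_mac.lower(), pkt.sender_ip, pkt.vlan, pkt.interface)
    if key not in bindings:
        return False, "sender MAC/IP not in DHCP snooping bindings"
    return True, "ok"


def run_demo() -> list[str]:
    """Constructed bindings and packets; returns the reason given for each verdict."""
    cfg = DaiConfig()
    cfg.ip_arp_inspection_vlan("10,20-21")
    cfg.ip_arp_inspection_validate("src-mac", "dst-mac")
    cfg.ip_arp_inspection_validate("ip")          # overrides: only ip remains
    host_mac, gw_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:fe"   # constructed
    bindings = {Binding(host_mac, "10.0.0.5", 10, "1/0/1")}
    pkts = [
        # legitimate request from the bound host
        ArpPacket(10, "1/0/1", host_mac, "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                  host_mac, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
        # cache-poisoning attempt: the bound host claims the gateway's IP
        ArpPacket(10, "1/0/1", host_mac, "aa:bb:cc:00:00:02", ARP_REPLY,
                  host_mac, "10.0.0.1", "aa:bb:cc:00:00:02", "10.0.0.6"),
        # ip validation: reply with sender IP 0.0.0.0
        ArpPacket(10, "1/0/1", host_mac, gw_mac, ARP_REPLY,
                  host_mac, "0.0.0.0", gw_mac, "10.0.0.1"),
        # VLAN 30 is not under inspection, so DAI never looks at it
        ArpPacket(30, "1/0/2", host_mac, "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                  host_mac, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    ]
    return [inspect(cfg, bindings, p)[1] for p in pkts]


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```

The second packet in run_demo is the case the page's introduction describes: a station with a valid binding for its own address sends a reply mapping another station's IP to its MAC. It passes the ip check but has no {MAC, IP, VLAN, interface} binding, so the model drops it. Note that after the two validate calls only the ip check remains active, which is why the demo does not exercise src-mac or dst-mac; those are shown in the separate checks below.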