About Dynamic Arp Inspection - Cisco Catalyst 4500 Series Configuration Manual

Configuring Dynamic ARP Inspection
This chapter describes how to configure Dynamic ARP Inspection (DAI) on the Catalyst 4500 series
switch.
This chapter includes the following major sections:
•
•
Note For complete syntax and usage information for the switch commands used in this chapter, first look at
the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:
http://www.cisco.com/en/US/products//hw/switches/ps4324/index.html
If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in
the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this
location:
http://www.cisco.com/en/US/products/ps6350/index.html

About Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP)
packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with
invalid MAC-IP pairs. This capability protects the network from certain "man-in-the-middle" attacks.
This section contains the following subsections:
•
•
•
•
•
•
•
OL-25340-01
About Dynamic ARP Inspection, page 49-1
Configuring Dynamic ARP Inspection, page 49-5
ARP Cache Poisoning, page 49-2
Purpose of Dynamic ARP Inspection, page 49-2
Interface Trust State, Security Coverage and Network Configuration, page 49-3
Relative Priority of Static Bindings and DHCP Snooping Entries, page 49-4
Logging of Dropped Packets, page 49-4
Rate Limiting of ARP Packets, page 49-4
Port Channels Function, page 49-5
C H A P T E R
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
49
49-1