Dynamic Arp Inspection - NETGEAR XS708T User Manual

8-port, 12-port, and 16-port 10-gigabit smart managed pro switch

XS708T, XS712Tv2, and XS716T Smart Managed Pro Switch User Manual
The following table describes the DHCP snooping statistics.
Table 27. DHCP Snooping Statistics information
Field: Description
Interface: The interface associated with the rest of the data in the row.
MAC Verify Failures: The number of DHCP messages that were dropped because the source MAC address and client hardware address did not match. MAC address verification is performed only if it is globally enabled.
Client Ifc Mismatch: The number of packets that were dropped by DHCP snooping because the interface and VLAN on which the packet was received do not match the client's interface and VLAN information stored in the binding database.
DHCP Server Msgs Received: The number of DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK, DHCPRELEASEQUERY) that were dropped on an untrusted port.

Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious attacker sends ARP requests or responses mapping another station's IP address to its own MAC address.

When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address do not match an entry in the DHCP snooping bindings database. You can optionally configure additional ARP packet validation.

When DAI is enabled on a VLAN, DAI is enabled on the interfaces (physical ports or LAGs) that are members of that VLAN. Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is independent of the trust configuration for DHCP snooping.

Configure DAI Globally

If you configure the source MAC address validation option, DAI verifies that the sender MAC address in an ARP packet equals the source MAC address in the Ethernet header. A separate configurable option verifies that the target MAC address in the ARP packet equals the destination MAC address in the Ethernet header. This check applies only to ARP responses, since the target MAC address is unspecified in ARP requests. You can also enable IP address checking. When this option is enabled, DAI drops ARP packets with an invalid IP address. The following IP addresses are considered invalid:
0.0.0.0
255.255.255.255
All IP multicast addresses
All class E addresses (240.0.0.0/4)
Loopback addresses (in the range 127.0.0.0/8)
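
The checks described above, modelled in Python as an added example (not NETGEAR's implementation and not code from the manual). The check order, the bypass for trusted ports and non-DAI VLANs, the choice of which IP fields are tested, and all names, port labels and sample frames are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

CLASS_E = ipaddress.ip_network("240.0.0.0/4")
@dataclass(frozen=True)
class Arp:
    vlan: int
    port: str
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    is_reply: bool
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def invalid_ip(addr):
    """True for the addresses the manual lists as invalid."""
    ip = ipaddress.IPv4Address(addr)
    return (int(ip) in (0, 0xFFFFFFFF) or ip.is_multicast
            or ip in CLASS_E or ip.is_loopback)

def dai_verdict(arp, bindings, dai_vlans, trusted,
                check_src_mac=False, check_dst_mac=False, check_ip=False):
    """Return 'forward' or a drop reason for one ARP frame."""
    # Assumption: non-DAI VLANs and trusted ports are not inspected.
    if arp.vlan not in dai_vlans or arp.port in trusted:
        return "forward"
    if check_src_mac and arp.sender_mac != arp.eth_src:
        return "drop: source MAC mismatch"
    # Target MAC is unspecified in requests, so only replies are checked.
    if check_dst_mac and arp.is_reply and arp.target_mac != arp.eth_dst:
        return "drop: destination MAC mismatch"
    # Assumption: sender IP is always checked, target IP only in replies.
    if check_ip and (invalid_ip(arp.sender_ip)
                     or (arp.is_reply and invalid_ip(arp.target_ip))):
        return "drop: invalid IP"
    if (arp.sender_mac, arp.sender_ip) not in bindings:
        return "drop: no DHCP snooping binding"
    return "forward"

# Constructed sample data: one learned binding, one honest request, one forged reply.
BINDINGS = {("00:11:22:33:44:55", "192.168.1.10")}
GOOD = Arp(10, "p3", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", False,
           "00:11:22:33:44:55", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1")
SPOOF = Arp(10, "p5", "de:ad:be:ef:00:01", "00:11:22:33:44:55", True,
            "de:ad:be:ef:00:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10")
if __name__ == "__main__":
    for frame in (GOOD, SPOOF):
        print(frame.port, dai_verdict(frame, BINDINGS, {10}, {"uplink"}, True, True, True))
```

The forged reply passes both MAC consistency checks and the IP check, and is stopped only by the bindings lookup, which is why the optional validations supplement the DHCP snooping database rather than replace it.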