Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and
malicious ARP packets. The feature prevents a class of man-in-the-middle
attacks, where an unfriendly station intercepts traffic for other stations by
poisoning the ARP caches of its neighbors. The miscreant sends ARP requests
or responses mapping another station IP address to its own MAC address.
DAI drops ARP packets whose sender MAC address and sender IP address do
not match an entry in the DHCP Snooping bindings database.
Commands in this Chapter
This chapter explains the following commands:
clear ip arp inspection statistics
ip arp inspection filter
ip arp inspection limit
ip arp inspection trust
ip arp inspection validate
Use the arp access-list command to create an ARP ACL. It will place the user
in ARP ACL Configuration mode. Use the "no" form of this command to
delete an ARP ACL.
no arp access-list
acl-name — A valid ARP ACL name (Range: 1–31 characters).
ip arp inspection vlan
permit ip host mac host
show arp access-list
show ip arp inspection
show ip arp inspection vlan
Dynamic ARP Inspection Commands