Dynamic Arp Inspection - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Chapter 15
Configuring Access Control
Configuring Logging for ARP Traffic Inspection
To configure the logging option to log the ARP traffic-inspection packets that are dropped, perform this task in privileged mode:

Task: Log the ARP traffic-inspection packets that are dropped.
Command: set security acl ip acl_name deny arp-inspection {host ip_address {any | mac_address} | ip_address ip_mask any | any any} [log]

For detailed information on the VACL logging option, see the "Configuring VACL Logging" section on page 15-59. This section also provides information on limiting the number of logged flows using the set security acl log maxflow max_number command.

To display the logged ARP traffic-inspection packets, perform this task in normal mode:

Task: Display the logged ARP traffic-inspection packets.
Command: show security acl log flow arp [host ip_address [vlan vlan]]

If you specify the optional host IP address, only the ARP packets that advertise a binding for the specified host IP address are displayed. If you specify the optional vlan vlan keyword and argument, the search is restricted to the specified VLAN.

Dynamic ARP Inspection

Note: Dynamic ARP inspection (DAI) is available only with Supervisor Engine 2 with PFC2, Supervisor Engine 720 with PFC3A/PFC3B/PFC3BXL, and Supervisor Engine 32 with PFC3B/PFC3BXL.

These sections describe DAI:
Overview, page 15-39
Dynamic ARP Inspection Configuration Procedures, page 15-41

Overview

DAI uses the binding information that is built by DHCP snooping to enforce the advertisement of bindings to prevent "man-in-the-middle" attacks. These attacks can occur when an attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entries in a communication association. DAI adds an extra layer of security to ARP inspection by verifying that the ARP packet's MAC address and IP address match an existing DHCP snooping binding in the same VLAN. The basic functionality and packet flow of ARP inspection remains unchanged except for the addition of checks to ensure that a DHCP binding exists (see Figure 15-8 for a logical flow chart).

Using VACLs in Your Network
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, OL-8978-04, page 15-39
