Dynamic ARP Inspection (DAI) validates ARP packets passing through a switch. DAI performs its checks only on untrusted ports; when the switch receives an ARP packet on a trusted interface, it forwards the packet without any inspection.
On an untrusted port, DAI permits an ARP packet only if the sender MAC/IP pair matches a valid entry in the DHCP snooping binding table or a static binding (an ARP ACL for hosts with static addresses).
In other words, ARP is only allowed in from an untrusted port when there is a valid binding for the sender; everything else is dropped and logged.
This stops ARP spoofing (ARP cache poisoning), and with it the man-in-the-middle attacks built on it. Note that all ports are untrusted by default, so ports facing other switches, which carry ARP from hosts with no binding on this switch, are normally configured as trusted.
Configuration:-
ip dhcp snooping
ip dhcp snooping vlan 1
ip arp inspection vlan 1
int fa0/1
no ip arp inspection trust
DHCP snooping must be enabled on the VLAN first, otherwise the binding table DAI relies on stays empty. Interfaces are untrusted by default (the "no ip arp inspection trust" line above is the default state, shown explicitly); use "ip arp inspection trust" on the uplink to mark it trusted.
Verification:-
show ip dhcp snooping binding
show ip arp inspection interfaces
show ip arp inspection statistics vlan 1
The following syslog message is logged when an ARP packet is received on an untrusted port and the sender MAC/IP pair is not present in the DHCP snooping binding table (the packet is dropped):
%SW_DAI-4-DHCP_SNOOPING_DENY
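To make the trusted/untrusted decision and the deny log concrete, here is an added example (not from the original post and not Cisco code): a small Python model of the DAI check, fed by a constructed sample of "show ip dhcp snooping binding" output, plus a parser that tallies the %SW_DAI-4-DHCP_SNOOPING_DENY messages per port, which is what you would feed a SIEM rule. The binding lines, port names, ARP packets and syslog lines are all made up for illustration; the deny-message format mirrors IOS but its trailing fields are abbreviated.

```python
# Added example: a model of the Dynamic ARP Inspection decision and a parser
# for the deny syslog. All sample data below is constructed, not captured.
import re
from dataclasses import dataclass

# Constructed sample in the layout of `show ip dhcp snooping binding`.
SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.0.1.10        86400       dhcp-snooping   1    FastEthernet0/1
00:11:22:33:44:66   10.0.1.11        86400       dhcp-snooping   1    FastEthernet0/2
Total number of bindings: 2
"""

BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+(?P<vlan>\d+)\s+(?P<intf>\S+)"
)


def parse_bindings(text):
    """Return {(vlan, mac_lowercase): ip} from binding-table text.
    Static bindings (ARP ACL entries) can be merged into the same dict."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings[(int(m["vlan"]), m["mac"].lower())] = m["ip"]
    return bindings


@dataclass
class ArpPacket:
    ingress: str        # switch port the frame arrived on (hypothetical name)
    vlan: int
    sender_mac: str
    sender_ip: str
    opcode: str = "Req"  # "Req" or "Res", as IOS prints it


def dai_check(pkt, bindings, trusted_ports, dai_vlans):
    """Return ("forward", None), ("permit", None) or ("deny", syslog_line).
    - VLAN without DAI enabled: forwarded untouched.
    - Trusted port: forwarded without inspection (the trust bypass).
    - Untrusted port: sender MAC/IP must match a binding for that VLAN."""
    if pkt.vlan not in dai_vlans:
        return ("forward", None)
    if pkt.ingress in trusted_ports:
        return ("forward", None)
    mac = pkt.sender_mac.lower()
    if bindings.get((pkt.vlan, mac)) == pkt.sender_ip:
        return ("permit", None)
    # Constructed approximation of the IOS message; the real one also carries
    # the target MAC/IP and a timestamp inside the brackets.
    log = (f"%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs ({pkt.opcode}) on "
           f"{pkt.ingress}, vlan {pkt.vlan}.([{mac}/{pkt.sender_ip}])")
    return ("deny", log)


DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (\d+) Invalid ARPs \((\w+)\) on ([^,]+), vlan (\d+)"
)


def summarize_denies(log_lines):
    """Count denied ARPs per (port, vlan) from syslog lines. DAI rate-limits
    the message, so the leading number may be >1 for a burst."""
    counts = {}
    for line in log_lines:
        m = DENY_RE.search(line)
        if m:
            key = (m.group(3), int(m.group(4)))
            counts[key] = counts.get(key, 0) + int(m.group(1))
    return counts


if __name__ == "__main__":
    bindings = parse_bindings(SNOOPING_BINDING_OUTPUT)
    trusted = {"FastEthernet0/24"}  # hypothetical uplink
    # A host claiming the gateway's IP 10.0.1.1 from an access port: denied.
    spoof = ArpPacket("FastEthernet0/1", 1, "00:11:22:33:44:55", "10.0.1.1", "Res")
    print(dai_check(spoof, bindings, trusted, {1}))
```

The two interesting cases are the spoofed reply on FastEthernet0/1 (denied, because the binding for that MAC says 10.0.1.10, not 10.0.1.1) and the same spoof arriving on the trusted uplink (forwarded without any check), which is exactly why an uplink should only be trusted when the switch on the other end runs DAI as well.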