Service Manual
Bypassing the ARP Inspection
You can congure a port to skip ARP inspection by dening the interface as trusted, which is useful in multi-switch environments.
ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default.
To bypass the ARP inspection, use the following command.
• Specify an interface as trusted so that ARPs are not validated against the binding table.
INTERFACE mode
arp inspection-trust
Dell Networking OS Behavior: Introduced in Dell Networking OS version 8.2.1.0, DAI was available for Layer 3 only. However, Dell
Networking OS version 8.2.1.1 extends DAI to Layer 2.
Source Address Validation
Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV).
Table 15. Three Types of Source Address Validation
Source Address Validation Description
IP Source Address Validation Prevents IP spoong by forwarding only IP packets that have
been validated against the DHCP binding table.
DHCP MAC Source Address Validation Veries a DHCP packet’s source hardware address matches the
client hardware address eld (CHADDR) in the payload.
IP+MAC Source Address Validation Veries that the IP source address and MAC source address are
a legitimate pair.
Enabling IP Source Address Validation
IP source address validation (SAV) prevents IP spoong by forwarding only IP packets that have been validated against the DHCP
binding table.
A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using ARP
spoong, an attacker can assume a legitimate client’s identity and receive trac addressed to it. Then the attacker can spoof the
client’s IP address to interact with other clients.
The DHCP binding table associates addresses the DHCP servers assign with the port or the port channel interface on which the
requesting client is attached and the VLAN the client belongs to. When you enable IP source address validation on a port, the system
veries that the source IP address is one that is associated with the incoming port and optionally that the client belongs to the
permissible VLAN. If an attacker is impostering as a legitimate client, the source address appears on the wrong ingress port and the
system drops the packet. If the IP address is fake, the address is not on the list of permissible addresses for the port and the packet
is dropped. Similarly, if the IP address does not belong to the permissible VLAN, the packet is dropped.
To enable IP source address validation, use the following command.
NOTE: If you enable IP source guard using the ip dhcp source-address-validation command and if there are
more entries in the current DHCP snooping binding table than the available CAM space, SAV may not be applied to all
entries. To ensure that SAV is applied correctly to all entries, enable the ip dhcp source-address-validation
command before adding entries to the binding table.
• Enable IP source address validation.
INTERFACE mode
INTERFACE PORT EXTENDER
ip dhcp source-address-validation
Dynamic Host Conguration Protocol (DHCP)
253