Reference Guide
Dynamic Host Configuration Protocol (DHCP) | 339
Use show arp inspection statistics command to see how many valid and invalid ARP packets have been
processed.
Figure 14-9. Command example: show arp inspection database
Bypassing the ARP Inspection
You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in
multi-switch environments. ARPs received on trusted ports bypass validation against the binding table. All
ports are untrusted by default.
Source Address Validation
Using the DHCP binding table, Dell Networking OS can perform three types of source address validation
(SAV):
• Validating IP Source Address prevents IP spoofing by forwarding only IP packets that have been
validated against the DHCP binding table.
• Validating DHCP MAC Source Address verifies a DHCP packet’s source hardware address matches
the client hardware address field (CHADDR) in the payload.
• Validating IP+MAC Source Address verifies that the IP source address and MAC source address are a
legitimate pair.
Validating IP Source Address
IP Source Address Validation (SAV) prevents IP spoofing by forwarding only IP packets that have been
validated against the DHCP binding table. A spoofed IP packet is one in which the IP source address is
strategically chosen to disguise the attacker. For example, using ARP spoofing an attacker can assume a
legitimate client’s identity and receive traffic addressed to it. Then the attacker can spoof the client’s IP
address to interact with other clients.
Task Command Syntax Command Mode
Specify an interface as trusted so that ARPs are not validated against the
binding table.
arp inspection-trust
INTERFACE
Dell#show arp inspection statistics
Dynamic ARP Inspection (DAI) Statistics
---------------------------------------
Valid ARP Requests : 0
Valid ARP Replies : 1000
Invalid ARP Requests : 1000
Invalid ARP Replies : 0
Dell#