User manual
Table Of Contents
- Introduction
- Product Overview
- Installation and Quick Startup
- Package Contents
- Switch Installation
- Installing the Switch in a Rack
- Quick Starting the Switch
- System Information Setup
- Quick Start up Software Version Information
- Quick Start up Physical Port Data
- Quick Start up User Account Management
- Quick Start up IP Address
- Quick Start up Uploading from Switch to Out-of-Band PC
- Quick Start up Downloading from Out-of-Band PC to Switch
- Quick Start up Downloading from TFTP Server
- Quick Start up Factory Defaults
- Console and Telnet Administration Interface
- Web-Based Management Interface
- Command Line Interface Structure and Mode-based CLI
- Switching Commands
- System Information and Statistics commands
- Device Configuration Commands
- Interface
- L2 MAC Address and Multicast Forwarding Database Tables
- VLAN Management
- Double VLAN commands
- GVRP and Bridge Extension
- IGMP Snooping
- IGMP Snooping Querier
- MLD Snooping
- MLD Snooping Querier
- Port Channel
- Storm Control
- L2 Priority
- Port Mirror
- Link State
- Port Backup
- FIP Snooping
- Enhanced Transmission Selection (ETS)
- Congestion Notification
- Management Commands
- Spanning Tree Commands
- System Log Management Commands
- Script Management Commands
- User Account Management Commands
- Security Commands
- CDP (Cisco Discovery Protocol) Commands
- SNTP (Simple Network Time Protocol) Commands
- MAC-Based Voice VLAN Commands
- LLDP (Link Layer Discovery Protocol) Commands
- Denial Of Service Commands
- VTP (VLAN Trunking Protocol) Commands
- Protected Ports Commands
- Static MAC Filtering Commands
- System Utilities
- DHCP Snooping Commands
- IP Source Guard (IPSG) Commands
- Dynamic ARP Inspection (DAI) Command
- Differentiated Service Command
- ACL Command
- IPv6 ACL Command
- CoS (Class of Service) Command
- Domain Name Server Relay Commands
- Routing Commands
- IP Multicast Commands
- IPv6 Commands
- Web-Based Management Interface
- Overview
- System Menu
- View ARP Cache
- Viewing Inventory Information
- Configuring Management Session and Network Parameters
- Defining Forwarding Database
- Viewing Logs
- Managing Switch Interface
- Defining sFlow
- Defining SNMP
- Viewing Statistics
- Managing System Utilities
- Managing CDP Function
- Defining Trap Manager
- Configuring SNTP
- Defining DHCP Client
- Defining DNS Relay Function
- Switching Menu
- Managing DHCP Snooping
- Managing IP Source Guard (IPSG)
- Managing Dynamic ARP Inspection (DAI)
- Managing Filters
- Managing Port-based VLAN
- Managing Protected Ports
- Managing Protocol-based VLAN
- Managing IP Subnet-based VLAN
- Managing MAC-based VLAN
- Managing MAC-based Voice VLAN
- Managing Voice VLAN
- Defining GARP
- Managing IGMP Snooping
- Managing IGMP Snooping Querier
- Managing MLD Snooping
- Managing MLD Snooping Querier
- Managing Port-Channel
- Viewing Multicast Forwarding Database
- Managing Spanning Tree
- Defining 802.1p priority
- Managing Port Security
- Managing LLDP
- Managing LLDP-MED
- Managing VTP
- Managing Link State
- Managing Port-Backup
- Managing FIP-Snooping
- Routing Menu
- Security Menu
- IPv6 Menu
- Configuring IPv6 Global Configuration Page
- Configuring IPv6 Interface Configuration Page
- Viewing IPv6 Interface Summary Page
- Viewing IPv6 Interface Statistics Page
- Viewing IPv6 Neighbor Table Information Page
- Viewing IPv6 Static Neighbor Table Information Page
- Managing OSPFv3 Protocol
- Managing IPv6 Routes
- Managing RIPv6
- QOS Menu
- IPv4 Multicast Menu
- IPv6 Multicast Menu

Syntax
ip verify binding <mac-address> vlan <vlan id> <ip address> interface <slot/port>
no ip verify binding <mac-address> vlan <vlan id> <ip address> interface <slot/port>
no - This command removes the IPSG static entry from the IPSG database.
Default Setting
None
Command Mode
Global Config
7.20 Dynamic ARP Inspection (DAI) Command
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI
prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other
stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests
or responses mapping another station's IP address to its own MAC address.
To prevent ARP poisoning attacks, a switch must ensure that only valid ARP requests and responses are
relayed. DAI prevents these attacks by intercepting all ARP requests and responses. Each of these
intercepted packets is verified for valid MAC address to IP address bindings before the local ARP cache is
updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped.
DAI determines the validity of an ARP packet based on valid MAC address to IP address bindings stored
in a trusted database. This database is built at runtime by DHCP snooping, provided this feature is
enabled on VLANs and on the switch. DAI relies on DHCP snooping. DHCP snooping listens to DHCP
message exchanges and builds a binding database of valid {MAC address, IP address, VLAN, and
interface} tuples. In addition, in order to handle hosts that use statically configured IP addresses, DAI can
also validate ARP packets against user-configured ARP ACLs.
When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address
do not match an entry in the DHCP snooping bindings database. You can optionally configure additional
ARP packet validation.
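
The check described above, sketched as an added example (not the switch firmware's code): an ARP payload is parsed, and its sender MAC and sender IP are looked up in a DHCP snooping binding table, then in an ARP ACL for static hosts. The table contents, the interface names, matching on the full tuple including VLAN and interface, and the ACL being a set of permitted MAC/IP pairs are all assumptions made for the illustration.

```python
import ipaddress
import struct

# Constructed sample data: DHCP snooping bindings as (MAC, IP, VLAN, interface)
# tuples, plus a user-configured ARP ACL entry for a statically addressed host.
BINDINGS = {
    ("00:11:22:33:44:55", "192.0.2.10", 10, "0/1"),
    ("00:11:22:33:44:66", "192.0.2.11", 10, "0/2"),
}
ARP_ACL = {("00:aa:bb:cc:dd:01", "192.0.2.50")}  # static host, no DHCP lease


def parse_arp(payload: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        raise ValueError("not an Ethernet/IPv4 ARP request or reply")
    sha, spa = payload[8:14], payload[14:18]
    return sha.hex(":"), str(ipaddress.IPv4Address(spa))


def inspect(payload: bytes, vlan: int, interface: str) -> str:
    """Model of the DAI decision: 'forward' only for a known sender binding."""
    try:
        mac, ip = parse_arp(payload)
    except ValueError:
        return "drop"  # malformed ARP is treated as invalid
    # Assumption: the lookup matches the whole binding tuple.
    if (mac, ip, vlan, interface) in BINDINGS or (mac, ip) in ARP_ACL:
        return "forward"
    return "drop"


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a constructed ARP payload for the demo."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return header + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


if __name__ == "__main__":
    legit = build_arp(2, "00:11:22:33:44:55", "192.0.2.10", "00:11:22:33:44:66", "192.0.2.11")
    # Constructed poisoned reply: the host on 0/2 claims 192.0.2.10 with its own MAC.
    spoof = build_arp(2, "00:11:22:33:44:66", "192.0.2.10", "00:11:22:33:44:55", "192.0.2.10")
    print(inspect(legit, 10, "0/1"), inspect(spoof, 10, "0/2"))
```
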
7.20.1 Show Commands
7.20.1.1 show ip arp inspection statistics
This command displays the statistics of the ARP packets processed by Dynamic ARP Inspection. Give
the vlan-list argument and the command displays the statistics on all DAI-enabled VLANs in that list. Give