Dell MXL 10/40GbE Switch User Manual

Open as PDF

of 1094

---------------------------------------

Valid ARP Requests : 0

Valid ARP Replies : 1000

Invalid ARP Requests : 1000

Invalid ARP Replies : 0

Dell#

Bypassing the ARP Inspection

You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in

multi-switch environments.

ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by

default.

To bypass the ARP inspection, use the following command.

• Specify an interface as trusted so that ARPs are not validated against the binding table.

INTERFACE mode

arp inspection-trust

Dell Networking OS Behavior: Introduced in the Dell Networking OS version 8.2.1.0, DAI was available

for Layer 3 only. However, the Dell Networking OS version 8.2.1.1 extends DAI to Layer 2.

Source Address Validation

Using the DHCP binding table, the Dell Networking OS can perform three types of source address

validation (SAV).

Table 16. Three Types of Source Address Validation

Source Address Validation Description

IP Source Address Validation Prevents IP spoofing by forwarding only IP packets

that have been validated against the DHCP binding

table.

DHCP MAC Source Address Validation Verifies a DHCP packet’s source hardware address

matches the client hardware address field

(CHADDR) in the payload.

IP+MAC Source Address Validation Verifies that the IP source address and MAC source

address are a legitimate pair.

Enabling IP Source Address Validation

IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been

validated against the DHCP binding table.

A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker.

For example, using ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic

addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.

The DHCP binding table associates addresses the DHCP servers assign, with the port on which the

requesting client is attached. When you enable IP source address validation on a port, the system verifies

that the source IP address is one that is associated with the incoming port. If an attacker is impostering as

a legitimate client, the source address appears on the wrong ingress port and the system drops the

Dynamic Host Configuration Protocol (DHCP)

335

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

Dell MXL 10/40GbE Switch User Manual