Filter
Top Products
440 Configuring Switching Information
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI
prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other
stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests
or responses mapping another station’s IP address to its own MAC address.
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and builds a
binding database of valid {MAC address, IP address, VLAN, and interface} tuples.
When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address
do not match an entry in the DHCP snooping bindings database. You can optionally configure additional
ARP packet validation.
The Dynamic ARP Inspection menu page contains links to the following features:
• DAI Global Configuration
• DAI Interface Configuration
• DAI VLAN Configuration
• DAI ACL Configuration
• DAI ACL Rule Configuration
•DAI Statistics
DAI Global Configuration
Use the DAI Configuration page to configure global DAI settings.
To display the DAI Configuration page, click Switching
→
Dynamic ARP Inspection
→
Global
Configuration in the navigation tree.
Table 7-57. Link Dependency Commands
CLI Command Description
link-dependency group Enters the link-dependency mode to configure a link-dependency
group.
add ethernet Adds member Ethernet port(s) to the dependency list.
add port-channel Adds member port-channels to the dependency list.
depends-on ethernet Adds the dependent Ethernet ports list.
depends-on port-channel Adds the dependent port-channels list.
show link-dependency Shows the link dependencies configured on a particular group.