298 | Chapter 15. Security Management
ProSafe M4100 and M7100 Managed Switches
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and
builds a bindings database of valid tuples (MAC address, IP address, VLAN interface).
When DAI is enabled, the switch drops ARP packet if the sender MAC address and sender IP
address do not match an entry in the DHCP snooping bindings database. However, it can be
overcome through static mappings. Static mappings are useful when hosts configure static IP
addresses, DHCP snooping cannot be run, or other switches in the network do not run
dynamic ARP inspection. A static mapping associates an IP address to a MAC address on a
VLAN.
Static client
IP address: 192.168.10.1
HW address: 00:11:85:EE:54:E9
Interface
1/0/2
GSM73xxS
Interface
1/0/1
Interface
1/0/3
DHCP server
IP address: 192.168.10.1
DHCP client
IP address: 192.168.10.86 (obtained)
HW address: 00:16:76:A7:88:CC
Figure 32. Dynamic ARP inspection
CLI: Configure Dynamic ARP Inspection
1. Enable DHCP snooping globally.
(Netgear Switch) (Config)# ip dhcp snooping
2. Enable DHCP snooping in a VLAN.
(Netgear Switch) (Config)# ip dhcp snooping vlan 1