CHAPTE R
21-1
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
21
Configuring Dynamic ARP Inspection
Note To use Dynamic ARP inspection, the switch must be running the LAN Base image.
Note This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynami c ARP
inspection) on the Catalyst 2960 and 2960-S switches. This feature helps prevent malicious attacks on
the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Stacking
is supported only on Catalyst 2960-S switches running the LA N base image.
For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release.
This chapter consists of these sections:
Understanding Dynamic ARP Inspection, page 21-1
Configuring Dynamic ARP Inspection, page 21-5
Displaying Dynamic ARP Inspection Information, page 21-15

Understanding Dynamic ARP Inspection

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address t o a MAC
address. For example, Host B wants to send information to Host A but does not have the MAC address
of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast
domain to obtain the MAC address associated with the IP address of Host A. All hosts within the
broadcast domain receive the ARP request, and Host A responds with its MAC address. However,
because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP
spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device
under attack flows through the attacker’s computer and then to the router, switch, or host.
A malicious user can attack hosts, switches, and routers connected to you r Layer 2 network by poisoning
the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts
on the subnet. Figure 21-1 shows an example of ARP cache poisoning.