Syntax
ip verify binding <mac-address> vlan <vlan id> <ip address> interface <slot/port>
no ip verify binding <mac-address> vlan <vlan id> <ip address> interface <slot/port>
no - This command removes the IPSG static entry from the IPSG database.
Default Setting
None
Command Mode
Global Config

7.20 Dynamic ARP Inspection (DAI) Command

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI
prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other
stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests
or responses mapping another station's IP address to its own MAC address.
To prevent ARP poisoning attacks, a switch must ensure that only valid ARP requests and responses are
relayed. DAI prevents these attacks by intercepting all ARP requests and responses. Each of these
intercepted packets is verified for valid MAC address to IP address bindings before the local ARP cache is
updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped.
DAI determines the validity of an ARP packet based on valid MAC address to IP address bindings stored
in a trusted database. This database is built at runtime by DHCP snooping, provided this feature is
enabled on VLANs and on the switch. DAI relies on DHCP snooping. DHCP snooping listens to DHCP
message exchanges and builds a binding database of valid {MAC address, IP address, VLAN, and
interface} tuples. In addition, in order to handle hosts that use statically configured IP addresses, DAI can
also validate ARP packets against user-configured ARP ACLs.
When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address
do not match an entry in the DHCP snooping bindings database. You can optionally configure additional
ARP packet validation.
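The following is an added illustration, not code from the manual or the switch firmware: a minimal model of the DAI decision described above, checking each ARP packet's sender MAC/IP pair against a constructed DHCP snooping binding database of {MAC, IP, VLAN, interface} tuples, then against a constructed ARP ACL (assumed here to be a per-VLAN set of permitted MAC/IP pairs) for statically addressed hosts, and tallying the forwarded/dropped counts per VLAN.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One {MAC, IP, VLAN, interface} tuple as learned by DHCP snooping."""
    mac: str
    ip: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class ArpPacket:
    sender_mac: str
    sender_ip: str
    vlan: int

# Constructed DHCP snooping binding database (sample values, not real hosts).
SNOOPING_DB = {
    Binding("00:11:22:33:44:55", "10.0.1.10", 10, "0/1"),
    Binding("00:11:22:33:44:66", "10.0.1.11", 10, "0/2"),
}
# Constructed ARP ACL, modelled as VLAN -> permitted (MAC, IP) pairs, for a
# host with a statically configured address that DHCP snooping never sees.
ARP_ACL = {10: {("00:11:22:33:44:77", "10.0.1.20")}}

def dai_verdict(pkt: ArpPacket) -> str:
    """Return 'forward' or 'drop': the sender MAC/IP pair must match a binding
    on the packet's VLAN, or a user-configured ARP ACL entry for that VLAN."""
    if (pkt.sender_mac, pkt.sender_ip) in ARP_ACL.get(pkt.vlan, set()):
        return "forward"
    for b in SNOOPING_DB:
        if (b.vlan, b.mac, b.ip) == (pkt.vlan, pkt.sender_mac, pkt.sender_ip):
            return "forward"
    # Sender claims an IP it is not bound to: a possible cache-poisoning attempt.
    return "drop"

def inspect(packets) -> Counter:
    """Apply DAI to each packet and return per-(VLAN, verdict) counts, the kind
    of figures 'show ip arp inspection statistics' reports."""
    stats = Counter()
    for pkt in packets:
        stats[(pkt.vlan, dai_verdict(pkt))] += 1
    return stats
```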

7.20.1 Show Commands

7.20.1.1 show ip arp inspection statistics

This command displays the statistics of the ARP packets processed by Dynamic ARP Inspection. Give
the vlan-list argument and the command displays the statistics on all DAI-enabled VLANs in that list. Give