Dynamic Arp Inspection - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex

Chapter 1
Product Overview

Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) intercepts all ARP requests and replies on untrusted ports and verifies each intercepted packet for a valid IP-to-MAC binding. Dynamic ARP Inspection helps to prevent attacks on a network by not relaying invalid ARP replies out to other ports in the same VLAN. Denied ARP packets are logged by the switch for auditing.

For more information on dynamic ARP inspection, see Chapter 58, "Configuring Dynamic ARP Inspection."

Dynamic Host Configuration Protocol Snooping

Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that is a component of a DHCP server. DHCP snooping provides security by intercepting untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message received from outside the network or firewall that can cause traffic attacks within your network.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also provides a way to differentiate between untrusted interfaces connected to end users and trusted interfaces connected to the DHCP server or to another switch.

With SSO support, DHCP snooping propagates the DHCP-snooped data from the active supervisor engine to the redundant supervisor engine, so that when a switchover occurs the newly active supervisor engine is aware of the DHCP data that was already snooped and the security benefits continue uninterrupted.

For DHCP server configuration information, refer to the chapter "Configuring DHCP" in the Cisco IOS IP and IP Routing Configuration Guide at the following URL:
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcp_rdmp_ps6350_TSD_Products_Configuration_Guide_Chapter.html

For information on configuring DHCP snooping, see Chapter 60, "Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts."

Flood Blocking

Flood blocking enables users to disable the flooding of unicast and multicast packets on a per-port basis. Occasionally, unknown unicast or multicast traffic from an unprotected port is flooded to a protected port because a MAC address has timed out or has not been learned by the switch.

For information on flood blocking, see Chapter 64, "Port Unicast and Multicast Flood Blocking."

Hardware-Based Control Plane Policing

Control Plane Policing provides a unified solution to limit the rate of CPU-bound control plane traffic in hardware. It enables users to install system-wide control plane ACLs to protect the CPU by limiting rates or by filtering out malicious DoS attacks. Control plane policing ensures network stability, availability and packet forwarding, and prevents network outages such as loss of protocol updates despite an attack or heavy load on the switch. Hardware-based control plane policing is available for all Catalyst 4500 supervisor engines. It supports various Layer 2 and Layer 3 control protocols, such as
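To make the DAI and DHCP snooping behaviour described above concrete, the following Python model is an added example, not code from the Cisco guide or from the switch software. It assumes constructed port names, a constructed trust list, a constructed VLAN and constructed DHCP/ARP traffic; the log strings are illustrative and not the switch's real syslog format.

```python
from dataclasses import dataclass, field

# Constructed trust state: the uplink/DHCP-server port is trusted, every
# other port is untrusted and therefore subject to DHCP snooping and DAI.
TRUSTED_PORTS = {"Gi1/1"}


@dataclass
class Switch:
    # DHCP snooping binding table: (vlan, ip) -> mac, learned from DHCP ACKs.
    bindings: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def dhcp_snoop(self, port, vlan, msg_type, ip, mac):
        """DHCP snooping: server-originated messages (OFFER/ACK/NAK) arriving on an
        untrusted port are dropped; ACKs seen on trusted ports populate the binding
        table used later by DAI. Returns True when the message is forwarded."""
        if msg_type in ("OFFER", "ACK", "NAK") and port not in TRUSTED_PORTS:
            self.log.append(f"DHCP {msg_type} dropped on untrusted port {port}")
            return False
        if msg_type == "ACK":
            self.bindings[(vlan, ip)] = mac
        return True

    def arp_inspect(self, port, vlan, sender_ip, sender_mac):
        """DAI: ARP on trusted ports is relayed unchanged; on untrusted ports the
        sender IP/MAC pair must match a snooped binding in that VLAN, otherwise
        the packet is denied and logged. Returns True when the ARP is relayed."""
        if port in TRUSTED_PORTS:
            return True
        if self.bindings.get((vlan, sender_ip)) == sender_mac:
            return True
        self.log.append(f"ARP denied on {port} vlan {vlan}: {sender_ip} claims {sender_mac}")
        return False


def run_scenario():
    """Constructed scenario: one legitimate lease, one rogue DHCP server, one spoofed ARP."""
    sw = Switch()
    # Legitimate DHCP server on trusted Gi1/1 leases 10.0.0.5 to the host on Gi1/2.
    sw.dhcp_snoop("Gi1/1", 10, "ACK", "10.0.0.5", "aa:bb:cc:00:00:05")
    # A DHCP OFFER from a host on untrusted Gi1/3 is dropped before it reaches clients.
    rogue_dhcp = sw.dhcp_snoop("Gi1/3", 10, "OFFER", "10.0.0.9", "aa:bb:cc:00:00:09")
    # ARP from the leased host matches its binding and is relayed.
    legit = sw.arp_inspect("Gi1/2", 10, "10.0.0.5", "aa:bb:cc:00:00:05")
    # ARP from Gi1/3 claiming 10.0.0.5 with a different MAC fails the binding check.
    spoof = sw.arp_inspect("Gi1/3", 10, "10.0.0.5", "aa:bb:cc:00:00:99")
    return {"rogue_dhcp": rogue_dhcp, "legit": legit, "spoof": spoof, "log": sw.log}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```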
