the switch drops the DHCP packets that request invalid IP addresses, preventing the snooping of these packets. The invalid IP addresses are:
• 0.0.0.0
• 128.0.x.x
• 191.255.x.x
• 192.0.0.x
• 223.255.255.x
• 224.x.x.x
• 240.x.x.x to 255.255.255.255

Related Documentation
• Port Security for J-EX Series Switches Overview on page 2545
• Understanding Trusted DHCP Servers for Port Security on J-EX Series Switches on page 2559
• Understanding DHCP Option 82 for Port Security on J-EX Series Switches on page 2560
• DHCP Services for J-EX Series Switches Overview on page 445
• DHCP/BOOTP Relay for J-EX Series Switches Overview on page 446
• Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on a J-EX Series Switch on page 2569
• Enabling DHCP Snooping (CLI Procedure) on page 2630 and Enabling DHCP Snooping (J-Web Procedure) on page 2631
• Troubleshooting Port Security on page 2665

Understanding DAI for Port Security on J-EX Series Switches

Dynamic ARP inspection (DAI) protects J-EX Series Switches against ARP spoofing.

DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP cache poisoning. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the switch compares the address to entries in the database. If the MAC address or IP address in an ARP packet does not match a valid entry in the DHCP snooping database, the packet is dropped.

ARP packets are trapped to the Routing Engine and are rate-limited to protect the switch from CPU overload.

• Address Resolution Protocol on page 2556
• ARP Spoofing on page 2556
• DAI on J-EX Series Switches on page 2556

2555 Chapter 93: Port Security Overview
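The DAI decision described in this section (compare an ARP packet's sender addresses against the DHCP snooping database and drop on mismatch), modelled in Python as an added example; it is not code from the switch software or from this guide. The binding table, VLAN name, and addresses are constructed sample data, and keying bindings by VLAN is a modelling assumption.

```python
import socket
import struct

# Constructed snooping bindings: (VLAN, IP) -> MAC learned from DHCP.
# Sample data only; keying by VLAN is an assumption of this model.
BINDINGS = {
    ("employee", "10.0.10.21"): "00:11:22:33:44:55",
    ("employee", "10.0.10.22"): "00:11:22:33:44:66",
}

def parse_arp(payload: bytes):
    """Return (opcode, sender MAC, sender IP) from an Ethernet/IPv4 ARP body."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sender_mac = ":".join(f"{b:02x}" for b in payload[8:14])
    return oper, sender_mac, socket.inet_ntoa(payload[14:18])

def inspect(payload: bytes, vlan: str) -> str:
    """Forward only if the sender IP has a binding and the sender MAC matches it."""
    try:
        _oper, mac, ip = parse_arp(payload)
    except ValueError:
        return "drop: malformed"
    bound_mac = BINDINGS.get((vlan, ip))
    if bound_mac is None:
        return "drop: no binding for sender IP"
    if bound_mac != mac:
        return "drop: sender MAC does not match binding"
    return "forward"

def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(oper, sha, spa, tha, tpa) -> bytes:
    """Build a constructed 28-byte ARP body for the sample cases."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + _mac_bytes(sha)
            + socket.inet_aton(spa) + _mac_bytes(tha) + socket.inet_aton(tpa))

if __name__ == "__main__":
    a, b = "00:11:22:33:44:55", "00:11:22:33:44:66"
    cases = {
        "legitimate reply": build_arp(2, a, "10.0.10.21", b, "10.0.10.22"),
        "forged sender IP": build_arp(2, a, "10.0.10.22", b, "10.0.10.21"),
        "unbound sender IP": build_arp(1, a, "10.0.10.1", b, "10.0.10.22"),
    }
    for name, pkt in cases.items():
        print(f"{name}: {inspect(pkt, 'employee')}")
```

In this model, a sender address that was never learned through DHCP has no binding and is dropped in the same way as a forged one.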