Enabling Additional Validation - Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual

Software configuration guide

Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
OL-11439-03

Chapter 35
Configuring Dynamic ARP Inspection
Configuring DAI

Router(config)# errdisable recovery cause arp-inspection
Router(config)# do show errdisable recovery | include Reason|---|arp-
ErrDisable Reason    Timer Status
-----------------    --------------
arp-inspection       Enabled

Enabling Additional Validation

DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can
enable additional validation on the destination MAC address, the sender and target IP addresses, and the
source MAC address.

To enable additional validation, perform this task:

Step 1
  Command: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 2
  Command: Router(config)# ip arp inspection validate {[dst-mac] [ip] [src-mac]}
  Purpose: (Optional) Enables additional validation (default is none).

  Command: Router(config)# no ip arp inspection validate {[dst-mac] [ip] [src-mac]}
  Purpose: Disables additional validation.

Step 3
  Command: Router(config)# do show ip arp inspection | include abled$
  Purpose: Verifies the configuration.

The additional validations do the following:

• dst-mac—Checks the destination MAC address in the Ethernet header against the target MAC
  address in ARP body. This check is performed for ARP responses. When enabled, packets with
  different MAC addresses are classified as invalid and are dropped.
• ip—Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0,
  255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP
  requests and responses, and target IP addresses are checked only in ARP responses.
• src-mac—Checks the source MAC address in the Ethernet header against the sender MAC address
  in the ARP body. This check is performed on both ARP requests and responses. When enabled,
  packets with different MAC addresses are classified as invalid and are dropped.

When enabling additional validation, note the following information:

• You must specify at least one of the keywords.
• Each ip arp inspection validate command overrides the configuration from any previous
  commands. If an ip arp inspection validate command enables src-mac and dst-mac validations,
  and a second ip arp inspection validate command enables IP validation only, the src-mac and
  dst-mac validations are disabled as a result of the second command.

This example shows how to enable src-mac additional validation:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip arp inspection validate src-mac
Router(config)# do show ip arp inspection | include abled$
Source Mac Validation      : Enabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
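The dst-mac, ip, and src-mac checks described above can be modeled offline to see which frames each keyword would classify as invalid. The following Python sketch is an added example, not Cisco code and not part of the original guide; it covers only these three checks (not the IP-to-MAC binding check), and the names build_frame, bad_ip, validate, and SAMPLES are hypothetical.

```python
import ipaddress
import struct

ARP_REPLY = 2  # ARP opcode: 1 = request, 2 = response

def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed Ethernet II + ARP (IPv4 over Ethernet) frame."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    fixed = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return mac(eth_dst) + mac(eth_src) + fixed + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def bad_ip(raw):
    """ip check: 0.0.0.0, 255.255.255.255 and all IP multicast are invalid."""
    addr = ipaddress.IPv4Address(raw)
    return addr.is_unspecified or int(addr) == 0xFFFFFFFF or addr.is_multicast

def validate(frame, checks):
    """Return the enabled checks this frame fails; an empty set means it passes."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    etype, htype, ptype, hlen, plen, op = struct.unpack("!HHHBBH", frame[12:22])
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    failed = set()
    # src-mac: Ethernet source vs. ARP sender MAC, on requests and responses
    if "src-mac" in checks and eth_src != sha:
        failed.add("src-mac")
    # dst-mac: Ethernet destination vs. ARP target MAC, on responses only
    if "dst-mac" in checks and op == ARP_REPLY and eth_dst != tha:
        failed.add("dst-mac")
    # ip: sender IP always, target IP only on responses
    if "ip" in checks and (bad_ip(spa) or (op == ARP_REPLY and bad_ip(tpa))):
        failed.add("ip")
    return failed

# Constructed sample frames (documentation MAC and IP ranges, not captured traffic)
GW, A, B = "00:00:5e:00:53:01", "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
SAMPLES = {
    "clean_reply": build_frame(A, GW, 2, GW, "192.0.2.1", A, "192.0.2.10"),
    "src_mismatch": build_frame(A, B, 2, GW, "192.0.2.1", A, "192.0.2.10"),
    "dst_mismatch": build_frame(A, GW, 2, GW, "192.0.2.1", B, "192.0.2.10"),
    "mcast_sender": build_frame("ff:ff:ff:ff:ff:ff", A, 1, A, "224.0.0.5",
                                "00:00:00:00:00:00", "192.0.2.1"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, sorted(validate(frame, {"src-mac", "dst-mac", "ip"})))
```

Calling validate with only {"ip"} on the src_mismatch frame returns an empty set, which mirrors the override behavior noted above: once a later command enables IP validation only, frames with mismatched MAC addresses are no longer caught by these checks.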
