Edge-Core ECS4110-28T Management Manual page 952

| General Security Measures
C 25
HAPTER
ARP Inspection
ip arp inspection
validate
E
XAMPLE
Console(config)#ip arp inspection log-buffer logs 1 interval 10
Console(config)#
This command specifies additional validation of address components in an
ARP packet. Use the no form to restore the default setting.
S
YNTAX
ip arp inspection validate
{dst-mac [ip [allow-zeros] [src-mac]] |
ip [allow-zeros] [src-mac]] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet
header against the target MAC address in the ARP body. This check
is performed for ARP responses. When enabled, packets with
different MAC addresses are classified as invalid and are dropped.
ip - Checks the ARP body for invalid and unexpected IP addresses.
Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast
addresses. Sender IP addresses are checked in all ARP requests and
responses, while target IP addresses are checked only in ARP
responses.
allow-zeros - Allows sender IP address to be 0.0.0.0.
src-mac - Checks the source MAC address in the Ethernet header
against the sender MAC address in the ARP body. This check is
performed on both ARP requests and responses. When enabled,
packets with different MAC addresses are classified as invalid and
are dropped.
D S
EFAULT ETTING
No additional validation is performed
C M
OMMAND ODE
Global Configuration
C U
OMMAND SAGE
By default, ARP Inspection only checks the IP-to-MAC address bindings
specified in an ARP ACL or in the DHCP Snooping database.
E
XAMPLE
Console(config)#ip arp inspection validate dst-mac
Console(config)#
– 952 –