Cisco Catalyst 4500 series Administration Manual page 1374
Hide thumbs
Also See for Catalyst 4500 series:
- Software configuration manual (2086 pages) ,
- Configuration manual (1610 pages) ,
- Command reference manual (1230 pages)
Table of Contents
Advertisement
Configuring Dynamic ARP Inspection
To perform specific checks on incoming ARP packets, perform this task:
Command
Step 1
Switch# configure terminal
Step 2
Switch(config)# ip arp inspection
{[
validate
src-mac
Step 3
Switch(config)# exit
Step 4
Switch# show ip arp inspection
vlan vlan-range
Step 5
Switch# copy running-config
startup-config
To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global
configuration command. To display statistics for forwarded, dropped, MAC validation failure, and IP
validation failure packets, use the show ip arp inspection statistics privileged EXEC command.
This example shows how to configure source mac validation. Packets are dropped and an error message
may be generated when the source address in the Ethernet header does not match the sender hardware
address in the ARP body.
SwitchB# configure terminal
Enter configuration commands, one per line.
SwitchB(config)# ip arp inspection validate src-mac
SwitchB(config)# exit
SwitchB# show ip arp inspection vlan 100
Source Mac Validation
Destination Mac Validation : Disabled
IP Address Validation
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
52-20
Purpose
Enters global configuration mode.
Performs a specific check on incoming ARP packets. By default, no
] [
] [
]}
dst-mac
ip
additional checks are performed.
The keywords have these meanings:
For src-mac, check the source MAC address in the Ethernet header
•
against the sender MAC address in the ARP body. This check is
performed on both ARP requests and responses. When enabled, packets
with different MAC addresses are classified as invalid and are dropped.
For dst-mac, check the destination MAC address in the Ethernet header
•
against the target MAC address in ARP body. This check is performed
for ARP responses. When enabled, packets with different MAC
addresses are classified as invalid and are dropped.
•
For ip, check the ARP body for invalid and unexpected IP addresses.
Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast
addresses. Sender IP addresses are checked in all ARP requests and
responses, and target IP addresses are checked only in ARP responses.
You must specify at least one of the keywords. Each command overrides the
configuration of the previous command; that is, if a command enables src
and dst mac validations, and a second command enables IP validation only,
the src and dst mac validations are disabled as a result of the second
command.
Returns to privileged EXEC mode.
Verifies your settings.
(Optional) Saves your entries in the configuration file.
: Enabled
: Disabled
Chapter 52
Configuring Dynamic ARP Inspection
End with CNTL/Z.
OL_28731-01
Advertisement
Chapters
Table of Contents
Troubleshooting
