Table of Contents
Advertisement
This command specifies additional validation of address components in an
ip arp inspection
ARP packet. Use the no form to restore the default setting.
validate
S
YNTAX
D
EFAULT
No additional validation is performed
C
OMMAND
Global Configuration
C
OMMAND
By default, ARP Inspection only checks the IP-to-MAC address bindings
specified in an ARP ACL or in the DHCP Snooping database.
E
XAMPLE
Console(config)#ip arp inspection validate dst-mac
Console(config)#
This command enables ARP Inspection for a specified VLAN or range of
ip arp inspection
VLANs. Use the no form to disable this function.
vlan
S
YNTAX
ip arp inspection validate {dst-mac [ip] [src-mac] |
ip [src-mac] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet
header against the target MAC address in the ARP body. This check
is performed for ARP responses. When enabled, packets with
different MAC addresses are classified as invalid and are dropped.
ip - Checks the ARP body for invalid and unexpected IP addresses.
Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast
addresses. Sender IP addresses are checked in all ARP requests and
responses, while target IP addresses are checked only in ARP
responses.
src-mac - Checks the source MAC address in the Ethernet header
against the sender MAC address in the ARP body. This check is
performed on both ARP requests and responses. When enabled,
packets with different MAC addresses are classified as invalid and
are dropped.
S
ETTING
M
ODE
U
SAGE
[no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID. (Range: 1-4093)
vlan-range - A consecutive range of VLANs indicated by the use a
hyphen, or a random group of VLANs with each entry separated by
a comma.
– 703 –
| General Security Measures
C
24
HAPTER
ARP Inspection
- Quick Links:
- Connecting to the Switch
Hide quick links:
Advertisement
Table of Contents
