Interaction Between Arp Inspection And Dhcp Snooping; Arp Defaults - Cisco SF500-24 Administration Manual

Esw2 series advanced switches

Security
Dynamic ARP Inspection
Cisco 500 Series Stackable Managed Switch Administration Guide Release 1.3
If a packet is valid, it is forwarded and the ARP cache is updated.
If the ARP Packet Validation option is selected (Properties page), the following additional validation checks are performed:
• Source MAC — Compares the packet's source MAC address in the Ethernet header against the sender's MAC address in the ARP request. This check is performed on both ARP requests and responses.
• Destination MAC — Compares the packet's destination MAC address in the Ethernet header against the destination interface's MAC address. This check is performed for ARP responses.
• IP Addresses — Checks the ARP body for invalid and unexpected IP addresses. These include 0.0.0.0, 255.255.255.255, and all IP Multicast addresses.
Packets with invalid ARP Inspection bindings are logged and dropped.
Up to 1024 entries can be defined in the ARP Access Control table.
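
The three ARP Packet Validation checks listed above can be modeled on raw frames as follows. This is an added example, not Cisco code or the switch's implementation. It assumes that the "destination interface's MAC address" corresponds to the target hardware address in the ARP body, and that the IP check covers both the sender and target IP fields; the check names, MAC addresses and IP addresses are constructed for illustration.

```python
import ipaddress
import struct

def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed Ethernet II + ARP frame (helper for the samples)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return mac(eth_dst) + mac(eth_src) + b"\x08\x06" + arp

def bad_ip(raw):
    """True for 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    addr = ipaddress.IPv4Address(raw)
    return int(addr) in (0, 0xFFFFFFFF) or addr.is_multicast

def validate_arp(frame):
    """Return the names of the failed checks; an empty list means it passes."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return ["not-arp"]
    op = struct.unpack("!H", frame[20:22])[0]
    # Only IPv4-over-Ethernet ARP requests (1) and responses (2) are handled.
    if frame[14:20] != b"\x00\x01\x08\x00\x06\x04" or op not in (1, 2):
        return ["not-arp"]
    eth_dst, eth_src = frame[0:6], frame[6:12]
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    failed = []
    if eth_src != sha:               # Source MAC: requests and responses
        failed.append("source-mac")
    if op == 2 and eth_dst != tha:   # Destination MAC: responses only (assumed field)
        failed.append("destination-mac")
    if bad_ip(spa) or bad_ip(tpa):   # IP Addresses: both body fields (assumed scope)
        failed.append("ip-address")
    return failed

# Constructed sample frames: locally administered MACs, documentation IPs.
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
SAMPLES = {
    "good request": build_frame("ff:ff:ff:ff:ff:ff", A, 1, A, "192.0.2.10",
                                "00:00:00:00:00:00", "192.0.2.1"),
    "good reply": build_frame(A, B, 2, B, "192.0.2.1", A, "192.0.2.10"),
    "forged sender": build_frame(A, B, 2, C, "192.0.2.1", A, "192.0.2.10"),
    "wrong target": build_frame(A, B, 2, B, "192.0.2.1", C, "192.0.2.10"),
    "multicast ip": build_frame(A, B, 2, B, "224.0.0.5", A, "192.0.2.10"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:14} -> {validate_arp(frame) or 'pass'}")
```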

Interaction Between ARP Inspection and DHCP Snooping

If DHCP Snooping is enabled, ARP Inspection uses the DHCP Snooping Binding
database in addition to the ARP access control rules. If DHCP Snooping is not
enabled, only the ARP access control rules are used.

ARP Defaults

ARP Defaults Table

Option                            Default State
Dynamic ARP Inspection            Not enabled
ARP Packet Validation             Not enabled
ARP Inspection Enabled on VLAN    Not enabled
Log Buffer Interval               SYSLOG message generation for dropped packets is enabled at a 5-second interval
