Cisco Catalyst 2960-X Security Configuration Manual page 282

Cisco IOS Release 15.0(2)EX

Performing Dynamic ARP Inspection Validation Checks
SUMMARY STEPS
1. enable
2. configure terminal
3. ip arp inspection validate {[src-mac] [dst-mac] [ip]}
4. exit
5. show ip arp inspection vlan vlan-range
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Example:
Switch> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Switch# configure terminal
Purpose: Enters the global configuration mode.

Step 3
Command or Action: ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Purpose: Performs a specific check on incoming ARP packets. By default, no checks are performed.
The keywords have these meanings:
• For src-mac, check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
• For dst-mac, check the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
• For ip, check the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.
You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
Configuring Dynamic ARP Inspection
OL-29048-01
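The three validation checks and the override rule from Step 3, modelled in Python as an added example (not Cisco code and not part of the original guide). The function names, the frame builder, and the sample frames are constructed for illustration; the model assumes untagged Ethernet frames carrying IPv4 ARP.

```python
import ipaddress
import struct

ALL = {"src-mac", "dst-mac", "ip"}

def effective_checks(commands):
    """Each 'ip arp inspection validate ...' line replaces the previous one."""
    active = set()
    for line in commands:
        words = line.split()
        if words[:4] == ["ip", "arp", "inspection", "validate"]:
            active = set(words[4:]) & ALL
    return active

def _bad_ip(raw):
    ip = ipaddress.IPv4Address(raw)
    return str(ip) in ("0.0.0.0", "255.255.255.255") or ip.is_multicast

def validate_arp(frame, checks):
    """Return the names of the enabled checks that the frame fails."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an untagged Ethernet ARP frame")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    oper = struct.unpack("!H", frame[20:22])[0]
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    is_reply = oper == 2  # 1 = request, 2 = response
    failed = []
    if "src-mac" in checks and eth_src != sha:  # requests and responses
        failed.append("src-mac")
    if "dst-mac" in checks and is_reply and eth_dst != tha:  # responses only
        failed.append("dst-mac")
    # Sender IP is always checked; target IP only in responses.
    if "ip" in checks and (_bad_ip(spa) or (is_reply and _bad_ip(tpa))):
        failed.append("ip")
    return failed

def build(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Construct a sample Ethernet/ARP frame (IPv4 over Ethernet)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (m(eth_dst) + m(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + m(sha) + ip(spa) + m(tha) + ip(tpa))

# Constructed sample frames (locally administered MACs, documentation IPs).
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
GOOD_REPLY = build(A, B, 2, B, "192.0.2.20", A, "192.0.2.10")
SPOOFED_REPLY = build(A, C, 2, B, "192.0.2.20", A, "192.0.2.10")  # Ethernet source C, ARP sender B
MCAST_REQUEST = build("ff:ff:ff:ff:ff:ff", A, 1, A, "192.0.2.10", "00:00:00:00:00:00", "224.0.0.1")
MCAST_REPLY = build(A, B, 2, B, "192.0.2.20", A, "224.0.0.1")
```

Passing the result of `effective_checks` for two successive commands into `validate_arp` shows why all wanted keywords belong on a single `ip arp inspection validate` line: a later `ip`-only command leaves the mismatched-source frame unflagged.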
