Enabling Or Disabling Additional Validation - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x
Configuring Dynamic ARP Inspection

Step 3
  Command or Action: [no] ip arp inspection trust
  Example:
    switch(config-if)# ip arp inspection trust
  Purpose: Configures the interface as a trusted ARP interface. The no option configures the interface as an untrusted ARP interface.

Step 4
  Command or Action: (Optional) show ip arp inspection interface type port/slot
  Example:
    switch(config-if)# show ip arp inspection interface ethernet 2/1
  Purpose: Displays the trust state and the ARP packet rate for the specified interface.

Step 5
  Command or Action: (Optional) copy running-config startup-config
  Example:
    switch(config-if)# copy running-config startup-config
  Purpose: Copies the running configuration to the startup configuration.

Enabling or Disabling Additional Validation

You can enable or disable additional validation of ARP packets. By default, no additional validation of ARP packets is enabled. When no additional validation is configured, the source MAC address and the source IP address check against the IP-to-MAC binding entry for ARP packets is performed by using the Ethernet source MAC address (not the ARP sender MAC address) and the ARP sender IP address.

DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can enable additional validation on the destination MAC address, the sender and target IP addresses, and the source MAC address.

You can use the following keywords with the ip arp inspection validate command to implement additional validations:

dst-mac
  Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

ip
  Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.

src-mac
  Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

When enabling additional validation, follow these guidelines:
• You must specify at least one of the keywords. You can specify one, two, or all three keywords.
• Each ip arp inspection validate command that you enter replaces the configuration from any previous commands. If you enter an ip arp inspection validate command to enable src-mac and dst-mac validations,
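The three keyword checks above are easy to misread (which frame header field is compared with which ARP body field, and which checks apply only to responses). The following Python model, added here as an illustration and not code from Cisco or NX-OS, parses Ethernet/ARP frames and applies the src-mac, dst-mac and ip checks exactly as the keyword descriptions state them; the host MAC/IP values and the sample frames are constructed for the example.

```python
"""Model of the DAI 'additional validation' checks (src-mac, dst-mac, ip)
applied to IPv4-over-Ethernet ARP frames. Added illustration, not NX-OS code."""
import ipaddress
import struct
from dataclasses import dataclass

ARP_ETHERTYPE = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
ETH_ARP_LEN = 14 + 28  # Ethernet II header + IPv4-over-Ethernet ARP body


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: bytes      # destination MAC in the Ethernet header
    eth_src: bytes      # source MAC in the Ethernet header
    oper: int           # 1 = request, 2 = reply
    sender_mac: bytes   # ARP body: sender hardware address
    sender_ip: str      # ARP body: sender protocol address
    target_mac: bytes   # ARP body: target hardware address
    target_ip: str      # ARP body: target protocol address


def mac(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_arp_frame(eth_dst, eth_src, oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Serialize an Ethernet II frame carrying an IPv4 ARP packet (constructed test input)."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ARP_ETHERTYPE)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                       target_mac, ipaddress.IPv4Address(target_ip).packed)
    return eth + body


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Decode the fields DAI compares; rejects anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ARP_ETHERTYPE:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:ETH_ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpFrame(eth_dst, eth_src, oper, sha, str(ipaddress.IPv4Address(spa)),
                    tha, str(ipaddress.IPv4Address(tpa)))


def is_invalid_ip(ip: str) -> bool:
    """The 'ip' keyword rejects 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


def additional_validation(frame: ArpFrame, *, src_mac=False, dst_mac=False, ip=False) -> list:
    """Return the list of failed checks; an empty list means the packet passes.
    With no keyword enabled nothing here runs, which mirrors the NX-OS default."""
    failures = []
    # src-mac: Ethernet source MAC vs ARP sender MAC, on requests and responses
    if src_mac and frame.eth_src != frame.sender_mac:
        failures.append("src-mac: Ethernet source MAC differs from ARP sender MAC")
    # dst-mac: Ethernet destination MAC vs ARP target MAC, on responses only
    if dst_mac and frame.oper == ARP_REPLY and frame.eth_dst != frame.target_mac:
        failures.append("dst-mac: Ethernet destination MAC differs from ARP target MAC")
    if ip:
        # sender IP is checked in requests and responses
        if is_invalid_ip(frame.sender_ip):
            failures.append(f"ip: invalid sender IP {frame.sender_ip}")
        # target IP is checked only in responses
        if frame.oper == ARP_REPLY and is_invalid_ip(frame.target_ip):
            failures.append(f"ip: invalid target IP {frame.target_ip}")
    return failures


# Constructed sample frames (hypothetical hosts A, B, C on 10.0.0.0/24).
A, B, C = mac("00:11:22:33:44:aa"), mac("00:11:22:33:44:bb"), mac("00:11:22:33:44:cc")
SAMPLES = {
    # well-formed reply from A to B: header and body agree
    "consistent_reply": build_arp_frame(B, A, ARP_REPLY, A, "10.0.0.1", B, "10.0.0.2"),
    # reply whose ARP sender MAC does not match the Ethernet source MAC
    "sender_mac_mismatch": build_arp_frame(B, A, ARP_REPLY, C, "10.0.0.1", B, "10.0.0.2"),
    # reply delivered to B at layer 2 but naming C as the ARP target
    "target_mac_mismatch": build_arp_frame(B, A, ARP_REPLY, A, "10.0.0.1", C, "10.0.0.2"),
    # broadcast request carrying sender IP 0.0.0.0
    "zero_sender_request": build_arp_frame(mac("ff:ff:ff:ff:ff:ff"), A, ARP_REQUEST, A,
                                           "0.0.0.0", mac("00:00:00:00:00:00"), "10.0.0.2"),
}


def run_samples(**keywords) -> dict:
    """Apply the selected validations to every sample; returns name -> list of failures."""
    return {name: additional_validation(parse_arp_frame(raw), **keywords)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, failures in run_samples(src_mac=True, dst_mac=True, ip=True).items():
        print(f"{name:22s} {'DROP' if failures else 'pass'} {failures}")
```

Running the block with all three keywords drops three of the four samples and passes only the consistent reply; calling run_samples() with no keywords passes all four, which is the default state described above. The zero-sender sample is worth noting when planning a deployment: RFC 5227 address-conflict probes carry a sender IP of 0.0.0.0, so enabling the ip keyword classifies them as invalid, and the DAI drop counters and log should be reviewed after enabling it on a segment where hosts send such probes.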
