Performing Validation Checks - Cisco ME 3400G-2CS - Ethernet Access Switch Software Configuration Manual

Configuring Dynamic ARP Inspection

Performing Validation Checks

Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address
bindings. You can configure the switch to perform additional checks on the destination MAC address,
the sender and target IP addresses, and the source MAC address.

Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP
packets. This procedure is optional.

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Purpose: Perform a specific check on incoming ARP packets. By default, no checks
are performed.
The keywords have these meanings:
- For src-mac, check the source MAC address in the Ethernet header
  against the sender MAC address in the ARP body. This check is
  performed on both ARP requests and responses. When enabled, packets
  with different MAC addresses are classified as invalid and are dropped.
- For dst-mac, check the destination MAC address in the Ethernet header
  against the target MAC address in the ARP body. This check is performed
  for ARP responses. When enabled, packets with different MAC
  addresses are classified as invalid and are dropped.
- For ip, check the ARP body for invalid and unexpected IP addresses.
  Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast
  addresses. Sender IP addresses are checked in all ARP requests and
  responses, and target IP addresses are checked only in ARP responses.
You must specify at least one of the keywords. Each command overrides the
configuration of the previous command; that is, if a command enables src
and dst mac validations, and a second command enables IP validation only,
the src and dst mac validations are disabled as a result of the second
command.

Step 3
Command: exit
Purpose: Return to privileged EXEC mode.

Step 4
Command: show ip arp inspection vlan vlan-range
Purpose: Verify your settings.

Step 5
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global
configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure
packets, use the show ip arp inspection statistics privileged EXEC command.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide, Chapter 19: Configuring Dynamic ARP Inspection, 78-17058-01
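
The three keyword checks from Step 2, modelled in Python as an added example. This is not code from the Cisco guide and not the switch's implementation. The function names and sample frames are constructed for illustration, untagged Ethernet II framing is assumed, and the binding-table check is not modelled.

```python
import ipaddress
import struct

ALL = {"src-mac", "dst-mac", "ip"}  # every keyword given in one command

def bad_ip(raw):
    """True for 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    ip = ipaddress.IPv4Address(raw)
    return ip.is_unspecified or ip.is_multicast or int(ip) == 0xFFFFFFFF

def validate_arp(frame, checks):
    """Return the enabled checks that an Ethernet/ARP frame fails."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an untagged Ethernet ARP frame")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    # ARP body: opcode, sender MAC/IP, target MAC/IP
    oper, sha, spa, tha, tpa = struct.unpack("!H6s4s6s4s", frame[20:42])
    is_reply = oper == 2
    failed = []
    if "src-mac" in checks and eth_src != sha:               # requests and responses
        failed.append("src-mac")
    if "dst-mac" in checks and is_reply and eth_dst != tha:  # responses only
        failed.append("dst-mac")
    # sender IP is always checked, target IP only in responses
    if "ip" in checks and (bad_ip(spa) or (is_reply and bad_ip(tpa))):
        failed.append("ip")
    return failed

def build(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a constructed ARP frame (sample data, not captured traffic)."""
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return (eth_dst + eth_src + b"\x08\x06" + hdr + sha
            + ipaddress.IPv4Address(spa).packed + tha
            + ipaddress.IPv4Address(tpa).packed)

# Constructed sample hosts and frames
A, B, C = (bytes.fromhex("02000000000" + n) for n in "123")
GOOD_REPLY = build(A, B, 2, B, "10.0.0.2", A, "10.0.0.1")
SPOOFED_REPLY = build(A, C, 2, B, "10.0.0.2", A, "10.0.0.1")  # Ethernet source != sender MAC
REQUEST = build(b"\xff" * 6, B, 1, B, "10.0.0.2", bytes(6), "0.0.0.0")
BAD_REPLY = build(A, B, 2, B, "224.0.0.5", C, "10.0.0.1")  # multicast sender IP, wrong target MAC

if __name__ == "__main__":
    for name in ("GOOD_REPLY", "SPOOFED_REPLY", "REQUEST", "BAD_REPLY"):
        print(name, validate_arp(globals()[name], ALL))
    # A later command with only "ip" replaces the earlier MAC checks:
    print("SPOOFED_REPLY, ip only:", validate_arp(SPOOFED_REPLY, {"ip"}))
```

The last call shows the override behaviour described in Step 2: with only ip enabled, the frame with the mismatched source MAC is no longer flagged.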
