Cisco WS-C6506 Software Manual page 431

Catalyst 6500 series switch
Chapter 15
Configuring Access Control
ACL 'ACL4' successfully committed.
Dropping Packets Without Matching MAC Addresses
To drop the packets where the source Ethernet MAC address (in the Ethernet header) is not the same as the source MAC address in the ARP header, perform this task in privileged mode. If you do not specify the drop keyword, the packet is not dropped but a syslog message is displayed. Use the log keyword to send the packets to the VACL logging facility.

Tip  In most cases, using the match-mac clause to prevent ARP spoofing does not negate the need to create a specific ARP-inspection ACL for each VLAN. The match-mac clause does not catch the more sophisticated ARP table attacks. Most ARP spoofers change the source MAC address in the Ethernet header to match the address in the ARP payload.
        Task                                                          Command
Step 1  Identify or drop the packets without the matching MAC         set security acl arp-inspection match-mac
        addresses.                                                    {enable [drop [log]] | disable}
Step 2  Commit the VACL.                                              commit security acl {acl_name | all | adjacency}
Step 3  Display the configuration.                                    show security acl arp-inspection config

This example shows how to drop the packets where the source Ethernet MAC address is not the same as the source MAC address in the ARP header:
Console> (enable) set security acl arp-inspection match-mac enable drop
ARP Inspection match-mac feature enabled with drop option.
Console> (enable)
Console> (enable) show security acl arp-inspection config
Match-mac feature is enabled with drop option.
Address-validation feature is disabled.
Dynamic ARP Inspection is disabled on vlan(s) 1.
Dynamic ARP Inspection is disabled on ports 5/1-48,7/1-2.
Logging for Dynamic ARP Inspection rules is disabled.
Console> (enable)

Dropping Packets with Invalid MAC or IP Addresses
The following MAC addresses are invalid:
• 00-00-00-00-00-00
• Multicast MAC addresses (the 48th bit is set)
• ff-ff-ff-ff-ff-ff (this is a special-case multicast MAC address)
The following IP addresses are invalid:
• 0.0.0.0
• 255.255.255.255
• Class D (multicast) IP addresses

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7    OL-8978-04
Using VACLs in Your Network
15-35
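The match-mac and address-validation checks this page describes, as an added Python model (example code, not from the guide or from the switch software): it parses an Ethernet/ARP frame, compares the Ethernet source MAC with the ARP sender MAC, and flags the invalid MAC and IP values listed above. Which ARP fields the address check applies to in requests versus replies is an assumption, as are the sample addresses.

```python
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2
ZERO_MAC, BCAST_MAC = bytes(6), b"\xff" * 6

def mac_str(mac: bytes) -> str:
    return "-".join(f"{b:02x}" for b in mac)

def invalid_mac(mac: bytes) -> bool:
    """All-zero, ff-ff-ff-ff-ff-ff, or any multicast address (I/G bit of the first octet set)."""
    return mac in (ZERO_MAC, BCAST_MAC) or bool(mac[0] & 0x01)

def invalid_ip(ip: bytes) -> bool:
    """0.0.0.0, 255.255.255.255, or a Class D (multicast) address."""
    addr = IPv4Address(ip)
    return addr in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or addr.is_multicast

def inspect_arp(frame: bytes, match_mac: bool = True, address_validation: bool = True) -> str:
    """Return 'permit', or the reason the switch would drop (or, without 'drop', only log) the frame."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return "drop: truncated frame"
    _dst, eth_src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return "permit"                     # not ARP, so not subject to ARP inspection
    *_hdr, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if match_mac and eth_src != sha:
        return f"match-mac: ethernet src {mac_str(eth_src)} != arp sender {mac_str(sha)}"
    if address_validation:
        # Assumption: target MAC/IP are checked only in replies, since a request's target MAC is unset.
        if invalid_mac(sha) or (op == ARP_REPLY and invalid_mac(tha)):
            return "address-validation: invalid MAC"
        if invalid_ip(spa) or (op == ARP_REPLY and invalid_ip(tpa)):
            return "address-validation: invalid IP"
    return "permit"

def build_arp(eth_src: bytes, sha: bytes, spa: str, tha: bytes, tpa: str,
              op: int = 1, eth_dst: bytes = BCAST_MAC) -> bytes:
    """Construct a test frame (Ethernet II + ARP for IPv4 over Ethernet)."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)

# Constructed sample addresses, not taken from the guide.
HOST_MAC, OTHER_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    print(inspect_arp(build_arp(HOST_MAC, HOST_MAC, "10.0.0.5", ZERO_MAC, "10.0.0.1")))   # permit
```

A frame whose Ethernet source already equals the forged ARP sender MAC passes the match-mac check, which is the gap the Tip above refers to and why a per-VLAN ARP-inspection ACL is still needed.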
