Cisco WS-C6506 Software Manual page 432

Using VACLs in Your Network
To drop the packets with invalid MAC or IP addresses, perform this task in privileged mode (if you do
not specify the drop keyword, the packet is not dropped but a syslog message is displayed):
Task
Step 1 Drop the packets with the invalid MAC or IP
addresses.
Step 2 Commit the VACL.
Step 3 Display the configuration.
This example shows how to drop the packets with the invalid MAC or IP addresses:
Console> (enable) set security acl arp-inspection address-validation enable drop
ARP Inspection address-validation feature enabled with drop option.
Console> (enable)
Console> (enable) show security acl arp-inspection config
Address-validation feature is enabled with drop option.
Console> (enable)
Displaying ARP Traffic-Inspection Statistics
To display the number of packets that are permitted and denied by the ARP traffic-inspection task, perform
this task in normal mode:
Task
Display the number of packets that are permitted and
denied by the ARP traffic-inspection task.
You can enter the show security acl commands to display certain ARP traffic-inspection configuration
Note
information.
This example shows how to display the number of packets that are permitted and denied by the ARP
traffic-inspection task:
Console> (enable) show security acl arp-inspection statistics
ARP Inspection statistics
Packets forwarded = 0
Packets dropped = 0
RARP packets (forwarded) = 0
Packets for which Match-mac failed = 0
Packets for which Address Validation failed = 0
IP packets dropped = 0
Console> (enable)
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
15-36
Chapter 15
Command
set security acl arp-inspection address-validation
{enable [drop [log]] | disable}
commit security acl {acl_name | all | adjacency}
show security acl arp-inspection config
Command
show security acl arp-inspection statistics
[acl_name]
Configuring Access Control
OL-8978-04