set arpinspection validate
Usage
Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is
independent of the trust configuration for DHCP snooping. A trusted port is a port the network
administrator does not consider to be a security threat. An untrusted port is one which could
potentially be used to launch a network attack.
DAI considers all physical ports and LAGs untrusted by default. Packets arriving on trusted
interfaces bypass all DAI validation checks.
Example
This example enables port ge.1.1 as trusted for DAI.
C3(su)->set arpinspection trust port ge.1.1 enable
set arpinspection validate
Use this command to configure additional optional ARP validation parameters.
Syntax
set arpinspection validate {[src-mac] [dst-mac] [ip]}
Parameters
src-mac    Specifies that DAI should verify that the sender MAC address equals the source MAC
           address in the Ethernet header.
dst-mac    Specifies that DAI should verify that the target MAC address equals the destination
           MAC address in the Ethernet header. This check only applies to ARP responses, since
           the target MAC address is unspecified in ARP requests.
ip         Specifies that DAI should check the IP address and drop ARP packets with an invalid
           address. An invalid address is one of the following:
           • 0.0.0.0
           • 255.255.255.255
           • All IP multicast addresses
           • All class E addresses (240.0.0.0/4)
           • Loopback addresses (in the range 127.0.0.0/8)
Defaults
All parameters are optional, but at least one parameter must be specified.
Mode
Switch command, read-write.
Usage
This command adds additional validation of ARP packets by DAI, beyond the basic validation
that the ARP packet's sender MAC address and sender IP address match an entry in the DHCP
snooping bindings database.
17-22 DHCP Snooping and Dynamic ARP Inspection
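The three optional checks above, modelled as an added example in Python (this is not the switch's code). It parses a constructed Ethernet/ARP frame and reports which enabled validations fail; the src-mac and dst-mac rules follow the parameter descriptions exactly, and for the ip option it is assumed that the sender IP is checked on every ARP packet and the target IP only on responses.

```python
import ipaddress
import struct

# Ethernet II header (dst, src, ethertype) and the ARP body (RFC 826 layout).
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ARP_REPLY = 2

def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa) -> bytes:
    """Build a constructed (not captured) Ethernet/ARP frame for testing."""
    return (ETH_HDR.pack(eth_dst, eth_src, 0x0806)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa))

def parse_arp(frame: bytes) -> dict:
    """Return the Ethernet and ARP fields that DAI validation compares."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": src, "eth_dst": dst, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def invalid_ip(raw: bytes) -> bool:
    """The address classes the 'ip' option treats as invalid."""
    ip = ipaddress.IPv4Address(raw)
    return (ip == ipaddress.IPv4Address("0.0.0.0")
            or ip == ipaddress.IPv4Address("255.255.255.255")
            or ip.is_multicast                              # 224.0.0.0/4
            or ip in ipaddress.IPv4Network("240.0.0.0/4")   # class E
            or ip.is_loopback)                              # 127.0.0.0/8

def dai_validate(frame: bytes, src_mac=False, dst_mac=False, ip=False) -> list:
    """Names of the enabled checks the frame fails; an empty list means it passes."""
    p = parse_arp(frame)
    failures = []
    # src-mac: ARP sender MAC must equal the Ethernet source MAC.
    if src_mac and p["sha"] != p["eth_src"]:
        failures.append("src-mac")
    # dst-mac: only meaningful on replies, where the target MAC is filled in.
    if dst_mac and p["op"] == ARP_REPLY and p["tha"] != p["eth_dst"]:
        failures.append("dst-mac")
    # ip: sender IP always; target IP on replies only (assumption, see lead-in).
    if ip and (invalid_ip(p["spa"]) or
               (p["op"] == ARP_REPLY and invalid_ip(p["tpa"]))):
        failures.append("ip")
    return failures
```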