| Security Measures
C
13
HAPTER
ARP Inspection
C
G
ONFIGURING
LOBAL
S
ARP
ETTINGS FOR
I
NSPECTION
When ARP Inspection is disabled, all ARP request and reply packets
■
will bypass the ARP Inspection engine and their switching behavior
will match that of all other packets.
Disabling and then re-enabling global ARP Inspection will not affect
■
the ARP Inspection configuration of any VLANs.
When ARP Inspection is disabled globally, it is still possible to
■
configure ARP Inspection for individual VLANs. These configuration
changes will only become active after ARP Inspection is enabled
globally again.
The ARP Inspection engine in the current firmware version does not
◆
support ARP Inspection on trunk ports.
Use the Security > ARP Inspection (Configure General) page to enable ARP
inspection globally for the switch, to validate address information in each
packet, and configure logging.
CLI R
EFERENCES
"ARP Inspection" on page 738
◆
C
U
OMMAND
SAGE
ARP Inspection Validation
By default, ARP Inspection Validation is disabled.
◆
Specifying at least one of the following validations enables ARP
◆
Inspection Validation globally. Any combination of the following checks
can be active concurrently.
Destination MAC – Checks the destination MAC address in the
■
Ethernet header against the target MAC address in the ARP body.
This check is performed for ARP responses. When enabled, packets
with different MAC addresses are classified as invalid and are
dropped.
IP – Checks the ARP body for invalid and unexpected IP addresses.
■
These addresses include 0.0.0.0, 255.255.255.255, and all IP
multicast addresses. Sender IP addresses are checked in all ARP
requests and responses, while target IP addresses are checked only
in ARP responses.
Source MAC – Checks the source MAC address in the Ethernet
■
header against the sender MAC address in the ARP body. This check
is performed on both ARP requests and responses. When enabled,
packets with different MAC addresses are classified as invalid and
are dropped.
– 302 –