22-13
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 22 Configuring Dynamic ARP Inspection
Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP
packets. This procedure is optional.

Step    Command
        Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  ip arp inspection validate {[src-mac] [dst-mac] [ip]}
        Perform a specific check on incoming ARP packets. By default, no checks
        are performed.
        The keywords have these meanings:
        - For src-mac, check the source MAC address in the Ethernet header
          against the sender MAC address in the ARP body. This check is
          performed on both ARP requests and responses. When enabled, packets
          with different MAC addresses are classified as invalid and are dropped.
        - For dst-mac, check the destination MAC address in the Ethernet header
          against the target MAC address in the ARP body. This check is performed
          for ARP responses. When enabled, packets with different MAC
          addresses are classified as invalid and are dropped.
        - For ip, check the ARP body for invalid and unexpected IP addresses.
          Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast
          addresses. Sender IP addresses are checked in all ARP requests and
          responses, and target IP addresses are checked only in ARP responses.
        You must specify at least one of the keywords. Each command overrides the
        configuration of the previous command; that is, if a command enables src
        and dst mac validations, and a second command enables IP validation only,
        the src and dst mac validations are disabled as a result of the second
        command.

Step 3  exit
        Return to privileged EXEC mode.

Step 4  show ip arp inspection vlan vlan-range
        Verify your settings.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global
configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure
packets, use the show ip arp inspection statistics privileged EXEC command.

Configuring the Log Buffer

When the switch drops a packet, it places an entry in the log buffer and then generates system messages
on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer.
Each log entry contains flow information, such as the receiving VLAN, the port number, the source and
destination IP addresses, and the source and destination MAC addresses.
A log-buffer entry can represent more than one packet. For example, if an interface receives many
packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry
in the log buffer and generates a single system message for the entry.
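
Added example (not part of the Cisco guide and not Cisco code): a Python model of the src-mac, dst-mac, and ip checks described in this section, and of how repeated drops of the same flow share one log-buffer entry. The field names, the log-entry key, and the sample packets are assumptions constructed for illustration.

```python
# Added illustration (not Cisco code): models the three validate checks and
# how repeated drops share one log-buffer entry. All names are assumptions.
import ipaddress
from collections import Counter, namedtuple

Arp = namedtuple("Arp", "vlan port eth_src eth_dst op smac sip tmac tip")
REQUEST, REPLY = 1, 2

def bad_ip(addr):
    """True for 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    ip = ipaddress.IPv4Address(addr)
    return addr in ("0.0.0.0", "255.255.255.255") or ip.is_multicast

def validate(pkt, checks):
    """Return the keyword of the first failed check, or None if the packet passes."""
    if "src-mac" in checks and pkt.eth_src != pkt.smac:
        return "src-mac"          # applies to requests and responses
    if "dst-mac" in checks and pkt.op == REPLY and pkt.eth_dst != pkt.tmac:
        return "dst-mac"          # applies to responses only
    if "ip" in checks and (bad_ip(pkt.sip) or (pkt.op == REPLY and bad_ip(pkt.tip))):
        return "ip"               # sender IP always; target IP in responses only
    return None

def inspect(packets, checks):
    """Count dropped packets per log entry; identical flows collapse into one."""
    log = Counter()
    for p in packets:
        reason = validate(p, checks)
        if reason:
            log[(p.vlan, p.port, p.smac, p.sip, p.tmac, p.tip, reason)] += 1
    return log

# Constructed sample traffic on VLAN 10 (MAC and IP addresses are made up).
A, B, C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLE = [
    Arp(10, "Gi1/0/1", A, BCAST, REQUEST, A, "192.0.2.5", ZERO, "192.0.2.1"),  # clean request
    Arp(10, "Gi1/0/3", C, A, REPLY, C, "224.0.0.1", A, "192.0.2.5"),  # multicast sender IP
] + [Arp(10, "Gi1/0/2", B, A, REPLY, C, "192.0.2.1", A, "192.0.2.5")] * 3  # sender MAC != Ethernet source

if __name__ == "__main__":
    for checks in ({"src-mac", "dst-mac"}, {"ip"}):   # second set replaces the first
        print(sorted(checks), dict(inspect(SAMPLE, checks)))
```

With only the ip check active, the three replies whose sender MAC differs from the Ethernet source are no longer dropped, which is the effect of a second validate command replacing the first.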