Chapter 23 Configuring Dynamic ARP Inspection

Configuring Dynamic ARP Inspection

Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.

 

Step / Command / Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   ip arp inspection validate {[src-mac] [dst-mac] [ip]}
         Perform a specific check on incoming ARP packets. By default, no checks are performed.

         The keywords have these meanings:

         • For src-mac, check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

         • For dst-mac, check the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed only for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

         • For ip, check the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses; target IP addresses are checked only in ARP responses.

         You must specify at least one of the keywords. Each command overrides the configuration of the previous command rather than adding to it; that is, if one command enables the src-mac and dst-mac validations and a second command enables the ip validation only, the src-mac and dst-mac validations are disabled as a result of the second command. To enable several checks, list all of their keywords in a single command.

Step 3   exit
         Return to privileged EXEC mode.

Step 4   show ip arp inspection vlan vlan-range
         Verify your settings.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.


To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.

Configuring the Log Buffer

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.
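The following Python model is an added example, not Cisco code and not the switch's implementation. It reimplements the three validate checks described in Step 2 above on raw Ethernet/ARP frames, so you can see exactly which header fields are compared and for which ARP opcodes, and it groups dropped frames by flow the way the log buffer described above does. All frames, the VLAN number and the port name Gi1/0/5 are constructed sample data.

```python
import ipaddress
import struct
from collections import Counter

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# Addresses the text lists as invalid for the ip check (multicast is tested separately).
INVALID_IPS = {ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")}


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp(eth_dst, eth_src, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP frame (constructed sample input, not a capture)."""
    eth = _mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4, hlen 6, plen 4
    arp += _mac(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += _mac(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Extract the Ethernet header and ARP body fields that the validate checks compare."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    return {
        "eth_dst": frame[0:6],
        "eth_src": frame[6:12],
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": frame[22:28],
        "sender_ip": ipaddress.IPv4Address(frame[28:32]),
        "target_mac": frame[32:38],
        "target_ip": ipaddress.IPv4Address(frame[38:42]),
    }


def invalid_ip(addr):
    """The ip keyword rejects 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    return addr in INVALID_IPS or addr.is_multicast


def validate(frame, checks):
    """Apply the enabled checks (a set drawn from 'src-mac', 'dst-mac', 'ip').

    Returns None when the frame passes, otherwise the name of the check it failed.
    """
    p = parse_arp(frame)
    # src-mac: Ethernet source vs ARP sender MAC, on both requests and replies.
    if "src-mac" in checks and p["eth_src"] != p["sender_mac"]:
        return "src-mac"
    # dst-mac: Ethernet destination vs ARP target MAC, on replies only
    # (a request is broadcast and its target MAC is not yet known).
    if "dst-mac" in checks and p["op"] == ARP_REPLY and p["eth_dst"] != p["target_mac"]:
        return "dst-mac"
    if "ip" in checks:
        # Sender IP is checked in every ARP packet, target IP only in replies.
        if invalid_ip(p["sender_ip"]):
            return "ip"
        if p["op"] == ARP_REPLY and invalid_ip(p["target_ip"]):
            return "ip"
    return None


def log_buffer(drops):
    """Aggregate dropped frames the way the log buffer does.

    drops is an iterable of (vlan, port, frame). Frames sharing VLAN, port,
    sender/target IP and Ethernet source/destination MAC collapse into one
    entry whose value is the number of packets that entry represents.
    """
    entries = Counter()
    for vlan, port, frame in drops:
        p = parse_arp(frame)
        key = (vlan, port, str(p["sender_ip"]), str(p["target_ip"]),
               p["eth_src"].hex(":"), p["eth_dst"].hex(":"))
        entries[key] += 1
    return entries


if __name__ == "__main__":
    # A reply whose Ethernet source does not match the ARP sender MAC (constructed).
    spoof = build_arp("aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", ARP_REPLY,
                      "cc:cc:cc:cc:cc:03", "10.0.0.2", "aa:aa:aa:aa:aa:01", "10.0.0.1")
    print(validate(spoof, {"src-mac", "dst-mac", "ip"}))  # src-mac
    # VLAN 10 and port Gi1/0/5 are hypothetical.
    print(log_buffer([(10, "Gi1/0/5", spoof), (10, "Gi1/0/5", spoof)]))
```

One consequence of the ip rule worth knowing before enabling it: an ARP probe used for duplicate-address detection carries a sender IP of 0.0.0.0 in a request, and because sender IP addresses are checked in all requests, the model (and the rule as the text states it) classifies such probes as invalid.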

 

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

23-12

OL-9775-02
