Cisco Systems 78-15328-01 set security acl arp-inspection

2-506

Catalyst 6500 Series Switch Command Reference—Release7.6

78-15328-01

Chapter2 Catalyst 6500 Series Switch and ROM Monitor Commands

set security acl arp-inspection

set security acl arp-inspection

To configure Address Resolution Protocol (ARP) inspection features, use the set security acl

arp-inspection command.

set security acl arp-inspection {match-mac | address-validation}

{enable | [drop [log]] | disable}

Syntax Description

Defaults The MAC address matching feature and the address validation feature are disab led.

Command Types Switch command.

Command Modes Privileged.

Usage Guidelines When you enter the set security acl arp-inspection match-mac enable command, the system drops

packets in which the source Ethernet address in the Ethernet header is not the same as the source MAC

address in the ARP header.

When you enter the set security acl arp-inspection address-validation enable command, the system

drops packets that have illegal IP or MAC addresses.

The following IP addresses are illegal:

•0.0.0.0

•255.255.255.255

•Class D multicast IP addresses

The following MAC addresses are illegal:

•00-00-00-00-00-00

•Multicast MAC addresses

•ff-ff-ff-ff-ff-ff

Note If you do not enter the drop keyword, the system only generates a syslog message.

match-mac Specifies the MAC address matching feature.

address-validation Specifies the address validation feature.

enable Enables the specified ARP inspection feature.

drop (Optional) Indicates to drop packets.

log (Optional) Enables logging.

disable Disables the specified ARP inspection feature.

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page xxiv A Acronyms Preface Audience Organization Related Documentation Conventions Obtaining Documentation Cisco.com Documentation CD-ROM Ordering Documentation Documentation Feedback Obtaining Technical Assistance Cisco.com Technical Assistance Center Cisco TAC Website Cisco TAC Escalation Center Obtaining Additional Publications and Information CHAPTER Command-Line Interfaces Switch CLI Accessing the Switch CLI Accessing the Switch CLI Through the Console Port (EIA/TIA-232) Accessing the Switch CLI Through Telnet Operating the Switch CLI Accessing the Command Modes Using Command-Line Processing Using the Command-Line Editing Features Moving Around on the Command Line Completing a Partial Command Name Pasting in Buffer Entries Editing Command Lines That Wrap Deleting Entries Scrolling Down a Line or a Screen Scrolling to Specified Text Redisplaying the Current Command Line Transposing Mistyped Characters Controlling Capitalization Designating a Keystroke as a Command Entry Using Command Aliases Using History Substitution 1-9 Accessing Command Help Top-Level Commands and Command Categories Command Categories Context-Sensitive Help Designating Modules, Ports, and VLANs Designating MAC Addresses, IP and IPX Addresses, and IP Aliases Using Command Completion Features Using Command Self-Repeat Using Keyword Lookup Using Partial Keyword Lookup Using Command Completion ROM Monitor CLI Accessing the ROM Monitor CLI Operating the ROM Monitor CLI Page CHAPTER Catalyst 6500 Series Switch and ROM Monitor Commands alias Page boot cd clear acllog clear alias clear arp clear banner motd clear boot auto-config clear boot device clear boot system clear cam clear cam notification clear channel statistics clear config Page clear config pvlan clear cops Page clear counters clear crypto key rsa clear dot1x config clear dot1x guest-vlan clear gmrp statistics clear gvrp statistics clear igmp statistics clear ip alias clear ip dns domain clear ip dns server clear ip permit Page clear ip route clear kerberos clients mandatory clear kerberos credentials forward clear kerberos creds clear kerberos realm clear kerberos server clear key config-key clear l2protocol-tunnel cos clear l2protocol-tunnel statistics clear lacp-channel statistics clear lda Page clear localuser clear log clear log command clear logging buffer clear logging level Page clear logging server clear mls cef clear mls entry Page clear mls entry cef adjacency clear mls exclude protocol clear mls multicast statistics clear mls nde flow clear mls statistics Page clear mls statistics entry Page clear module password clear multicast router clear ntp server clear ntp timezone clear pbf clear pbf-map Page clear port broadcast clear port cops clear port host clear port qos cos clear port security clear pvlan mapping clear qos acl Page clear qos config clear qos cos-dscp-map clear qos dscp-cos-map clear qos ipprec-dscp-map clear qos mac-cos clear qos map Page clear qos policed-dscp-map clear qos policer Page clear qos statistics clear radius clear rcp clear rgmp statistics clear security acl Page clear security acl capture-ports clear security acl log flow clear security acl map Page clear snmp access clear snmp access-list clear snmp community clear snmp community-ext clear snmp group clear snmp ifalias clear snmp notify clear snmp targetaddr clear snmp targetparams clear snmp trap clear snmp user clear snmp view clear spantree detected-protocols clear spantree mst clear spantree portcost clear spantree portinstancecost Page clear spantree portinstancepri clear spantree portpri clear spantree portvlancost Page clear spantree portvlanpri clear spantree root Page clear spantree statistics Page clear spantree uplinkfast clear tacacs key clear tacacs server clear timezone clear top clear trunk clear vlan Page clear vlan counters clear vlan mapping Page clear vmps rcp clear vmps server clear vmps statistics clear vtp pruneeligible clear vtp statistics commit Page commit lda configure 2-144 Related Commands copy show config confreg 2-146 Related Commands show boot context 2-148 copy Page 2-151 These examples show how to use the copy command to download a configuration from a TFTP server: 2-152 This example shows how to copy the running configuration to an rcp server for stora ge: 2-153 This example shows how to upload an image from a remote host into Flash using an rcp server: This example shows how to copy the ACL configuration to a bootflash file manually: Page delete dev dirROM monitor dirswitch Page disable disconnect download Page 2-164 This example shows how to download a ROM image to module 9: 2-165 This example shows how to upgrade the EPLD image in force mode on the module in slot 5: enable format Page frame fsck Page historyROM monitor historyswitch l2trace Page Page meminfo ping Page Page pwd quit reconfirm vmps reload repeat 2-186 resetROM monitor resetswitch Page Page 2F2 restore counters rollback session set set accounting commands set accounting connect set accounting exec Page set accounting suppress set accounting system Page set accounting update set acllog ratelimit set aclmerge algo set aclmerge bdd set alias set arp Page set authentication enable Page set authentication login Page set authorization commands Page set authorization enable Page set authorization exec Page set banner lcd set banner motd set banner telnet set boot auto-config set boot config-register Page Page set boot config-register auto-config Page Page set boot device Page set boot sync now set boot system flash Page set cam Page set cam notification Page Page set cdp Page set channelprotocol Page set channel vlancost Page set config acl nvram set config mode Page set cops Page set crypto key rsa set default portstatus set dot1q-all-tagged set dot1x Page Page set enablepass set errdisable-timeout Page set errordetection Page set feature agg-link-partner set feature dot1x-radius-keepalive set feature mdg set garp timer set gmrp set gmrp fwdall set gmrp registration set gmrp timer Page set gvrp set gvrp applicant set gvrp dynamic-vlan-creation set gvrp registration Page set gvrp timer Page set igmp set igmp fastblock set igmp fastleave set igmp flooding set igmp leave-query-type set igmp mode set igmp ratelimit Page set igmp querier Page set igmp v3-processing set inlinepower defaultallocation set interface Page Page set ip alias set ip dns set ip dns domain set ip dns server set ip fragmentation set ip http port set ip http server set ip permit Page set ip redirect set ip route 2-303 Related Commands clear ip route show ip route set ip unreachable set kerberos clients mandatory set kerberos credentials forward set kerberos local-realm set kerberos realm set kerberos server set kerberos srvtab entry Page set kerberos srvtab remote set key config-key set l2protocol-tunnel cos set l2protocol-tunnel trunk set lacp-channel system-priority set lcperroraction set lda Page Page set length set localuser Page set logging buffer set logging console set logging history set logging level Page Page set logging server Page set logging session set logging telnet set logging timestamp set logout set mls agingtime Page Page set mls bridged-flow-statistics set mls cef load-balance set mls cef per-prefix-statistics set mls exclude protocol set mls flow Page set mls nde Page Page Page set mls rate set mls statistics protocol set mls verify Page set module Page set module name set module power set module shutdown set msfcautostate Page set msmautostate set multicast router set ntp broadcastclient set ntp broadcastdelay set ntp client set ntp server set ntp summertime Page set ntp timezone set password set pbf Page set pbf-map Page set port arp-inspection set port auxiliaryvlan Page set port broadcast Page set port channel Page Page set port cops set port debounce Page set port disable set port dot1q-all-tagged Page set port dot1qtunnel Page set port dot1x Page Page set port duplex set port enable set port errdisable-timeout set port flowcontrol Page set port gmrp set port gvrp Page set port host set port inlinepower set port jumbo set port l2protocol-tunnel Page set port lacp-channel Page set port macro 2-409 This example shows how to execute the Cisco Softphone configuration macro: Page set port membership Page set port name set port negotiation set port protocol Page set port qos Page set port qos autoqos Page set port qos cos set port qos policy-source Page set port qos trust Page set port qos trust-device set port qos trust-ext set port rsvp dsbm-election set port security Page Page set port speed set port sync-restart-delay set port trap set port unicast-flood Page set port voice interface dhcp Page set power redundancy set prompt set protocolfilter set pvlan Page set pvlan mapping Page set qos set qos acl default-action Page set qos acl ip Page Page Page Page set qos acl ipx Page Page set qos acl mac Page set qos acl map Page set qos autoqos set qos bridged-microflow-policing set qos cos-dscp-map set qos drop-threshold Page set qos dscp-cos-map set qos ipprec-dscp-map Page set qos mac-cos set qos map Page Page set qos policed-dscp-map set qos policer Page Page set qos policy-source Page set qos rsvp Page set qos rxq-ratio Page set qos statistics export set qos statistics export aggregate set qos statistics export destination set qos statistics export interval set qos statistics export port set qos txq-ratio Page set qos wred Page set qos wrr Page set radius attribute set radius deadtime set radius key set radius retransmit set radius server set radius timeout set rcp username set rgmp set rspan Page Page set security acl adjacency set security acl arp-inspection Page set security acl capture-ports set security acl feature ratelimit set security acl ip Page Page Page Page Page set security acl ipx Page Page set security acl log set security acl mac Page set security acl map Page set snmp set snmp access Page set snmp access-list Page set snmp buffer set snmp chassis-alias set snmp community Page set snmp community-ext Page set snmp extendedrmon netflow set snmp group set snmp ifalias set snmp notify set snmp rmon set snmp rmonmemory set snmp targetaddr Page set snmp targetparams Page set snmp trap Page Page set snmp user Page set snmp view Page set span Page Page set spantree backbonefast set spantree bpdu-filter set spantree bpdu-guard set spantree bpdu-skewing set spantree channelcost Page set spantree channelvlancost set spantree defaultcostmode Page set spantree disable Page set spantree enable Page set spantree fwddelay Page set spantree global-default Page set spantree guard Page set spantree hello Page set spantree link-type set spantree macreduction set spantree maxage Page set spantree mode Page set spantree mst set spantree mst config Page set spantree mst link-type set spantree mst maxhops set spantree mst vlan set spantree portcost Page set spantree portfast Page set spantree portfast bpdu-filter set spantree portfast bpdu-guard set spantree portinstancecost Page set spantree portinstancepri Page set spantree portpri set spantree portvlancost Page Page set spantree portvlanpri Page set spantree priority Page set spantree root Page Page set spantree uplinkfast Page set summertime Page set system baud set system contact set system core-dump set system core-file set system countrycode set system crossbar-fallback set system highavailability set system highavailability versioning Page set system location set system modem set system name set system supervisor-update Page set system switchmode allow Page set system syslog-dump set system syslog-file set tacacs attempts set tacacs directedrequest set tacacs key set tacacs server set tacacs timeout set test diagfail-action set test diaglevel set time set timezone set traffic monitor set trunk Page Page set udld Page set udld aggressive-mode set udld interval set vlan Page Page Page set vlan mapping Page set vmps downloadmethod set vmps downloadserver set vmps server Page set vmps state set vtp Page set vtp pruneeligible show accounting 2-663 This example shows the configuration details of a switch with TACACS+ accounting enabled: Page show acllog show aclmerge show alias show arp show authentication show authorization show banner show boot show boot device show cam 2-675 This example shows how to display dynamic CAM entries for VLAN 1: This example shows routers listed as the CAM entries: Related Commands clear cam set cam show cam agingtime show config show cam agingtime show cam count show cam msfc show cam notification 2-680 This example shows how to display CAM notification information for ports 1-6 on modu le 2: This example shows how to display CAM notification intervals: This example shows how to display CAM notification history information: This example shows how to display CAM notification history size information: Page show cdp 2-683 This example shows how to display CDP information about neighboring systems: This example shows how to display duplex information about neighboring systems: This example shows how to display VLAN information about neighboring systems: 2-684 This example shows how to display capability information about neighboring syst ems: Related Commands set cdp This example shows how to display CDP information for all ports: show channel 2-686 This example shows how to display channel information for all channels: This example shows how to display port information for a specific channel: This example shows how to display port information for all channels: 2-687 This example shows how to display PAgP information for all channels: This example shows how to display PAgP information for a specific channel: This example shows how to display statistics for a specific channel: 2-688 This example shows how to display statistics for all channels: 2-689 Related Commands show channel group show port channel show channel group 2-691 This example shows how to display group information: 2-692 2-693 Related Commands show channel show port channel show channel hash show channel mac show channelprotocol show channel traffic show config 2-699 2-700 2-701 This example shows how to display default and nondefault configuration information: 2-702 This example shows how to display nondefault system configuration information: This example shows how to display all system default and nondefault configuration inf orm ati on : This example shows how to display module nondefault configuration information: Page show config mode show config qos acl show cops 2-707 This example shows how to display COPS RSVP status and configuration information: This example shows how to display the ports assigned to each role: This example shows how to display only IP addresses, not IP aliases: Page show counters 2-710 This example shows how to display the counters for the supervisor engine: Page Page Page Page show crypto key show default show dot1q-all-tagged show dot1x show dvlan statistics show environment 2-721 This example shows how to display temperature information: 2-722 This example shows how to display the inline power for all modules: This example shows how to display the inline power status for a specific module: Page Page show errdisable-timeout show errordetection show fabric channel Page Page show file show flash 2-732 2-733 Related Commands download resetswitch show garp timer show gmrp configuration show gmrp statistics show gmrp timer show gvrp configuration Page show gvrp statistics Page show ifindex show igmp flooding show igmp leave-query-type show igmp mode show igmp querier information show igmp ratelimit-info show igmp statistics Page show imagemib show interface Page show ip alias show ip dns Page show ip http Page show ip permit Page 2s2 show ip route Page show kerberos Page show l2protocol-tunnel statistics Page show lacp-channel Page 2-768 This example shows how to display all ports that are assigned to an administrative key: Page show lcperroraction show lda Page 2-773 This example shows how to display uncommitted ASLB information: This example shows how to display ASLB information for the source IP address in shor t fo rm at: Page show localuser show log Page show log command show logging Page show logging buffer show mac Page Page show microcode show mls Page show mls acl-route show mls cef interface Page show mls cef mac show mls cef summary Page show mls entry Page Page 2-797 For destination-only flow: For destination-source flow: For destination-source: Destination-only flow: 2-798 2-799 Related Commands clear mls statistics entry show mls entry cef 2-801 Examples This example shows how to display information for all CEF entries: These examples show how to display information for a specific entry type: Page Page show mls entry netflow-route Page show mls exclude protocol show mls multicast Page 2-809 This example shows how to display statistical information on a switch configured with the 2-810 Note The display for the show mls multicast entry command has been modified to fit the page. This example shows how to display IP MMLS entry information on a switch configured with the Table 2 -46 describes the fields in the show mls multicast entry command output. Table2-46 show mls multicast entry Command Output Fields Page show mls nde show mls netflow-route show mls pbr-route show mls statistics Page 2-817 Examples This example shows how to display the statistics for all protocol cat egories: This example shows how to display the statistics for all protocol categories: This example shows how to display the up time and aging time on a Supervisor Engine 2: This example shows how to display the MLS statistical entries on a Supervisor Engin e 2: Page show mls verify show module 2-821 This example shows the display for an 8-port T1/E1 ISDN PRI services-configured module: Page show moduleinit Page show msfcautostate show msmautostate show multicast group Page show multicast group count show multicast protocols status show multicast router Page show multicast v3-group show netstat Page Page Page Page Page Page show ntp Page show pbf 2-844 This example shows how to display statistics for PFC2: This example shows how to display statistics for adjacency a_1: This example shows how to display the adjacency map for PFC2: This example shows how to display the adjacency map for adjacency a_1: show pbf-map show port 2-847 Examples This example shows how to display the status and counters for a specific module and port: This example shows port information on a 48-port 10/100BASE-TX module with i nli ne p ower: 2-848 2-849 2-850 Page Page Page show port arp-inspection show port auxiliaryvlan Page show port broadcast Page show port capabilities 2-860 This example shows the port capabilities on an 8-port T1/E1 ISDN PRI services configured-module: 2-861 This example shows the port capabilities on an Intrusion Detection System Module: Page Page show port cdp Page show port channel 2-867 Examples This example shows how to display Ethernet channeling informat ion fo r mod ul e 1: This example shows how to display port statistics: This example shows how to display port information: 2-868 Page Page Page show port cops Page show port counters Page show port debounce show port dot1q-all-tagged show port dot1q-ethertype show port dot1qtunnel show port dot1x Page show port errdisable-timeout Page show port flowcontrol Page show port inlinepower show port jumbo show port l2protocol-tunnel show port lacp-channel 2-890 This example shows how to display LACP channel information for all ports on module 4: This example shows how to display LACP channel information for port 7 on module 4: This example shows how to display detailed LACP channel information for port 7 on module 4: This example shows how to display LACP channel statistics for all ports on module 4: Page show port mac Page show port mac-address 2-895 show port negotiation show port prbs show port protocol show port qos 2-900 Page show port rsvp show port security 2-904 This example shows how to display system-wide configuration information: Page show port spantree show port status show port sync-restart-delay show port tdr Page show port trap show port trunk Page show port unicast-flood show port voice 2-916 2-917 Related Commands se t po rt voi ce int erf ace dhcp show port voice fdl show port voice interface show port voice active 2-919 This example shows how to display regular calls: This example shows how to display calls for a specified port: 2-920 Page show port voice fdl Page show port voice interface show proc 2-926 This example shows how to display process information: Page Page show protocolfilter show pvlan Page show pvlan capability Page show pvlan mapping Page show qos acl editbuffer show qos acl info Page show qos acl map Page show qos acl resource-usage show qos bridged-microflow-policing show qos info 2-944 This example shows how to display QoS-related NVRAM receive-threshold information: 2-945 This example shows how to display all QoS-related NVRAM threshold information: This example shows how to display the current QoS runtime information: 2-946 This example shows another display of the current QoS runtime information: 2-947 This example shows how to display the current QoS configuration information: 2-948 This example shows another display of the current QoS configuration information : Related Commands set qos show qos mac-cos Page show qos maps 2-952 This example shows how to display the ipprec-dscp-map map: This example shows how to display the dscp-cos-map map: This example shows how to display the policed-dscp-map map: This example shows how to display all maps: 2-953 This example shows how to display normal-rate maps: Related Commands clear qos cos-dscp-map clear qos policed-dscp-map set qos map show qos policer Page show qos policy-source show qos rsvp show qos statistics Page show qos statistics export info show qos status show radius Page show rcp show reset show rgmp group show rgmp statistics show rspan 2-969 Related Commands se t rspan show running-config 2-971 2-972 This example shows how to display the nondefault system configuration for module 3: Related Commands clear config show startup-config write show security acl 2-974 Page show security acl arp-inspection show security acl capture-ports show security acl feature ratelimit show security acl log Page Page show security acl map show security acl resource-usage show snmp Page show snmp access Page show snmp access-list show snmp buffer show snmp community 2-991 Related Commands clear snmp community set snmp community show snmp context show snmp counters Page Page Page show snmp engineid show snmp group Page show snmp ifalias show snmp notify Page show snmp rmonmemory show snmp targetaddr Page show snmp targetparams Page show snmp user Page show snmp view Page show span Page show spantree 2-1015 Page Page show spantree backbonefast show spantree blockedports Page show spantree bpdu-filter show spantree bpdu-guard show spantree bpdu-skewing Page show spantree conflicts Page show spantree defaultcostmode show spantree guard Page show spantree mapping 2-1031 This example shows how to display mappings configured on the local switch: Related Commands se t v lan show spantree mistp-instance Page show spantree mst Page show spantree mst config Page show spantree portfast show spantree portinstancecost show spantree portvlancost show spantree statistics 2-1042 2-1043 This example shows how to display instance-specific information: 2-1044 This example shows how to display MST instance-specific information: Page Page Page show spantree summary 2-1049 This example shows how to display non-VLAN-specific information only: This example shows how to display a summary of spanning tree instance inf orm ation : 2-1050 This example shows how to display a summary of spanning tree MST instanc e info rm atio n: Related Commands show spantree This example shows how to display a summary of spanning tree noninstance-specific MST inform ation: show spantree uplinkfast Page show startup-config 2-1054 Page show summertime show system 2-1058 Page Page show system highavailability show system supervisor-update show system switchmode show tacacs Page show tech-support Page Page show test 2-1070 This example shows the error display for module 3: This example shows the display when errors are reported by the LCP for module 3: 2-1071 This example shows the display if you do not specify a module: This example shows how to display diagnostic level status: Page Page show time show timezone show top Page show top report Page show traffic show trunk 2-1082 Examples This example shows how to display trunking information for the switc h: This example shows how to display detailed information about the specified trunk port: Page show udld Page show users show version 2-1088 This example shows how to display version information for a specific module: This example shows how to display the software and hardware versions on systems configured with the Page show vlan 2-1091 2-1092 This example shows how to display information for a specific VLAN and type: This example shows how to display information for nontrunk ports only on a specific VL AN : This example shows how to display extended-range VLANs: Page Page show vlan counters Page show vmps Page show vmps mac show vmps statistics Page show vmps vlan show vtp domain Page show vtp statistics Page slip squeeze stack switch switch console switch fabric sync sysret telnet test cable-diagnostics Page test snmp trap traceroute Page Page unalias undelete unset=varname varname= verify wait whichboot write 2-1130 Examples This example shows how to upload the system5.cfg file to the mercury host : This example shows how to upload the system5.cfg file to the mercury host: This example shows how to display the configuration file on the terminal (partial display): Page write tech-support Page Page APPENDIX A Acronyms Page Page Page Page Page INDEX Symbols Numerics A B C Page D E F G H I J K L M Page Page N O P Page Q R Page S Page Page T Page U V W