Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 26 Configuring Dynamic ARP Inspection
How to Configure Dynamic ARP Inspection
Performing Validation Checks
Step 1
Command: configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Purpose: Performs a specific check on incoming ARP packets. By default, no checks are performed.

src-mac—Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

dst-mac—Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

ip—Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

Step 3
Command: exit
Purpose: Returns to privileged EXEC mode.
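
The three checks and the override rule from Step 2, modeled in Python as an added example; this is not Cisco code, and it only mirrors the behavior described above. The function names (build_frame, bad_ip, effective_checks, failed_checks) are hypothetical, and the sample frames are constructed from documentation-range MAC and IP addresses.

```python
import ipaddress
import struct

def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Constructed test input: Ethernet II header + IPv4-over-Ethernet ARP body."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return (mac(eth_dst) + mac(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

def bad_ip(raw):
    """0.0.0.0, 255.255.255.255 and all IP multicast addresses are invalid."""
    return raw in (b"\x00" * 4, b"\xff" * 4) or ipaddress.IPv4Address(raw).is_multicast

def effective_checks(commands):
    """Model of the override rule: the last validate command wins."""
    active = set()
    for cmd in commands:
        active = set(cmd.split()[4:])  # keywords after 'ip arp inspection validate'
    return active

def failed_checks(frame, checks):
    """Return the enabled checks this frame fails; an empty list means it passes."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    is_reply = struct.unpack("!H", frame[20:22])[0] == 2
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    failed = []
    if "src-mac" in checks and eth_src != sha:               # requests and responses
        failed.append("src-mac")
    if "dst-mac" in checks and is_reply and eth_dst != tha:  # responses only
        failed.append("dst-mac")
    # Sender IP is checked in every packet, target IP only in responses.
    if "ip" in checks and (bad_ip(spa) or (is_reply and bad_ip(tpa))):
        failed.append("ip")
    return failed

A, B, C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
ALL = {"src-mac", "dst-mac", "ip"}
good_reply = build_frame(A, B, 2, B, "192.0.2.1", A, "192.0.2.2")
# Reply whose ARP sender MAC (C) differs from the Ethernet source MAC (B).
mismatch_reply = build_frame(A, B, 2, C, "192.0.2.1", A, "192.0.2.2")
# Request with a multicast target IP: the target is not checked in requests.
odd_request = build_frame("ff:ff:ff:ff:ff:ff", B, 1, B, "192.0.2.1",
                          "00:00:00:00:00:00", "224.0.0.5")
for name, f in (("good", good_reply), ("mismatch", mismatch_reply), ("request", odd_request)):
    print(name, failed_checks(f, ALL))
```

Passing the result of effective_checks to failed_checks shows why entering the keywords in separate commands leaves only the last set active; entering all wanted keywords in one command keeps every check enabled.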