arp-protect

OVERVIEW

Primary context: config

Usage: [no] arp-protect [trust [ethernet] PORT-LIST | validate <ip|dest-mac|src-mac> | vlan VLAN-ID-RANGE]

Description: Configure Dynamic ARP Protection.

To enable or disable ARP Protection on the switch, execute the [no] arp-protect command. Dynamic ARP Protection will not be enabled on any VLAN if it is not enabled on the switch.

By default Dynamic ARP Protection is disabled.

To configure which VLANs are to be protected, execute the 'arp-protect vlan' command. By default Dynamic ARP Protection is disabled on all VLANs.

Dynamic ARP Protection divides ports into two categories: untrusted and trusted. ARP packets received on trusted ports are forwarded without validation.

ARP packets received on the untrusted ports of a protected VLAN are intercepted and validated before being forwarded.

By default ports are untrusted.

Dynamic ARP Protection validates ARP packets based on the IP-to-MAC binding database maintained by DHCP snooping. If DHCP snooping is not enabled, a loss of connectivity will result, since the database will contain no bindings. For devices that do not use DHCP to obtain their IP configuration, static bindings can be added manually to the database with the 'ip source-binding' command.

Dynamic ARP Protection can also be configured to drop ARP packets that contain invalid IP addresses, or whose MAC addresses in the body of the ARP packet do not match those in the Ethernet header.

Parameters:

trust [ethernet] PORT-LIST -- Configure ports as trusted or untrusted.

validate <ip|dest-mac|src-mac> -- Configure additional ARP packet checks.

vlan VLAN-ID-RANGE -- Enable/disable ARP Protection on VLANs.

COMMAND STRUCTURE

[no] arp-protect trust -- Configure port(s) as trusted or untrusted. ([ethernet] PORT-LIST) (p. 66)

[no] arp-protect validate -- Configure additional ARP Protection validation checks. (p. 66)

dest-mac -- Drop any ARP response packet in which the destination MAC address in the ethernet header does not match the target MAC address in the body of the packet. (p. 66)

ip -- Drop any ARP request with an invalid sender IP address. Drop any ARP response with an invalid target IP address. Invalid IP addresses include 0.0.0.0, 255.255.255.255, all IP multicast addresses, and all class E IP addresses. (p. 66)
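As an added example that is not part of the HP reference, the following Python model reproduces the Dynamic ARP Protection decision described above over constructed ARP frames: trusted ports and unprotected VLANs are forwarded untouched, untrusted ports on a protected VLAN are checked against the binding database, and the optional 'validate' checks are applied. The binding table, port numbers, VLAN IDs and MAC/IP values are made up; the order of the checks and the src-mac rule (Ethernet source MAC must equal the ARP sender MAC) are assumptions of the model, not documented switch behaviour.

```python
import ipaddress

REQUEST, REPLY = 1, 2  # ARP opcodes

def invalid_ip(ip):
    """'validate ip' rule: 0.0.0.0, limited broadcast, multicast and class E are invalid."""
    a = ipaddress.IPv4Address(ip)
    return ip in ("0.0.0.0", "255.255.255.255") or a.is_multicast or (int(a) >> 28) == 0xF

def arp_protect_decision(f, trusted_ports, protected_vlans, bindings, validate=()):
    """Return 'forward' or 'drop:<reason>' for one ARP frame (a dict, see frame()).
    bindings maps (vlan, ip) -> mac, as DHCP snooping or 'ip source-binding' would fill it."""
    if f["vlan"] not in protected_vlans or f["port"] in trusted_ports:
        return "forward"  # not intercepted at all
    if "ip" in validate:  # request: sender IP; response: target IP (as documented)
        if f["op"] == REQUEST and invalid_ip(f["sender_ip"]):
            return "drop:invalid-sender-ip"
        if f["op"] == REPLY and invalid_ip(f["target_ip"]):
            return "drop:invalid-target-ip"
    if "src-mac" in validate and f["eth_src"] != f["sender_mac"]:  # assumed rule
        return "drop:src-mac-mismatch"
    if "dest-mac" in validate and f["op"] == REPLY and f["eth_dst"] != f["target_mac"]:
        return "drop:dest-mac-mismatch"
    # Core check: the sender IP/MAC pair must exist in the snooping binding database.
    if bindings.get((f["vlan"], f["sender_ip"])) != f["sender_mac"]:
        return "drop:no-binding"
    return "forward"

def frame(port, vlan, op, eth_src, eth_dst, s_mac, s_ip, t_mac, t_ip):
    return dict(port=port, vlan=vlan, op=op, eth_src=eth_src, eth_dst=eth_dst,
                sender_mac=s_mac, sender_ip=s_ip, target_mac=t_mac, target_ip=t_ip)

# Constructed state: port 1 is the trusted uplink, VLAN 10 is protected, and one
# host lease was learned by DHCP snooping. All addresses below are made up.
TRUSTED, PROTECTED = {"1"}, {10}
BINDINGS = {(10, "192.168.1.10"): "00:11:22:33:44:55"}
HOST, GW = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01"
OTHER, BCAST, ZERO = "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def run_samples(validate=("ip", "src-mac", "dest-mac")):
    """Decide six constructed frames; see the test for the expected results."""
    samples = [
        frame("5", 10, REQUEST, HOST, BCAST, HOST, "192.168.1.10", ZERO, "192.168.1.1"),   # bound host
        frame("6", 10, REPLY, OTHER, HOST, OTHER, "192.168.1.1", HOST, "192.168.1.10"),    # unbound pair
        frame("1", 10, REPLY, GW, HOST, GW, "192.168.1.1", HOST, "192.168.1.10"),          # trusted port
        frame("7", 10, REQUEST, OTHER, BCAST, OTHER, "255.255.255.255", ZERO, "192.168.1.1"),
        frame("6", 10, REPLY, HOST, OTHER, HOST, "192.168.1.10", GW, "192.168.1.1"),       # dst MAC mismatch
        frame("8", 20, REPLY, OTHER, HOST, OTHER, "192.168.2.1", HOST, "192.168.2.10"),    # unprotected VLAN
    ]
    return [arp_protect_decision(s, TRUSTED, PROTECTED, BINDINGS, validate) for s in samples]
```

Calling run_samples(()) shows the default behaviour without 'validate': the invalid-IP request is still dropped, but only because no binding exists for it, and the dest-mac mismatch is forwarded.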

© 2009 Hewlett-Packard Development Company, L.P.

65