
Brocade 6910 Ethernet Access Switch Configuration Guide (Supporting R2.2.0.0) User Manual



53-1002651-02

42 ARP Inspection

Command Usage
ARP Inspection Validation

By default, ARP Inspection Validation is disabled.

Specifying at least one of the following validations enables ARP Inspection Validation globally.
Any combination of the following checks can be active concurrently.

Destination MAC – Checks the destination MAC address in the Ethernet header against
the target MAC address in the ARP body. This check is performed for ARP responses. When
enabled, packets with different MAC addresses are classified as invalid and are dropped.

IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses
include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses
are checked in all ARP requests and responses, while target IP addresses are checked
only in ARP responses.

Source MAC – Checks the source MAC address in the Ethernet header against the sender
MAC address in the ARP body. This check is performed on both ARP requests and
responses. When enabled, packets with different MAC addresses are classified as invalid
and are dropped.

ARP Inspection Logging

By default, logging is active for ARP Inspection, and cannot be disabled.

The administrator can configure the log facility rate.

When the switch drops a packet, it places an entry in the log buffer, then generates a system
message on a rate-controlled basis. After the system message is generated, the entry is
cleared from the log buffer.

Each log entry contains flow information, such as the receiving VLAN, the port number, the
source and destination IP addresses, and the source and destination MAC addresses.

If multiple identical invalid ARP packets are received consecutively on the same VLAN, the
logging facility generates only one entry in the log buffer and one corresponding system
message.

If the log buffer is full, the oldest entry will be replaced with the newest entry.
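The following models the three validation checks and the log-buffer behaviour described above. It is an added example, not code from the Brocade manual or the switch firmware: the ArpPacket fields, the check names passed to validate(), and the DropLog capacity are assumptions, and all packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcodes

@dataclass(frozen=True)
class ArpPacket:
    """Constructed ARP packet: Ethernet header fields plus ARP body fields."""
    vlan: int
    port: int
    eth_src: str     # source MAC, Ethernet header
    eth_dst: str     # destination MAC, Ethernet header
    opcode: int      # ARP_REQUEST or ARP_REPLY
    sender_mac: str  # sender MAC, ARP body
    sender_ip: str
    target_mac: str  # target MAC, ARP body
    target_ip: str

def bad_ip(ip: str) -> bool:
    """0.0.0.0, 255.255.255.255 and any IPv4 multicast address are invalid."""
    addr = ipaddress.IPv4Address(ip)
    return addr.is_multicast or str(addr) in ("0.0.0.0", "255.255.255.255")
def validate(pkt: ArpPacket, checks: set) -> list:
    """Names of failed checks (empty list = pass); checks is any subset of
    {"dst-mac", "ip", "src-mac"}, the switch's three validation options."""
    failed = []
    # Dst-MAC: Ethernet destination vs ARP target MAC, responses only
    if ("dst-mac" in checks and pkt.opcode == ARP_REPLY
            and pkt.eth_dst.lower() != pkt.target_mac.lower()):
        failed.append("dst-mac")
    # IP: sender IP on requests and responses, target IP on responses only
    if "ip" in checks and (bad_ip(pkt.sender_ip) or
                           (pkt.opcode == ARP_REPLY and bad_ip(pkt.target_ip))):
        failed.append("ip")
    # Src-MAC: Ethernet source vs ARP sender MAC, requests and responses
    if "src-mac" in checks and pkt.eth_src.lower() != pkt.sender_mac.lower():
        failed.append("src-mac")
    return failed
class DropLog:
    """Log buffer as documented: consecutive identical invalid packets on one
    VLAN yield one entry; when full, the oldest entry is replaced by the newest."""
    def __init__(self, capacity: int = 8):  # capacity is assumed, not from the manual
        self.capacity, self.entries = capacity, []
    def record(self, pkt: ArpPacket) -> bool:  # True when a new entry is produced
        if self.entries and self.entries[-1] == pkt:
            return False
        if len(self.entries) == self.capacity:
            self.entries.pop(0)
        self.entries.append(pkt)
        return True
```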

Parameters
These parameters are displayed:

ARP Inspection Status – Enables ARP Inspection globally. (Default: Disabled)

ARP Inspection Validation – Enables extended ARP Inspection Validation if any of the following
options are enabled. (Default: Disabled)

Dst-MAC – Validates the destination MAC address in the Ethernet header against the
target MAC address in the body of ARP responses.

IP – Checks the ARP body for invalid and unexpected IP addresses. Sender IP addresses
are checked in all ARP requests and responses, while target IP addresses are checked
only in ARP responses.

Src-MAC – Validates the source MAC address in the Ethernet header against the sender
MAC address in the ARP body. This check is performed on both ARP requests and
responses.

Log Message Number – The maximum number of entries saved in a log message.
(Range: 0-256; Default: 5)