Ip arp inspection validate, Ip arp inspection vlan – Microsens MS453490M Management Guide User Manual
Page 677

CHAPTER 25 | General Security Measures
ARP Inspection
ip arp inspection validate
This command specifies additional validation of address components in an
ARP packet. Use the no form to restore the default setting.
SYNTAX
ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet
header against the target MAC address in the ARP body. This check
is performed for ARP responses. When enabled, packets with
different MAC addresses are classified as invalid and are dropped.
ip - Checks the ARP body for invalid and unexpected IP addresses.
These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast
addresses. Sender IP addresses are checked in all ARP requests and
responses, while target IP addresses are checked only in ARP
responses.
src-mac - Checks the source MAC address in the Ethernet header
against the sender MAC address in the ARP body. This check is
performed on both ARP requests and responses. When enabled,
packets with different MAC addresses are classified as invalid and
are dropped.
DEFAULT SETTING
No additional validation is performed.
COMMAND MODE
Global Configuration
COMMAND USAGE
By default, ARP Inspection only checks the IP-to-MAC address bindings
specified in an ARP ACL or in the DHCP Snooping database.
EXAMPLE
Console(config)#ip arp inspection validate dst-mac
Console(config)#
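The three validation options above, written out as a Python check over raw Ethernet/ARP frames. This is an added example, not code from the manual or the switch firmware; the names build_frame, bad_ip and validate, and all MAC and IP addresses, are constructed for illustration.

```python
import ipaddress
import struct

def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP (IPv4) frame; used only for the constructed samples."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def bad_ip(raw):
    """True for 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    return raw in (b"\x00" * 4, b"\xff" * 4) or ipaddress.IPv4Address(raw).is_multicast

def validate(frame, checks):
    """Return the enabled checks ('dst-mac', 'ip', 'src-mac') that the frame fails."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet II ARP frame")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    is_reply = struct.unpack("!H", frame[20:22])[0] == 2
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    failed = set()
    # dst-mac: Ethernet destination vs. ARP target MAC, responses only
    if "dst-mac" in checks and is_reply and eth_dst != tha:
        failed.add("dst-mac")
    # ip: sender IP in every packet, target IP only in responses
    if "ip" in checks and (bad_ip(spa) or (is_reply and bad_ip(tpa))):
        failed.add("ip")
    # src-mac: Ethernet source vs. ARP sender MAC, requests and responses
    if "src-mac" in checks and eth_src != sha:
        failed.add("src-mac")
    return failed

ALL = {"dst-mac", "ip", "src-mac"}
A, B, C = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
# Constructed sample frames (locally administered MACs, documentation IPs).
GOOD_REPLY = build_frame(A, B, 2, B, "192.0.2.10", A, "192.0.2.1")
MISMATCH_REPLY = build_frame(A, C, 2, B, "192.0.2.10", C, "192.0.2.1")
MCAST_REQUEST = build_frame("ff:ff:ff:ff:ff:ff", B, 1, B, "192.0.2.10",
                            "00:00:00:00:00:00", "224.0.0.1")
MCAST_REPLY = build_frame(A, B, 2, B, "192.0.2.10", A, "224.0.0.1")

if __name__ == "__main__":
    for name in ("GOOD_REPLY", "MISMATCH_REPLY", "MCAST_REQUEST", "MCAST_REPLY"):
        print(name, sorted(validate(globals()[name], ALL)) or "passes")
```

Passing an empty set of checks flags nothing, which corresponds to the default setting where no additional validation is performed.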
ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of
VLANs. Use the no form to disable this function.
SYNTAX
[no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID. (Range: 1-4093)
vlan-range - A consecutive range of VLANs indicated by the use of a
hyphen, or a random group of VLANs with each entry separated by
a comma.