Configuring Dynamic ARP Inspection
How to Configure Dynamic ARP Inspection
Performing Validation Checks
Step 1.
Command: configure terminal
Purpose: Enters global configuration mode.

Step 2.
Command: ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Purpose: Performs a specific check on incoming ARP packets. By default, no checks are performed.

src-mac—Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

dst-mac—Checks the destination MAC address in the Ethernet header against the target MAC address in ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

ip—Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

Step 3.
Command: exit
Purpose: Returns to privileged EXEC mode.