Configuring global settings for ARP inspection – Brocade Communications Systems Brocade Ethernet Access Switch 6910 User Manual

Brocade 6910 Ethernet Access Switch Configuration Guide
53-1002581-01, page 877

41 ARP Inspection

ARP Inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings
stored in a trusted database – the DHCP snooping binding database (see “DHCP Snooping
Configuration” on page 904). This database is built by DHCP snooping if it is enabled globally on
the switch and on the required VLANs. ARP Inspection can also validate ARP packets against
user-configured ARP access control lists (ACLs) for hosts with statically configured addresses (see
“Configuring an ARP ACL” on page 871).

Command Usage

Enabling & Disabling ARP Inspection

ARP Inspection is controlled on a global and VLAN basis.

By default, ARP Inspection is disabled both globally and on all VLANs.

If ARP Inspection is globally enabled, then it becomes active only on the VLANs where it
has been enabled.

When ARP Inspection is enabled globally, all ARP request and reply packets on
inspection-enabled VLANs are redirected to the CPU and their switching behavior handled
by the ARP Inspection engine.

If ARP Inspection is disabled globally, then it becomes inactive for all VLANs, including
those where inspection is enabled.

When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP
Inspection engine and their switching behavior will match that of all other packets.

Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection
configuration of any VLANs.

When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for
individual VLANs. These configuration changes will only become active after ARP
Inspection is enabled globally again.

The ARP Inspection engine in the current firmware version does not support ARP Inspection on
trunk ports.

Configuring Global Settings for ARP Inspection

Use the Security > ARP Inspection (Configure General) page to enable ARP inspection globally for
the switch, to validate address information in each packet, and to configure logging.

CLI References: “ARP Inspection” on page 229

Command Usage

ARP Inspection Validation

By default, ARP Inspection Validation is disabled.

Specifying at least one of the following validations enables ARP Inspection Validation globally.
Any combination of the following checks can be active concurrently.

Destination MAC – Checks the destination MAC address in the Ethernet header against
the target MAC address in the ARP body. This check is performed for ARP responses. When
enabled, packets in which the two MAC addresses differ are classified as invalid and are dropped.
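The following is an added example, not code from the manual or from Brocade firmware. It models the decisions described in this chapter for one ARP frame: inspection is active only when enabled both globally and on the receiving VLAN; the sender IP-to-MAC pair is checked against a DHCP snooping binding database or a static ARP ACL entry; and, when the Destination MAC validation is on, an ARP reply whose Ethernet destination differs from the target MAC in the ARP body is dropped. The binding tables, MAC addresses, sample frames and the precedence of ACL entries over snooping bindings are all constructed assumptions for illustration.

```python
"""Reference model of an ARP Inspection decision (added example; not Brocade firmware code)."""
import socket
import struct
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806


def mac(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


@dataclass
class ArpFrame:
    dst_mac: bytes      # Ethernet header destination
    src_mac: bytes      # Ethernet header source
    opcode: int         # 1 = request, 2 = reply
    sender_mac: bytes   # ARP body: sender hardware address
    sender_ip: str      # ARP body: sender protocol address
    target_mac: bytes   # ARP body: target hardware address
    target_ip: str      # ARP body: target protocol address


def build_arp_frame(f: ArpFrame) -> bytes:
    """Serialise an untagged Ethernet II + ARP frame (used to construct the sample input)."""
    eth = struct.pack("!6s6sH", f.dst_mac, f.src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, f.opcode,
                      f.sender_mac, socket.inet_aton(f.sender_ip),
                      f.target_mac, socket.inet_aton(f.target_ip))
    return eth + arp


def parse_arp_frame(raw: bytes) -> ArpFrame:
    """Extract the fields inspection needs; rejects anything that is not IPv4-over-Ethernet ARP."""
    if len(raw) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", raw[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpFrame(dst, src, op, sha, socket.inet_ntoa(spa), tha, socket.inet_ntoa(tpa))


@dataclass
class ArpInspection:
    """Minimal model of the inspection engine; table layouts are this example's assumption."""
    global_enabled: bool = False
    enabled_vlans: set = field(default_factory=set)
    validate_dst_mac: bool = False                         # the "Destination MAC" validation
    snooping_bindings: dict = field(default_factory=dict)  # (vlan, ip) -> mac, built by DHCP snooping
    arp_acl: dict = field(default_factory=dict)            # (vlan, ip) -> mac, statically addressed hosts
    log: list = field(default_factory=list)                # dropped-packet log entries

    def inspect(self, vlan: int, raw: bytes) -> tuple:
        """Return ('forward' | 'drop', reason) for a frame received on `vlan`."""
        # Inspection is active only when enabled globally AND on this VLAN.
        if not (self.global_enabled and vlan in self.enabled_vlans):
            return "forward", "ARP Inspection inactive on this VLAN"
        # Only ARP request/reply packets are redirected to the engine; other traffic switches normally.
        if len(raw) < 14 or struct.unpack("!H", raw[12:14])[0] != ETHERTYPE_ARP:
            return "forward", "not an ARP frame"
        try:
            frame = parse_arp_frame(raw)
        except ValueError as exc:
            return "drop", f"malformed ARP: {exc}"
        # Validation check: on replies, the Ethernet destination must equal the ARP target MAC.
        if self.validate_dst_mac and frame.opcode == ARP_REPLY and frame.dst_mac != frame.target_mac:
            return self._drop(vlan, frame, "destination MAC differs from ARP target MAC")
        # Binding check: ACL entries are consulted before the snooping database (assumed order).
        key = (vlan, frame.sender_ip)
        expected = self.arp_acl.get(key, self.snooping_bindings.get(key))
        if expected is None:
            return self._drop(vlan, frame, "no binding for sender IP")
        if expected != frame.sender_mac:
            return self._drop(vlan, frame, "sender MAC does not match binding")
        return "forward", "sender IP-to-MAC binding valid"

    def _drop(self, vlan: int, frame: ArpFrame, reason: str) -> tuple:
        self.log.append(f"vlan {vlan} op {frame.opcode} sender {frame.sender_ip} "
                        f"{frame.sender_mac.hex(':')}: {reason}")
        return "drop", reason


def run_scenarios() -> dict:
    """Constructed bindings and frames (RFC 5737 addresses); returns the verdict for each case."""
    client, gateway, other = mac("00:11:22:33:44:55"), mac("00:aa:bb:cc:dd:01"), mac("00:de:ad:be:ef:01")
    engine = ArpInspection(global_enabled=True, enabled_vlans={10},
                           snooping_bindings={(10, "192.0.2.10"): client},  # learned from a DHCP lease
                           arp_acl={(10, "192.0.2.1"): gateway})            # static gateway entry
    legit_reply = build_arp_frame(ArpFrame(gateway, client, ARP_REPLY, client, "192.0.2.10", gateway, "192.0.2.1"))
    bad_sender = build_arp_frame(ArpFrame(client, other, ARP_REPLY, other, "192.0.2.1", client, "192.0.2.10"))
    unknown_ip = build_arp_frame(ArpFrame(gateway, other, ARP_REQUEST, other, "192.0.2.77", bytes(6), "192.0.2.1"))
    # Ethernet destination (gateway) differs from the ARP target MAC (other); binding itself is valid.
    mismatched = build_arp_frame(ArpFrame(gateway, client, ARP_REPLY, client, "192.0.2.10", other, "192.0.2.1"))
    results = {"legit_reply": engine.inspect(10, legit_reply)[0],
               "bad_sender": engine.inspect(10, bad_sender)[0],
               "unknown_ip": engine.inspect(10, unknown_ip)[0],
               "mismatch_no_validation": engine.inspect(10, mismatched)[0],
               "vlan_not_enabled": engine.inspect(20, bad_sender)[0]}
    engine.validate_dst_mac = True
    results["mismatch_with_validation"] = engine.inspect(10, mismatched)[0]
    engine.global_enabled = False   # VLAN config stays, but inspection goes inactive everywhere
    results["globally_disabled"] = engine.inspect(10, bad_sender)[0]
    results["log_entries"] = len(engine.log)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The `mismatch_no_validation` and `mismatch_with_validation` cases show why the Destination MAC check is a separate switch: the sender binding in that frame is perfectly valid, so only the validation step catches the inconsistency between the Ethernet header and the ARP body. The last two cases reproduce the global/VLAN rules above: a VLAN without inspection enabled, or a globally disabled engine, forwards even a frame with a bad binding.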
