6 ip arp inspection vlan – CANOGA PERKINS 9175 Command Reference User Manual


CanogaOS Command Reference


dst-mac

(Optional) Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is done for ARP responses.

Note: When dst-mac is enabled, packets with different MAC addresses are classified as invalid and are dropped.

ip

(Optional) Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

The sender IP addresses are checked in all ARP requests and responses and target IP addresses are checked only in ARP responses.


Default

Checks are disabled.


Command Mode

Global configuration


Usage

When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the command line. Each command overrides the configuration of the previous command. If a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

The no form of this command disables only the specified checks. If none of the check options are enabled, all the checks are disabled.


Examples

This example shows how to enable the source MAC validation:

Switch# configure terminal

Switch(config)# ip arp inspection validate src-mac


Related Commands

arp access-list

show ip arp inspection

34.6 ip arp inspection vlan

To enable dynamic ARP inspection (DAI) on a per-VLAN basis, use the ip arp inspection vlan command in global configuration mode. To disable DAI, use the no form of this command.


Command Syntax

ip arp inspection vlan vlan-range

no ip arp inspection vlan vlan-range

vlan-range

VLAN number or range; valid values are from 1 to 4094.


Default

ARP inspection is disabled on all VLANs.
