CANOGA PERKINS CanogaOS Command Reference User Manual


CanogaOS Command Line Reference

Revision 1.02

Proprietary & Confidential Canoga Perkins Metro Ethernet Switches

Page 691 of 855


Command Syntax

ip arp inspection validate [src-mac] [dst-mac] [ip]
no ip arp inspection validate [src-mac] [dst-mac] [ip]

src-mac

(Optional) Checks the source MAC address in the Ethernet header against the
sender’s MAC address in the ARP body. This checking is done against both ARP
requests and responses.
Note: When src-mac is enabled, packets with different MAC addresses are
classified as invalid and are dropped.

dst-mac

(Optional) Checks the destination MAC address in the Ethernet header against the
target MAC address in the ARP body. This checking is done for ARP responses.
Note: When dst-mac is enabled, packets with different MAC addresses are
classified as invalid and are dropped.

ip

(Optional) Checks the ARP body for invalid and unexpected IP addresses.
Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
The sender IP addresses are checked in all ARP requests and responses and
target IP addresses are checked only in ARP responses.


Default

Checks are disabled.


Command Mode

Global configuration


Usage

When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the
command line. Each command overrides the configuration of the previous command. If a command
enables src and dst mac validations, and a second command enables IP validation only, the src and
dst mac validations are disabled as a result of the second command.
The no form of this command disables only the specified checks. If none of the check options are
enabled, all the checks are disabled.


Examples

This example shows how to enable the source MAC validation:
Switch# configure terminal
Switch(config)# ip arp inspection validate src-mac
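
The following Python model of the three checks (src-mac, dst-mac, ip) is an added example, not CanogaOS code and not part of the original manual. The function names validate, bad_ip and build and the sample frames are assumptions, and it assumes untagged Ethernet frames carrying IPv4 ARP.

```python
# Added illustration of the src-mac, dst-mac and ip checks on a raw ARP frame.
# Not CanogaOS code; all function and variable names are hypothetical.
import ipaddress
import struct

ARP_REPLY = 2  # ARP opcode for a response (1 is a request)

def bad_ip(raw):
    """True for 0.0.0.0, 255.255.255.255 and IP multicast addresses."""
    ip = ipaddress.IPv4Address(raw)
    return str(ip) in ("0.0.0.0", "255.255.255.255") or ip.is_multicast

def validate(frame, checks):
    """Return the names of the enabled checks the frame fails ([] = passes).

    checks is a subset of {"src-mac", "dst-mac", "ip"}.
    """
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    failed = []
    # src-mac: Ethernet source vs. sender MAC, for requests and responses
    if "src-mac" in checks and eth_src != sha:
        failed.append("src-mac")
    # dst-mac: Ethernet destination vs. target MAC, for responses only
    if "dst-mac" in checks and op == ARP_REPLY and eth_dst != tha:
        failed.append("dst-mac")
    # ip: sender IP in every packet, target IP only in responses
    if "ip" in checks and (bad_ip(spa) or (op == ARP_REPLY and bad_ip(tpa))):
        failed.append("ip")
    return failed

def build(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed sample frame (test data, not a capture)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ipaddress.IPv4Address(spa).packed
            + mac(tha) + ipaddress.IPv4Address(tpa).packed)
```

A response whose Ethernet source differs from the sender MAC in the ARP body fails only when src-mac is among the enabled checks, which is why the override behaviour described under Usage matters when commands are issued one after another.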


Related Commands

arp access-list
show ip arp inspection
