CANOGA PERKINS CanogaOS Command Reference User Manual
CanogaOS Command Line Reference
Revision 1.02
Proprietary & Confidential Canoga Perkins Metro Ethernet Switches
Command Syntax
ip arp inspection validate [src-mac] [dst-mac] [ip]
no ip arp inspection validate [src-mac] [dst-mac] [ip]
src-mac
(Optional) Checks the source MAC address in the Ethernet header against the
sender’s MAC address in the ARP body. This checking is done against both ARP
requests and responses.
Note: When src-mac is enabled, packets with different MAC addresses are
classified as invalid and are dropped.
dst-mac
(Optional) Checks the destination MAC address in the Ethernet header against the
target MAC address in the ARP body. This checking is done for ARP responses.
Note: When dst-mac is enabled, packets with different MAC addresses are
classified as invalid and are dropped.
ip
(Optional) Checks the ARP body for invalid and unexpected IP addresses.
Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
The sender IP addresses are checked in all ARP requests and responses and
target IP addresses are checked only in ARP responses.
Default
Checks are disabled.
Command Mode
Global configuration
Usage
When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the
command line. Each command overrides the configuration of the previous command. If a command
enables src-mac and dst-mac validation, and a second command enables ip validation only, the
src-mac and dst-mac validations are disabled as a result of the second command.
The no form of this command disables only the specified checks. If none of the check options are
enabled, all the checks are disabled.
Examples
This example shows how to enable the source MAC validation:
Switch# configure terminal
Switch(config)# ip arp inspection validate src-mac
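The three checks described under src-mac, dst-mac and ip, written out as an added Python example (not code from this manual or from CanogaOS). The function names, the checks set and the sample frames are constructed for illustration, and the layout assumed is an Ethernet II frame carrying IPv4-over-Ethernet ARP.

```python
import ipaddress
import struct

REQUEST, REPLY = 1, 2  # ARP operation codes

def bad_ip(raw):
    # Invalid per the manual: 0.0.0.0, 255.255.255.255 and all IP multicast.
    ip = ipaddress.IPv4Address(raw)
    return ip.is_multicast or str(ip) in ("0.0.0.0", "255.255.255.255")

def validate(frame, checks):
    """Return the enabled checks (src-mac, dst-mac, ip) that the frame fails."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    # Skip htype/ptype/hlen/plen (6 bytes), then read opcode and addresses.
    oper, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    failed = []
    if "src-mac" in checks and eth_src != sha:  # requests and responses
        failed.append("src-mac")
    if "dst-mac" in checks and oper == REPLY and eth_dst != tha:  # responses only
        failed.append("dst-mac")
    # Sender IP is always checked; target IP only in responses.
    if "ip" in checks and (bad_ip(spa) or (oper == REPLY and bad_ip(tpa))):
        failed.append("ip")
    return failed

def build(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a constructed sample frame (not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    arp_fixed = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
    return mac(eth_dst) + mac(eth_src) + arp_fixed + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

if __name__ == "__main__":
    host, gw, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "02:00:00:00:00:01"
    every = {"src-mac", "dst-mac", "ip"}
    # Reply whose ARP sender MAC differs from the Ethernet source MAC.
    spoofed = build(host, gw, REPLY, other, "10.0.0.1", host, "10.0.0.2")
    print(validate(spoofed, every))
    # With only ip enabled, the same MAC mismatch is no longer checked.
    print(validate(spoofed, {"ip"}))
```

The second call mirrors the Usage note: once a later command enables ip only, a frame with mismatched MAC addresses is no longer classified as invalid.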
Related Commands
arp access-list
show ip arp inspection