Arp inspection commands, Ip arp inspection, Table 4-48 – LevelOne FGL-2870 User Manual


Command Line Interface


ARP Inspection Commands

ARP Inspection validates the MAC-to-IP address bindings in Address Resolution
Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings,
which forms the basis for certain “man-in-the-middle” attacks. This is accomplished
by intercepting all ARP requests and responses and verifying each of these packets
before the local ARP cache is updated or the packet is forwarded to the appropriate
destination, dropping any invalid ARP packets.

ARP Inspection determines the validity of an ARP packet based on valid IP-to-MAC
address bindings stored in a trusted database – the DHCP snooping binding
database. ARP Inspection can also validate ARP packets against user-configured
ARP access control lists (ACLs) for hosts with statically configured IP addresses.
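The validation order described above, modelled in Python as an added example; it is not taken from the manual and is not the switch's own implementation. The binding entries, port name and function names are constructed for illustration, and the model assumes a simple exact-match lookup: trusted port first, then the ARP ACL, then the DHCP snooping bindings.

```python
import ipaddress
import struct

# Constructed sample data (not from the manual): bindings learned by DHCP
# snooping, static ARP ACL entries for fixed-IP hosts, and trusted ports.
DHCP_BINDINGS = {"192.0.2.10": "00:11:22:33:44:55"}
ARP_ACL = {"192.0.2.20": "66:77:88:99:aa:bb"}
TRUSTED_PORTS = {"eth1/24"}


def parse_arp(payload: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return payload[8:14].hex(":"), str(ipaddress.IPv4Address(payload[14:18]))


def inspect(port: str, payload: bytes) -> str:
    """Simplified decision: trusted port, then ARP ACL, then DHCP bindings."""
    if port in TRUSTED_PORTS:
        return "forward"        # trusted ports are exempt from inspection
    try:
        mac, ip = parse_arp(payload)
    except ValueError:
        return "drop"           # malformed packets never update the ARP cache
    for table in (ARP_ACL, DHCP_BINDINGS):
        if table.get(ip) == mac:
            return "forward"    # sender IP-to-MAC binding is known and matches
    return "drop"               # unknown or mismatched binding


def build_arp(op, sha, spa, tha="00:00:00:00:00:00", tpa="192.0.2.1"):
    """Build a constructed Ethernet/IPv4 ARP payload for the demonstration."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


if __name__ == "__main__":
    mismatched = build_arp(2, "de:ad:be:ef:00:01", "192.0.2.10")
    print("untrusted port:", inspect("eth1/5", mismatched))
    print("trusted port:  ", inspect("eth1/24", mismatched))
```

The second result shows why trust should be limited to ports that genuinely need it: a packet with a mismatched binding is forwarded unchecked when it arrives on a trusted port.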

This section describes commands used to configure ARP Inspection.

ip arp inspection

This command enables ARP Inspection globally on the switch. Use the no form to
disable this function.

Syntax

[no] ip arp inspection

Default Setting

Disabled

Table 4-48 ARP Inspection Commands

| Command | Function | Mode | Page |
|---|---|---|---|
| ip arp inspection | Enables ARP Inspection globally on the switch | GC | 4-190 |
| ip arp inspection vlan | Enables ARP Inspection for a specified VLAN or range of VLANs | GC | 4-191 |
| ip arp inspection filter | Specifies an ARP ACL to apply to one or more VLANs | GC | 4-192 |
| ip arp inspection validate | Specifies additional validation of address components in an ARP packet | GC | 4-193 |
| ip arp inspection log-buffer logs | Sets the maximum number of entries saved in a log message, and the rate at which these messages are sent | GC | 4-194 |
| ip arp inspection trust | Sets a port as trusted, and thus exempted from ARP Inspection | IC | 4-195 |
| ip arp inspection limit | Sets a rate limit for the ARP packets received on a port | IC | 4-195 |
| show ip arp inspection configuration | Displays the global configuration settings for ARP Inspection | PE | 4-196 |
| show ip arp inspection interface | Shows the trust status and inspection rate limit for ports | PE | 4-196 |
| show ip arp inspection vlan | Shows configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation is completed | PE | 4-197 |
| show ip arp inspection log | Shows information about entries stored in the log, including the associated VLAN, port, and address components | PE | 4-197 |
| show ip arp inspection statistics | Shows statistics about the number of ARP packets processed, or dropped for various reasons | PE | 4-198 |
