Ip arp inspection validate – LevelOne FGL-2870 User Manual


General Security Measures

4-193


• If static mode is not enabled, packets are first validated against the specified
  ARP ACL. Packets matching a deny rule are dropped. All remaining packets
  are validated against the address bindings in the DHCP snooping database.

Example

Console(config)#ip arp inspection filter sales vlan 1
Console(config)#

ip arp inspection validate

This command specifies additional validation of address components in an ARP
packet. Use the no form to restore the default setting.

Syntax

ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
no ip arp inspection validate

dst-mac - Checks the destination MAC address in the Ethernet header
against the target MAC address in the ARP body. This check is performed
for ARP responses. When enabled, packets with different MAC addresses
are classified as invalid and are dropped.

ip - Checks the ARP body for invalid and unexpected IP addresses.
Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast
addresses. Sender IP addresses are checked in all ARP requests and
responses, while target IP addresses are checked only in ARP responses.

src-mac - Checks the source MAC address in the Ethernet header
against the sender MAC address in the ARP body. This check is
performed on both ARP requests and responses. When enabled, packets
with different MAC addresses are classified as invalid and are dropped.

Default Setting

No additional validation is performed

Command Mode

Global Configuration

Command Usage

By default, ARP Inspection only checks the IP-to-MAC address bindings
specified in an ARP ACL or in the DHCP Snooping database.

Example

Console(config)#ip arp inspection validate dst-mac
Console(config)#
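The following Python model is an added illustration and is not part of the LevelOne manual or the switch firmware. It parses raw Ethernet/ARP frames and applies the three dst-mac, ip and src-mac checks exactly as the option descriptions above state them (dst-mac on responses only; sender IP on requests and responses, target IP on responses only; src-mac on both), so that a reader can see which constructed frames each option would classify as invalid. The MAC addresses, IP addresses and frame names are constructed sample data, and the function and variable names are this example's own, not the switch's.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    eth_dst: bytes      # destination MAC from the Ethernet header
    eth_src: bytes      # source MAC from the Ethernet header
    opcode: int         # 1 = request, 2 = reply
    sender_mac: bytes   # sender hardware address in the ARP body
    sender_ip: IPv4Address
    target_mac: bytes   # target hardware address in the ARP body
    target_ip: IPv4Address


def parse_arp_frame(frame: bytes) -> ArpPacket:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(eth_dst, eth_src, oper, sha, IPv4Address(spa), tha, IPv4Address(tpa))


def _invalid_ip(addr: IPv4Address) -> bool:
    """The addresses the manual lists as invalid: 0.0.0.0, 255.255.255.255, any multicast."""
    return addr in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or addr.is_multicast


def validate(pkt: ArpPacket, dst_mac: bool = False, ip: bool = False,
             src_mac: bool = False) -> list[str]:
    """Return the reasons the packet fails the enabled checks (empty list = passes)."""
    reasons: list[str] = []
    # dst-mac: Ethernet destination vs. ARP target MAC, checked on ARP responses only
    if dst_mac and pkt.opcode == ARP_REPLY and pkt.eth_dst != pkt.target_mac:
        reasons.append("dst-mac: Ethernet destination differs from ARP target MAC")
    # ip: sender IP on requests and responses, target IP on responses only
    if ip:
        if _invalid_ip(pkt.sender_ip):
            reasons.append(f"ip: invalid sender IP {pkt.sender_ip}")
        if pkt.opcode == ARP_REPLY and _invalid_ip(pkt.target_ip):
            reasons.append(f"ip: invalid target IP {pkt.target_ip}")
    # src-mac: Ethernet source vs. ARP sender MAC, checked on requests and responses
    if src_mac and pkt.eth_src != pkt.sender_mac:
        reasons.append("src-mac: Ethernet source differs from ARP sender MAC")
    return reasons


def build_arp_frame(eth_dst: bytes, eth_src: bytes, opcode: int, sha: bytes,
                    spa: str, tha: bytes, tpa: str) -> bytes:
    """Assemble a 42-byte Ethernet + ARP frame (used here only to construct samples)."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + struct.pack("!6s4s6s4s", sha, IPv4Address(spa).packed,
                          tha, IPv4Address(tpa).packed))


# Constructed sample traffic (documentation-range addresses, not captured data)
HOST_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("66778899aabb")
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

SAMPLE_FRAMES = {
    # ordinary request: broadcast destination, target MAC still unknown
    "request_ok": build_arp_frame(BROADCAST, HOST_A, ARP_REQUEST,
                                  HOST_A, "192.0.2.10", ZERO_MAC, "192.0.2.20"),
    # ordinary unicast reply with all address fields consistent
    "reply_ok": build_arp_frame(HOST_A, HOST_B, ARP_REPLY,
                                HOST_B, "192.0.2.20", HOST_A, "192.0.2.10"),
    # reply whose ARP sender MAC does not match the Ethernet source MAC
    "reply_src_mismatch": build_arp_frame(HOST_A, HOST_B, ARP_REPLY,
                                          HOST_A, "192.0.2.20", HOST_A, "192.0.2.10"),
    # reply sent to broadcast although the ARP target MAC is HOST_A
    "reply_dst_mismatch": build_arp_frame(BROADCAST, HOST_B, ARP_REPLY,
                                          HOST_B, "192.0.2.20", HOST_A, "192.0.2.10"),
    # request carrying a multicast sender IP
    "request_mcast_sender": build_arp_frame(BROADCAST, HOST_A, ARP_REQUEST,
                                            HOST_A, "224.0.0.1", ZERO_MAC, "192.0.2.20"),
    # ARP probe (RFC 5227): sender IP 0.0.0.0 in a request
    "request_probe": build_arp_frame(BROADCAST, HOST_A, ARP_REQUEST,
                                     HOST_A, "0.0.0.0", ZERO_MAC, "192.0.2.20"),
}


def classify(dst_mac: bool = True, ip: bool = True,
             src_mac: bool = True) -> dict[str, list[str]]:
    """Run the enabled checks over every sample frame; empty list means the frame passes."""
    return {name: validate(parse_arp_frame(frame), dst_mac, ip, src_mac)
            for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, reasons in classify().items():
        print(f"{name:22s} {'pass' if not reasons else 'DROP: ' + '; '.join(reasons)}")
```

Two behaviours worth noticing when deciding which options to enable: the broadcast request passes dst-mac because that check applies to responses only, so enabling dst-mac does not interfere with normal address resolution; and because the manual states that sender IP addresses are checked in all ARP requests, an ARP probe of the kind RFC 5227 describes (sender IP 0.0.0.0) is classified as invalid once the ip option is on, which is something to verify against hosts that perform address-conflict detection before enabling it.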
