Ip arp inspection validate, Ip arp inspection vlan – Microsens MS453490M Management Guide User Manual

Page 677

CHAPTER 25 | General Security Measures

ARP Inspection

ip arp inspection validate

This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.

SYNTAX

ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}

no ip arp inspection validate

dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

ip - Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.

src-mac - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

DEFAULT SETTING

No additional validation is performed.

COMMAND MODE

Global Configuration

COMMAND USAGE

By default, ARP Inspection only checks the IP-to-MAC address bindings specified in an ARP ACL or in the DHCP Snooping database.

EXAMPLE

Console(config)#ip arp inspection validate dst-mac

Console(config)#
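The three checks described above, written out as an added example in Python (not code from the manual or the switch firmware). It models only the comparisons the text states; the function names, result labels and sample MAC/IP values are assumptions made for illustration.

```python
import ipaddress

ARP_REPLY = 2  # ARP opcode; 1 is a request
ALL_CHECKS = frozenset({"dst-mac", "ip", "src-mac"})
# EtherType ARP, then htype=Ethernet, ptype=IPv4, hlen=6, plen=4.
ARP_HDR = bytes.fromhex("0806" "0001" "0800" "06" "04")

def _bad_ip(raw: bytes) -> bool:
    """True for 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    ip = ipaddress.IPv4Address(raw)
    return int(ip) in (0, 0xFFFFFFFF) or ip.is_multicast

def validate_arp(frame: bytes, checks=frozenset()) -> list:
    """Return the names of the checks the frame fails (empty list = pass)."""
    if len(frame) < 42 or frame[12:20] != ARP_HDR:
        return ["not-ipv4-arp"]
    eth_dst, eth_src = frame[0:6], frame[6:12]
    oper = int.from_bytes(frame[20:22], "big")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    failed = []
    # dst-mac: Ethernet destination vs. ARP target MAC, responses only.
    if "dst-mac" in checks and oper == ARP_REPLY and eth_dst != tha:
        failed.append("dst-mac")
    # ip: sender IP in every packet, target IP only in responses.
    if "ip" in checks and (_bad_ip(spa) or (oper == ARP_REPLY and _bad_ip(tpa))):
        failed.append("ip")
    # src-mac: Ethernet source vs. ARP sender MAC, requests and responses.
    if "src-mac" in checks and eth_src != sha:
        failed.append("src-mac")
    return failed

def build_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Build a constructed Ethernet + ARP test frame from MAC/IP strings."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (mac(eth_dst) + mac(eth_src) + ARP_HDR + oper.to_bytes(2, "big")
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

# Constructed sample frames (documentation IP range, made-up MACs).
A, B, X = "00:11:22:33:44:0a", "00:11:22:33:44:0b", "02:00:00:00:00:99"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLES = {
    "clean reply": build_frame(A, B, 2, B, "192.0.2.20", A, "192.0.2.10"),
    "src-mac mismatch": build_frame(A, X, 2, B, "192.0.2.20", A, "192.0.2.10"),
    "dst-mac mismatch": build_frame(X, B, 2, B, "192.0.2.20", A, "192.0.2.10"),
    "request, sender 0.0.0.0": build_frame(BCAST, A, 1, A, "0.0.0.0", ZERO, "192.0.2.10"),
    "request, multicast target": build_frame(BCAST, A, 1, A, "192.0.2.10", ZERO, "224.0.0.1"),
}
```

With an empty check set, matching the default setting, every sample passes; the ARP ACL and DHCP Snooping binding checks are outside this sketch.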

ip arp inspection vlan

This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.

SYNTAX

[no] ip arp inspection vlan {vlan-id | vlan-range}

vlan-id - VLAN ID. (Range: 1-4093)

vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
