Cisco Systems 2960 Manual De Usuario
21-13
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 21 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP
packets. This procedure is optional.
packets. This procedure is optional.
To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global
configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure
packets, use the show ip arp inspection statistics privileged EXEC command.
configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure
packets, use the show ip arp inspection statistics privileged EXEC command.
Configuring the Log Buffer
When the switch drops a packet, it places an entry in the log buffer and then generates system messages
on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer.
Each log entry contains flow information, such as the receiving VLAN, the port number, the source and
destination IP addresses, and the source and destination MAC addresses.
on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer.
Each log entry contains flow information, such as the receiving VLAN, the port number, the source and
destination IP addresses, and the source and destination MAC addresses.
A log-buffer entry can represent more than one packet. For example, if an interface receives many
packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry
in the log buffer and generates a single system message for the entry.
packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry
in the log buffer and generates a single system message for the entry.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
ip arp inspection validate
{[src-mac] [dst-mac] [ip]}
{[src-mac] [dst-mac] [ip]}
Perform a specific check on incoming ARP packets. By default, no checks are
performed.
performed.
The keywords have these meanings:
•
For src-mac, check the source MAC address in the Ethernet header against the
sender MAC address in the ARP body. This check is performed on both ARP
requests and responses. When enabled, packets with different MAC addresses
are classified as invalid and are dropped.
sender MAC address in the ARP body. This check is performed on both ARP
requests and responses. When enabled, packets with different MAC addresses
are classified as invalid and are dropped.
•
For dst-mac, check the destination MAC address in the Ethernet header against
the target MAC address in ARP body. This check is performed for ARP
responses. When enabled, packets with different MAC addresses are classified
as invalid and are dropped.
the target MAC address in ARP body. This check is performed for ARP
responses. When enabled, packets with different MAC addresses are classified
as invalid and are dropped.
•
For ip, check the ARP body for invalid and unexpected IP addresses. Addresses
include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP
addresses are checked in all ARP requests and responses, and target IP addresses
are checked only in ARP responses.
include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP
addresses are checked in all ARP requests and responses, and target IP addresses
are checked only in ARP responses.
You must specify at least one of the keywords. Each command overrides the
configuration of the previous command; that is, if a command enables src and dst
mac validations, and a second command enables IP validation only, the src and dst
mac validations are disabled as a result of the second command.
configuration of the previous command; that is, if a command enables src and dst
mac validations, and a second command enables IP validation only, the src and dst
mac validations are disabled as a result of the second command.
Step 3
exit
Return to privileged EXEC mode.
Step 4
show ip arp inspection vlan
vlan-range
vlan-range
Verify your settings.
Step 5
copy running-config
startup-config
startup-config
(Optional) Save your entries in the configuration file.