ARP Packet Validation
Validates ARP packets to avoid traffic interruption or loss.
To avoid traffic interruption or loss, ARP Packet Validation allows the user to detect and drop ARP packets that do not pass the ARP
validation process. ARP Packet Validation is disabled by default and can be enabled at the global configuration level. This functionality
can be configured for the destination MAC address, the IP address and the source MAC address, or with a combination of these
parameters. The Ethernet header contains the destination MAC address and source MAC address, while the ARP packet contains the
sender hardware address and target hardware address; validation compares the two.
Follow these steps to perform checks on the incoming ARP packets.
1. Enter the global configuration mode.
2. Run the ip arp inspection validate [dst-mac | ip | src-mac] command to perform a check on any incoming ARP packets. Use
one or more of the following parameters to run the validation check:
• dst-mac
The destination MAC address in the Ethernet header must be the same as the target hardware address in the ARP body.
This validation is performed for the ARP response packet only. When the destination MAC address validation is enabled,
packets with different MAC addresses are classified as invalid and are dropped.
• src-mac
The source MAC address in the Ethernet header and the sender hardware address in the ARP body must be the same. This
validation is performed for the ARP request and response packets. When the source MAC validation is enabled, packets
with different MAC addresses are classified as invalid and are dropped.
• ip
Each ARP packet has a sender IP address and a target IP address. In an ARP response packet, the target IP address must not
be an invalid or unexpected IP address. In both ARP request and response packets, the sender IP address must not be an invalid
or unexpected IP address. Invalid addresses are 0.0.0.0, 255.255.255.255, and all IP multicast addresses. When the IP address
validation is enabled, packets with invalid or unexpected IP addresses are classified as invalid and are dropped.
The following example shows ARP packets being validated for the destination MAC address.
device# configure terminal
device(config)# ip arp inspection validate dst-mac
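The three checks described above, modelled in software as an added example (this is not code from the FastIron product or its documentation, and the switch's actual implementation is not shown here). It builds raw Ethernet + ARP frames with constructed, hypothetical MAC and IP addresses, parses them back into the Ethernet-header and ARP-body fields, and applies the dst-mac, src-mac and ip rules exactly as the text states them: dst-mac on responses only, src-mac on requests and responses, sender IP on both and target IP on responses only, with 0.0.0.0, 255.255.255.255 and multicast treated as invalid.

```python
"""Model of ARP packet validation: dst-mac, src-mac and ip checks over raw frames."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def mac_text(raw):
    """6 raw bytes -> lowercase 'aa:bb:cc:dd:ee:ff'."""
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Constructed test input: Ethernet II header + IPv4-over-Ethernet ARP body.
    eth_dst/eth_src live in the Ethernet header; sha/tha are the ARP sender and
    target hardware addresses, so the two pairs can deliberately disagree."""
    ether = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return ether + arp


def parse_arp_frame(frame):
    """Split a frame into the Ethernet-header and ARP-body fields the checks compare."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP address lengths")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_text(eth_dst), "eth_src": mac_text(eth_src), "op": op,
        "sha": mac_text(sha), "spa": ipaddress.IPv4Address(spa),
        "tha": mac_text(tha), "tpa": ipaddress.IPv4Address(tpa),
    }


def is_invalid_ip(addr):
    """0.0.0.0, 255.255.255.255 and any multicast address are never valid in ARP."""
    return addr in (ipaddress.IPv4Address("0.0.0.0"),
                    ipaddress.IPv4Address("255.255.255.255")) or addr.is_multicast


def validate_arp(frame, checks):
    """Apply the enabled checks ('dst-mac', 'src-mac', 'ip').
    Returns 'forward' or 'drop: <reason>'."""
    p = parse_arp_frame(frame)
    # dst-mac: responses only. Requests go to the broadcast MAC while the target
    # hardware address is still unknown, so they are exempt from this check.
    if "dst-mac" in checks and p["op"] == ARP_REPLY and p["eth_dst"] != p["tha"]:
        return "drop: dst-mac mismatch"
    # src-mac: Ethernet source must equal the ARP sender hardware address, for
    # both requests and responses.
    if "src-mac" in checks and p["eth_src"] != p["sha"]:
        return "drop: src-mac mismatch"
    if "ip" in checks:
        # Sender IP is checked in requests and responses; target IP only in responses.
        if is_invalid_ip(p["spa"]):
            return "drop: invalid sender ip"
        if p["op"] == ARP_REPLY and is_invalid_ip(p["tpa"]):
            return "drop: invalid target ip"
    return "forward"


# Constructed sample frames; all hosts and addresses are hypothetical.
HOST_A, HOST_B, ATTACKER = "00:11:22:33:44:01", "00:11:22:33:44:02", "de:ad:be:ef:00:99"
GOOD_REQUEST = build_arp_frame(BROADCAST_MAC, HOST_A, ARP_REQUEST,
                               HOST_A, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2")
GOOD_REPLY = build_arp_frame(HOST_A, HOST_B, ARP_REPLY, HOST_B, "10.0.0.2", HOST_A, "10.0.0.1")
# Reply whose Ethernet destination does not match the ARP target hardware address.
BAD_DST_REPLY = build_arp_frame(ATTACKER, HOST_B, ARP_REPLY, HOST_B, "10.0.0.2", HOST_A, "10.0.0.1")
# Reply sent from the attacker's NIC but claiming HOST_B's MAC in the ARP body.
SPOOFED_SRC_REPLY = build_arp_frame(HOST_A, ATTACKER, ARP_REPLY, HOST_B, "10.0.0.2", HOST_A, "10.0.0.1")
# Reply with a multicast target IP, and a request with a 0.0.0.0 sender IP.
BAD_TARGET_IP_REPLY = build_arp_frame(HOST_A, HOST_B, ARP_REPLY, HOST_B, "10.0.0.2", HOST_A, "224.0.0.1")
ZERO_SENDER_REQUEST = build_arp_frame(BROADCAST_MAC, HOST_A, ARP_REQUEST,
                                      HOST_A, "0.0.0.0", "00:00:00:00:00:00", "10.0.0.2")

if __name__ == "__main__":
    all_checks = {"dst-mac", "src-mac", "ip"}
    for name, frame in [("GOOD_REQUEST", GOOD_REQUEST), ("GOOD_REPLY", GOOD_REPLY),
                        ("BAD_DST_REPLY", BAD_DST_REPLY), ("SPOOFED_SRC_REPLY", SPOOFED_SRC_REPLY),
                        ("BAD_TARGET_IP_REPLY", BAD_TARGET_IP_REPLY),
                        ("ZERO_SENDER_REQUEST", ZERO_SENDER_REQUEST)]:
        print(f"{name:22s} {validate_arp(frame, all_checks)}")
```

Note which frames each parameter catches: BAD_DST_REPLY passes src-mac and only fails dst-mac, while SPOOFED_SRC_REPLY passes dst-mac and only fails src-mac, which is why the text offers the parameters in combination. One caveat worth knowing before enabling ip validation: ZERO_SENDER_REQUEST is dropped, and a sender IP of 0.0.0.0 in a request is also what an RFC 5227 ARP probe looks like during duplicate-address detection, so hosts that probe before claiming an address will have those probes discarded.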
Ingress ARP packet priority
You can configure the priority of the ingress ARP packets to an optimum value that depends on your network configuration and traffic
volume. Ingress ARP packets have a default priority value of 4. At the default priority value, ingress ARP packets may get dropped
because of high traffic volume or non-ARP packets with higher priority values. This can cause devices to become unreachable. If the
ingress ARP packets have higher priority values than the default priority value, a high volume of ARP traffic may lead to drops in control
traffic. This may cause traffic loops in the network.
NOTE
You cannot change the priority of the ingress ARP packets on the management port.
Conguring the priority of ingress ARP packets
To congure the priority of ingress ARP packets, use the arp-internal-priority priority-value command in global conguration
mode.
Conguring IP parameters - Layer 3 switches
FastIron Ethernet Switch Layer 3 Routing
58 53-1003627-04