
Cisco Nexus 5500 Series - Ip Arp Inspection Validate

Cisco Nexus 5500 Series NX-OS Security Command Reference
OL-27883-02
Chapter I Commands
ip arp inspection validate
To enable additional Dynamic ARP Inspection (DAI) validation, use the ip arp inspection validate
command. To disable additional DAI, use the no form of this command.
ip arp inspection validate {dst-mac [ip] [src-mac]}
ip arp inspection validate {ip [dst-mac] [src-mac]}
ip arp inspection validate {src-mac [dst-mac] [ip]}
no ip arp inspection validate {dst-mac [ip] [src-mac]}
no ip arp inspection validate {ip [dst-mac] [src-mac]}
no ip arp inspection validate {src-mac [dst-mac] [ip]}
Syntax Description

dst-mac    (Optional) Enables validation of the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses. The device classifies packets with different MAC addresses as invalid and drops them.
ip         (Optional) Enables validation of the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. The device checks the sender IP addresses in all ARP requests and responses and checks the target IP addresses only in ARP responses.
src-mac    (Optional) Enables validation of the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses. The device classifies packets with different MAC addresses as invalid and drops them.

Command Default None

Command Modes Global configuration mode

Command History

Release        Modification
5.2(1)N1(1)    This command was introduced.

Usage Guidelines

Before you use this command, make sure that you enable Dynamic Host Configuration Protocol (DHCP) snooping on the switch by using the feature dhcp command.
You must specify at least one keyword. If you specify more than one keyword, the order is irrelevant.
When you enable source MAC validation, an ARP packet is considered valid only if the sender Ethernet address in the packet body is the same as the source Ethernet address in the ARP frame header. When you enable destination MAC validation, an ARP request frame is considered valid only if the target Ethernet address is the same as the destination Ethernet address in the ARP frame header.
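The three validations can be modeled offline to see which frames each keyword rejects. The following Python sketch is an added example, not Cisco code and not part of the original manual; the function names, the "malformed" result and the sample frames are assumptions, it handles untagged Ethernet II frames only, and it applies dst-mac to ARP responses as the Syntax Description states.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ALL_CHECKS = frozenset({"src-mac", "dst-mac", "ip"})

def mac(text):
    """'02:00:00:00:00:0a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build an untagged Ethernet II frame carrying an IPv4 ARP packet (sample-data helper)."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp

def bad_ip(raw):
    """True for 0.0.0.0, 255.255.255.255 and any IPv4 multicast address."""
    ip = ipaddress.IPv4Address(raw)
    return int(ip) in (0, 0xFFFFFFFF) or ip.is_multicast

def failed_checks(frame, enabled=ALL_CHECKS):
    """Return the enabled validations this frame fails; an empty list means it passes."""
    if len(frame) < 42:
        return ["malformed"]
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["malformed"]
    failed = []
    # src-mac: Ethernet source vs. ARP sender MAC, for requests and responses.
    if "src-mac" in enabled and op in (ARP_REQUEST, ARP_REPLY) and eth_src != sha:
        failed.append("src-mac")
    # dst-mac: Ethernet destination vs. ARP target MAC, for responses only.
    if "dst-mac" in enabled and op == ARP_REPLY and eth_dst != tha:
        failed.append("dst-mac")
    # ip: sender IP is always checked; target IP only in responses.
    if "ip" in enabled and (bad_ip(spa) or (op == ARP_REPLY and bad_ip(tpa))):
        failed.append("ip")
    return failed

# Constructed sample frames (documentation IP range, locally administered MACs).
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
GOOD_REPLY = build_frame(B, A, ARP_REPLY, A, "192.0.2.10", B, "192.0.2.20")
SPOOFED_REPLY = build_frame(B, C, ARP_REPLY, A, "192.0.2.10", B, "192.0.2.20")
REQUEST = build_frame("ff:ff:ff:ff:ff:ff", A, ARP_REQUEST, A, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.20")
```

SPOOFED_REPLY claims sender MAC A in the ARP body while leaving the wire from MAC C, so it passes unless src-mac is among the enabled keywords.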
