ip arp inspection validate
To enable additional Dynamic ARP Inspection (DAI) validation, use the ip arp inspection validate command.
To disable additional DAI, use the no form of this command.
ip arp inspection validate {dst-mac [ip] [src-mac]}
ip arp inspection validate {[dst-mac] ip [src-mac]}
ip arp inspection validate {[dst-mac] [ip] src-mac}
no ip arp inspection validate {dst-mac [ip] [src-mac]}
no ip arp inspection validate {[dst-mac] ip [src-mac]}
no ip arp inspection validate {[dst-mac] [ip] src-mac}
Syntax Description
(Optional) Enables validation of the destination MAC
address in the Ethernet header against the target MAC
address in the ARP body for ARP responses. The
device classifies packets with different MAC
addresses as invalid and drops them.
dst-mac
(Optional) Enables validation of the ARP body for
invalid and unexpected IP addresses. Addresses
include 0.0.0.0, 255.255.255.255, and all IP multicast
addresses. The device checks the sender IP addresses
in all ARP requests and responses, and checks the
target IP addresses only in ARP responses.
ip
(Optional) Enables validation of the source MAC
address in the Ethernet header against the sender
MAC address in the ARP body for ARP requests and
responses. The devices classifies packets with
different MAC addresses as invalid and drops them.
src-mac
Command Default
None
Command Modes
Global configuration
Command History
ModificationRelease
This command was introduced.4.0(1)
Cisco Nexus 7000 Series Security Command Reference
385
I Commands
ip arp inspection validate
To Next Page
Loading...
