Security
Dynamic ARP Inspection
Cisco 500 Series Stackable Managed Switch Administration Guide Release 1.3 420
20
• If a packet is valid, it is forwarded and the ARP cache is updated.
If the ARP Packet Validation option is selected (Properties page), the following
additional validation checks are performed:
• Source MAC — Compares the packet’s source MAC address in the
Ethernet header against the sender’s MAC address in the ARP request. This
check is performed on both ARP requests and responses.
• Destination MAC — Compares the packet’s destination MAC address in
the Ethernet header against the destination interface’s MAC address. This
check is performed for ARP responses.
• IP Addresses — Compares the ARP body for invalid and unexpected IP
addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP Multicast
addresses.
Packets with invalid ARP Inspection bindings are logged and dropped.
Up to 1024 entries can be defined in the ARP Access Control table.
Interaction Between ARP Inspection and DHCP Snooping
If DHCP Snooping is enabled, ARP Inspection uses the DHCP Snooping Binding
database in addition to the ARP access control rules. If DHCP Snooping is not
enabled, only the ARP access control rules are used.
ARP Defaults
ARP Defaults Table
Option Default State
Dynamic ARP Inspection Not enabled.
ARP Packet Validation Not enabled
ARP Inspection Enabled on
VLAN
Not enabled
Log Buffer Interval SYSLOG message generation for
dropped packets is enabled at 5
seconds interval
To Next Page
Loading...
