15-35
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Using VACLs in Your Network
ACL 'ACL4' successfully committed.
Dropping Packets Without Matching MAC Addresses

To drop the packets where the source Ethernet MAC address (in the Ethernet header) is not the same as the source MAC address in the ARP header, perform this task in privileged mode. If you do not specify the drop keyword, the packet is not dropped but a syslog message is displayed. Use the log keyword to send the packets to the VACL logging facility.

        Task                                              Command
Step 1  Identify or drop the packets without the          set security acl arp-inspection match-mac
        matching MAC addresses.                           {enable [drop [log]] | disable}
Step 2  Commit the VACL.                                  commit security acl {acl_name | all | adjacency}
Step 3  Display the configuration.                        show security acl arp-inspection config

Tip  In most cases, using the match-mac clause to prevent ARP spoofing does not negate the need to create a specific ARP-inspection ACL for each VLAN. The match-mac clause does not catch the more sophisticated ARP table attacks. Most ARP spoofers change the source MAC address in the Ethernet header to match the address in the ARP payload.

This example shows how to drop the packets where the source Ethernet MAC address is not the same as the source MAC address in the ARP header:

Console> (enable) set security acl arp-inspection match-mac enable drop
ARP Inspection match-mac feature enabled with drop option.
Console> (enable)
Console> (enable) show security acl arp-inspection config
Match-mac feature is enabled with drop option.
Address-validation feature is disabled.
Dynamic ARP Inspection is disabled on vlan(s) 1.
Dynamic ARP Inspection is disabled on ports 5/1-48,7/1-2.
Logging for Dynamic ARP Inspection rules is disabled.
Console> (enable)

Dropping Packets with Invalid MAC or IP Addresses

The following MAC addresses are invalid:
- 00-00-00-00-00-00
- Multicast MAC addresses (the 48th bit is set)
- ff-ff-ff-ff-ff-ff (this is a special-case multicast MAC address)

The following IP addresses are invalid:
- 0.0.0.0
- 255.255.255.255
- Class D (multicast) IP addresses
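The following Python is an added illustration of the two checks this page describes (match-mac and the invalid MAC/IP address list); it is not Cisco code and does not reproduce CatOS internals. It parses a raw Ethernet/ARP frame, compares the Ethernet source MAC with the ARP sender MAC, and flags the addresses the page lists as invalid, returning "drop" or "log" depending on whether the drop keyword would have been set. The function names, the sample frames, and the assumption that address validation covers the sender fields always and the target fields only on replies are all my own; the manual does not say which ARP fields the feature examines.

```python
import ipaddress
import struct

# Added example, not Cisco code: a host-side model of the two ARP-inspection
# checks described on this page. The frames built below are constructed test
# data, not captures.

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(mac: bytes) -> str:
    """Format six raw bytes in the manual's dashed notation, e.g. 00-00-00-00-00-00."""
    return "-".join(f"{b:02x}" for b in mac)


def parse_arp_frame(frame: bytes):
    """Return the Ethernet and ARP fields of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": eth_src, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def invalid_mac_reason(mac: bytes):
    """The invalid MAC addresses listed on the page; None means the address is acceptable."""
    if mac == b"\x00" * 6:
        return "all-zero MAC"
    if mac == b"\xff" * 6:
        return "broadcast MAC ff-ff-ff-ff-ff-ff"
    if mac[0] & 0x01:  # I/G bit of the first octet set: a group (multicast) address
        return "multicast MAC"
    return None


def invalid_ip_reason(ip: bytes):
    """The invalid IP addresses listed on the page; None means the address is acceptable."""
    addr = ipaddress.IPv4Address(ip)
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return "0.0.0.0"  # caveat: RFC 5227 ARP probes legitimately carry this sender IP
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "255.255.255.255"
    if addr.is_multicast:
        return "class D (multicast) IP"
    return None


def inspect_arp(frame: bytes, drop: bool = True):
    """Apply match-mac and address validation; return (verdict, reasons).

    verdict is "permit" (no finding), "drop" (finding and the drop keyword is set)
    or "log" (finding without drop: the page says the packet is only logged).
    Assumption: the sender MAC/IP pair is checked on every ARP packet and the
    target pair only on replies (the page does not name the fields).
    """
    pkt = parse_arp_frame(frame)
    if pkt is None:
        return "permit", []  # not an IPv4 ARP frame: outside this model's scope
    reasons = []
    if pkt["eth_src"] != pkt["sha"]:
        reasons.append(f"match-mac: Ethernet source {mac_str(pkt['eth_src'])} "
                       f"!= ARP sender {mac_str(pkt['sha'])}")
    pairs = [("sender", pkt["sha"], pkt["spa"])]
    if pkt["op"] == ARP_REPLY:
        pairs.append(("target", pkt["tha"], pkt["tpa"]))
    for label, mac, ip in pairs:
        for reason in (invalid_mac_reason(mac), invalid_ip_reason(ip)):
            if reason:
                reasons.append(f"address-validation: invalid {label} address ({reason})")
    if not reasons:
        return "permit", []
    return ("drop" if drop else "log"), reasons


def build_arp(eth_src, sha, spa, tpa, op=1, tha=b"\x00" * 6):
    """Construct a broadcast ARP frame for the samples below (test data, not a capture)."""
    eth = ETH_HDR.pack(b"\xff" * 6, eth_src, ETHERTYPE_ARP)
    return eth + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


HOST_A = bytes.fromhex("0011223344aa")  # constructed sample MACs
HOST_B = bytes.fromhex("0011223344bb")
GOOD_FRAME = build_arp(HOST_A, HOST_A, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
SPOOF_FRAME = build_arp(HOST_A, HOST_B, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # headers disagree
MCAST_FRAME = build_arp(bytes.fromhex("01005e000001"), bytes.fromhex("01005e000001"),
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # multicast sender MAC

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("spoof", SPOOF_FRAME), ("mcast", MCAST_FRAME)):
        verdict, reasons = inspect_arp(frame)
        print(name, verdict, reasons)
```

Run stand-alone, the script permits the consistent frame, drops the frame whose Ethernet and ARP sender MACs differ, and drops the frame with a multicast sender MAC even though its two headers agree, which is the case the Tip above warns the match-mac clause alone cannot see. Calling inspect_arp(frame, drop=False) returns "log" instead of "drop", mirroring the behaviour the page describes when the drop keyword is omitted.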