User Manual UMN:CLI
V8102
To display a registered ARP alias, use the following command.
Shows a registered ARP alias.
8.1.4 ARP Inspection
ARP provides IP communication by mapping an IP address to a MAC address. However, a
malicious user can attack the ARP caches of systems by intercepting traffic intended for
other hosts on the subnet. For example, Host B generates a broadcast message for all hosts
within the broadcast domain to obtain the MAC address associated with the IP address of
Host A. If Host C responds with the IP address of Host A (or B) and the MAC address of
Host C, Host A and Host B can use Host C's MAC address as the destination MAC address
for traffic intended for Host A and Host B.
ARP inspection is a security feature that validates ARP packets in a network. It intercepts
and discards ARP packets with invalid IP-MAC address binding.
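The validation described above, applied to the Host A/B/C scenario, as an added example that is not taken from the manual or the switch firmware. The binding table, addresses and helper names are constructed assumptions; the manual does not say how the switch obtains its bindings.

```python
import socket
import struct

# Constructed addresses for the manual's Host A, B and C (assumed values).
A_IP, A_MAC = "192.0.2.10", "00:00:5e:00:53:0a"
B_IP, B_MAC = "192.0.2.11", "00:00:5e:00:53:0b"
C_IP, C_MAC = "192.0.2.12", "00:00:5e:00:53:0c"
BINDINGS = {A_IP: A_MAC, B_IP: B_MAC, C_IP: C_MAC}  # assumed trusted IP-MAC table

# Ethernet/IPv4 ARP payload: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload (oper 1 = request, 2 = reply)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), socket.inet_aton(spa),
                       mac_bytes(tha), socket.inet_aton(tpa))


def inspect(payload, bindings=BINDINGS):
    """Return 'forward' if the sender IP-MAC pair matches a binding, else 'discard'."""
    if len(payload) < ARP_LEN:
        return "discard"  # truncated packet
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return "discard"  # not a well-formed Ethernet/IPv4 ARP request or reply
    # An unknown sender IP yields None, which never equals a MAC string.
    return "forward" if bindings.get(socket.inet_ntoa(spa)) == mac_str(sha) else "discard"


# Constructed packets: B's broadcast request, A's genuine reply, C's forged reply.
HOST_B_REQUEST = build_arp(1, B_MAC, B_IP, "00:00:00:00:00:00", A_IP)
HOST_A_REPLY = build_arp(2, A_MAC, A_IP, B_MAC, B_IP)
HOST_C_SPOOF = build_arp(2, C_MAC, A_IP, B_MAC, B_IP)  # A's IP with C's MAC

if __name__ == "__main__":
    for name in ("HOST_B_REQUEST", "HOST_A_REPLY", "HOST_C_SPOOF"):
        print(name, inspect(globals()[name]))
```
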
To enable/disable ARP inspection, use the following command.
ip arp inspection vlan VLANS
    Enables ARP inspection on a specified VLAN.
    VLANS: VLAN name
no ip arp inspection vlan VLANS
    Disables ARP inspection on a specified VLAN.
8.1.4.1 ARP Access List
You can exclude a given range of IP addresses from ARP inspection using ARP access
lists. ARP access lists are created with the arp access-list command in Global
Configuration mode. An ARP access list permits or denies the ARP packets of a given
range of IP addresses.
To create/delete an ARP access list (ACL), use the following command.
Opens ARP ACL configuration mode and creates an ARP access list.
NAME: ARP access list name
Deletes an ARP access list.
After opening ARP Access List Configuration mode, the prompt changes from
SWITCH(config)# to SWITCH(config-arp-acl[NAME])#. After opening ARP ACL Configuration
mode, a range of IP addresses can be configured to apply ARP inspection.
By default, ARP Access List discards the ARP packets of all IP addresses and MAC
addresses.