ELTEX MES3108 - 5.24.5 ARP management (ARP Inspection)

ELTEX MES3108
243 pages
MES3000 Ethernet switch series 185
Enable the IP address protection function to filter traffic based on the DHCP Snooping match table and IP Source Guard static matches. Create a static record in the match table for Ethernet interface 12: client IP address 192.168.16.14, MAC address 00:60:70:4A:AB:AF. The interface is in the 3rd VLAN group:
console# configure
console(config)# ip dhcp snooping
console(config)# ip source-guard
console(config)# ip source-guard binding 0060.704A.ABAF 3 192.168.16.14 gigabitethernet 1/0/12
5.24.5 ARP management (ARP Inspection)
ARP management (ARP Inspection) protects against attacks carried out via ARP (e.g. ARP spoofing, the interception of ARP traffic). ARP management is based on the static IP and MAC address matches defined for a VLAN group.
A port configured as untrusted for ARP Inspection should also be untrusted for DHCP Snooping, and the MAC and IP address match for this port should be configured statically. Otherwise, the port will not respond to ARP requests.
For untrusted ports, IP and MAC address match verification is performed.
Global configuration mode commands
The command line prompt in global configuration mode appears as follows:
console(config)#
Table 5.221 Global configuration mode commands

| Command | Value/Default value | Action |
|---|---|---|
| ip arp inspection | Function is disabled by default. | Enable ARP management (ARP Inspection function). |
| no ip arp inspection | | Disable ARP management (ARP Inspection function). |
| ip arp inspection vlan vlan_id | vlan_id: (1..4094). Function is disabled by default. | Enable ARP Inspection based on DHCP Snooping match database in the selected VLAN group. |
| no ip arp inspection vlan vlan_id | | Disable ARP Inspection based on DHCP Snooping match database in the selected VLAN group. |
| ip arp inspection validate | - | Enable specific checks for ARP management. Source MAC address: for ARP requests and responses, the MAC address in the Ethernet header is compared to the source address in the ARP content to check if they match. Destination MAC address: for ARP responses, the MAC address in the Ethernet header is compared to the destination address in the ARP content to check if they match. IP address: ARP packet content is checked for incorrect IP addresses. |
| no ip arp inspection validate | | Disable specific checks for ARP management. |
| ip arp inspection list create name | List name: 1..32 characters | 1. Create static ARP match list. 2. Enter the ARP list configuration mode. |
| no ip arp inspection list create name | | Remove static ARP match list. |
| ip arp inspection list assign vlan_id name | vlan_id: (1..4094) | Assign static ARP match list for the selected VLAN. |
| no ip arp inspection list assign vlan_id | | Cancel static ARP match list assignment for the selected VLAN. |
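
The checks enabled by ip arp inspection validate, together with the IP and MAC match verification for untrusted ports, modelled in Python over constructed frames. This is an added example, not code from the manual or the switch firmware. All function and constant names are hypothetical, and treating 0.0.0.0, 255.255.255.255 and multicast as "incorrect" IP addresses (with the target IP checked only in responses) is an assumption.

```python
import ipaddress
import struct

# Static match from the page's IP Source Guard example (sender IP -> MAC), one VLAN.
BINDINGS = {"192.168.16.14": "00:60:70:4a:ab:af"}

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Construct an Ethernet II + ARP frame (op 1 = request, 2 = response)."""
    spa_b, tpa_b = (ipaddress.IPv4Address(a).packed for a in (spa, tpa))
    return (mac_bytes(eth_dst) + mac_bytes(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + spa_b + mac_bytes(tha) + tpa_b)

def bad_ip(packed):
    # Assumption: "incorrect" means 0.0.0.0, 255.255.255.255 or multicast.
    addr = ipaddress.IPv4Address(packed)
    return addr.is_unspecified or addr.is_multicast or int(addr) == 0xFFFFFFFF

def inspect_arp(frame, bindings=BINDINGS):
    """Return the names of failed checks; an empty list means the frame passes."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return ["not-arp"]
    eth_dst, eth_src = frame[0:6], frame[6:12]
    op = struct.unpack("!H", frame[20:22])[0]
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    failed = []
    if eth_src != sha:                        # source MAC: requests and responses
        failed.append("src-mac")
    if op == 2 and eth_dst != tha:            # destination MAC: responses only
        failed.append("dst-mac")
    if bad_ip(spa) or (op == 2 and bad_ip(tpa)):
        failed.append("ip")
    bound = bindings.get(str(ipaddress.IPv4Address(spa)))
    if bound is None or mac_bytes(bound) != sha:   # IP/MAC match, untrusted port
        failed.append("binding")
    return failed

# Constructed sample frames (not captures); GW and OTHER are made-up addresses.
HOST, GW, OTHER = "00:60:70:4a:ab:af", "00:11:22:33:44:55", "02:00:00:00:00:99"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
GOOD_REQUEST = build_arp(HOST, BCAST, 1, HOST, "192.168.16.14", ZERO, "192.168.16.1")
GOOD_REPLY = build_arp(HOST, GW, 2, HOST, "192.168.16.14", GW, "192.168.16.1")
SPOOFED_REPLY = build_arp(HOST, GW, 2, OTHER, "192.168.16.14", GW, "192.168.16.1")
BAD_TARGET_MAC = build_arp(HOST, GW, 2, HOST, "192.168.16.14", OTHER, "192.168.16.1")
MULTICAST_SENDER = build_arp(HOST, BCAST, 1, HOST, "224.0.0.1", ZERO, "192.168.16.1")
```

A frame whose sender IP has no static or DHCP Snooping match fails the binding check even when its headers are consistent, which is the behaviour the note above describes for an untrusted port without a configured match.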