To Next Page

To Previous Page

set arpinspection validate

17-22 DHCP Snooping and Dynamic ARP Inspection

Usage

Individualinterfacesareconfiguredastrustedoruntrusted.ThetrustconfigurationforDAIis

independentofthetrustconfigurationforDHCPsnooping.Atrustedportisaportthenetwork

administratordoesnotconsidertobeasecuritythreat.Anuntrustedportisonewhichcould

potentiallybeusedtolaunch

anetworkattack.

DAIconsidersallphysicalportsandLAGsuntrustedbydefault.Packetsarrivingontrusted

interfacesbypassallDAIvalidationchecks.

Example

Thisexampleenablesportge.1.1astrustedforDAI.

B5(su)->set arpinspection trust port ge.1.1 enable

set arpinspection validate

UsethiscommandtoconfigureadditionaloptionalARPvalidationparameters.

Syntax

set arpinspection validate {[src-mac] [dst-mac] [ip]}

Parameters

Defaults

Allparametersareoptional,butatleastoneparametermustbespecified.

Mode

Switchcommand,read‐write.

Usage

ThiscommandaddsadditionalvalidationofARPpacketsbyDAI,beyondthebasicvalidation

thattheARPpacket’ssenderMACaddressandsenderIPaddressmatchanentryintheDHCP

snoopingbindingsdatabase.

src‐mac SpecifiesthatDAIshouldverifythatthe senderMACaddressequals

thesourceMACaddressin

theEthernetheader.

dst‐mac SpecifiesthatDAIshouldverifythatthetargetMACaddressequalsthe

destinationMACaddressintheEthernetheader.

ThischeckonlyappliestoARPresponses,sincethetargetMACaddress

isunspecifiedinARPrequests.

ip SpecifiesthatDAIshouldchecktheIPaddressanddropARP

packets

withaninvalidaddress.Aninvalidaddressisoneofthefollowing:

• 0.0.0.0

• 255.255.255.255

• All IP multicast addresses

• All class E addresses (240.0.0.0/4)

• Loopback addresses (in the range 127.0.0.0/8)

Enterasys b5 User Manual

Questions and Answers: