The Address Resolution Protocol (ARP) inspection command ip arp inspection vlan enables a security feature that protects the network from ARP spoofing. On the specified VLANs, ARP requests and responses arriving on untrusted interfaces are intercepted, and each intercepted packet is verified to have a valid IP-MAC address binding. All invalid ARP packets are dropped. On trusted interfaces, all incoming ARP packets are processed and forwarded without verification. By default, ARP inspection is disabled on all VLANs.

Examples
When an invalid ARP packet is dropped, the following syslog message appears. The log severity level can be set higher if required.

The command show ip arp inspection vlan displays the configuration and operation state of ARP inspection. For a VLAN range specified with show ip arp inspection vlan, only VLANs with ARP inspection enabled are displayed. If no VLAN is specified, all VLANs with ARP inspection enabled are displayed. The operation state changes to Active when the hardware is ready to trap ARP packets for inspection.

Example

This command displays the configuration and operation state of ARP inspection for VLANs 1 through 150.

    switch(config)#show ip arp inspection vlan 1 - 150
    VLAN 1
    ----------
    Configuration   : Enabled
    Operation State : Active
    VLAN 2
    ----------
    Configuration   : Enabled
    Operation State : Active
    {...}
    VLAN 150
    ----------
    Configuration   : Enabled
    Operation State : Active
    switch(config)#

The command show ip arp inspection statistics displays the statistics of inspected ARP packets. For a VLAN specified with show ip arp inspection vlan, only VLANs with ARP inspection enabled are displayed. If no VLAN is specified, all VLANs with ARP inspection enabled are displayed. The command clear arp inspection statistics clears the ARP inspection statistics.

Examples
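As an added example (not part of the original documentation), the following Python parses output in the show ip arp inspection vlan format above and reports VLANs whose Configuration is Enabled but whose Operation State has not yet reached Active, i.e. VLANs where the hardware is not yet trapping ARP packets for inspection. The sample output is constructed, and the "Inactive" state string in it is an assumption; the check treats any value other than Active as not active.

```python
import re
from typing import Dict, List

# Constructed sample in the 'show ip arp inspection vlan' format (not captured from a
# real switch). VLAN 2 is deliberately shown as configured but not yet Active; the
# exact non-active state string is an assumption.
SAMPLE_OUTPUT = """\
switch(config)#show ip arp inspection vlan 1 - 3
VLAN 1
----------
Configuration : Enabled
Operation State : Active
VLAN 2
----------
Configuration : Enabled
Operation State : Inactive
VLAN 3
----------
Configuration : Enabled
Operation State : Active
switch(config)#
"""

VLAN_RE = re.compile(r"^VLAN\s+(\d+)\s*$")
FIELD_RE = re.compile(r"^(Configuration|Operation State)\s*:\s*(\S+)\s*$")


def parse_arp_inspection_vlans(text: str) -> Dict[int, Dict[str, str]]:
    """Parse show output into {vlan_id: {"Configuration": ..., "Operation State": ...}}."""
    result: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VLAN_RE.match(line)
        if m:                      # start of a new per-VLAN section
            current = int(m.group(1))
            result[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2)
    return result


def vlans_not_active(text: str) -> List[int]:
    """VLANs configured Enabled whose hardware is not yet trapping ARP for inspection."""
    parsed = parse_arp_inspection_vlans(text)
    return sorted(v for v, f in parsed.items()
                  if f.get("Configuration") == "Enabled" and f.get("Operation State") != "Active")


if __name__ == "__main__":
    print("VLANs enabled but not Active:", vlans_not_active(SAMPLE_OUTPUT))
```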
By default, all interfaces are untrusted. The command ip arp inspection trust configures the trust state of an interface.

Examples
When ARP inspection is enabled, ARP packets are trapped to the CPU. Two actions can be taken when the incoming ARP rate exceeds the expected rate. For notification purposes, the command ip arp inspection logging enables logging of the incoming ARP packets. To prevent a denial-of-service attack, the command ip arp inspection limit error-disables the interface.

Examples
If the incoming ARP packet rate on an interface exceeds the configured rate limit within the burst interval, the interface is errdisabled (by default). Once errdisabled, the interface stays in this state until you intervene with the command errdisable detect cause arp-inspection (e.g., after you perform a shutdown or no shutdown of the interface) or until it automatically recovers after a certain time period. The command errdisable recovery cause arp-inspection enables auto recovery. The command errdisable recovery interval sets the auto recovery interval, which is shared among all errdisabled interfaces. (See the chapter Data Transfer Introduction for information on all errdisable commands.)

Examples
The ARP inspection command ip source binding allows users to add static IP-MAC bindings. If enabled, ARP inspection verifies incoming ARP packets against the configured IP-MAC bindings. Static IP-MAC binding entries can only be configured on Layer 2 ports. By default, there are no binding entries on the system.

Examples