
The Address Resolution Protocol (ARP) inspection command ip arp inspection vlan activates a security feature that protects the network from ARP spoofing. On the specified VLANs, ARP requests and responses arriving on untrusted interfaces are intercepted and verified to carry valid IP-MAC address bindings; every invalid ARP packet is dropped. On trusted interfaces, all incoming ARP packets are processed and forwarded without verification.

By default, ARP inspection is disabled on all VLANs.

Examples

  • This command enables ARP inspection on VLANs 1 through 150.

        switch(config)#ip arp inspection vlan 1 - 150
        switch(config)#

  • This command disables ARP inspection on VLANs 1 through 150.

        switch(config)#no ip arp inspection vlan 1 - 150
        switch(config)#

  • This command restores the default ARP inspection setting (disabled) on VLANs 1 through 150.

        switch(config)#default ip arp inspection vlan 1 - 150
        switch(config)#

  • This command enables ARP inspection on two VLAN ranges, 1 through 150 and 200 through 250.

        switch(config)#ip arp inspection vlan 1-150,200-250
        switch(config)#

When an invalid ARP packet is dropped, the following syslog message appears. The log severity level can be set higher if required.

%SECURITY-4-ARP_PACKET_DROPPED: Dropped ARP packet on interface Ethernet28/1 Vlan 2121 because invalid mac and ip binding. Received: 00:0a:00:bc:00:de/1.1.1.1.
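As an added example (not part of the original documentation), the following Python parses syslog lines carrying the message shown above and groups the drops per interface and VLAN, listing the IP addresses each MAC claimed; the syslog prefix, the alert threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the EOS drop message quoted above; the surrounding syslog prefix is ignored.
DROP_RE = re.compile(
    r"%SECURITY-4-ARP_PACKET_DROPPED: Dropped ARP packet on interface (?P<intf>\S+) "
    r"Vlan (?P<vlan>\d+) because invalid mac and ip binding\. "
    r"Received: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.",
    re.IGNORECASE,
)

def parse_drop(line):
    """Return the drop's fields as a dict, or None if the line is not a DAI drop."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    return {"intf": m["intf"], "vlan": int(m["vlan"]),
            "mac": m["mac"].lower(), "ip": m["ip"]}

def summarize(lines, threshold=3):
    """Count drops per (interface, VLAN) and, for ports at or above the threshold,
    list the IPs each MAC claimed there: one MAC cycling through many IPs is the
    typical footprint of ARP spoofing, a misconfigured static host shows one IP."""
    drops = Counter()
    claimed = defaultdict(set)            # (intf, vlan, mac) -> set of claimed IPs
    for line in lines:
        d = parse_drop(line)
        if d is None:
            continue
        drops[(d["intf"], d["vlan"])] += 1
        claimed[(d["intf"], d["vlan"], d["mac"])].add(d["ip"])
    alerts = {}
    for (intf, vlan), n in drops.items():
        if n >= threshold:
            macs = {mac: sorted(ips) for (i, v, mac), ips in claimed.items()
                    if (i, v) == (intf, vlan)}
            alerts[(intf, vlan)] = {"drops": n, "macs": macs}
    return alerts

# Constructed sample log lines (syslog prefix and threshold are arbitrary), not real captures.
MSG = "%SECURITY-4-ARP_PACKET_DROPPED: Dropped ARP packet on interface {} Vlan {} because invalid mac and ip binding. Received: {}/{}."
SAMPLE_LOG = [
    "Jan  1 10:20:30 sw1 Arp: " + MSG.format("Ethernet28/1", 2121, "00:0a:00:bc:00:de", "1.1.1.1"),
    "Jan  1 10:20:31 sw1 Arp: " + MSG.format("Ethernet28/1", 2121, "00:0a:00:bc:00:de", "1.1.1.2"),
    "Jan  1 10:20:31 sw1 Stp: %EXAMPLE-6-UNRELATED: constructed noise line",
    "Jan  1 10:20:32 sw1 Arp: " + MSG.format("Ethernet28/1", 2121, "00:0a:00:bc:00:de", "1.1.1.3"),
    "Jan  1 10:20:33 sw1 Arp: " + MSG.format("Ethernet3/1", 10, "00:01:00:01:00:01", "10.0.0.9"),
]
```

Calling summarize(SAMPLE_LOG) flags only Ethernet28/1 on VLAN 2121, where one MAC claimed three different IPs; the single drop on Ethernet3/1 stays below the threshold.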

The command show ip arp inspection vlan displays the configuration and operation state of ARP inspection. For a VLAN range specified with show ip arp inspection vlan, only VLANs with ARP inspection enabled are displayed. If no VLAN is specified, all VLANs with ARP inspection enabled are displayed. The operation state turns to Active when the hardware is ready to trap ARP packets for inspection.

Example

This command displays the configuration and operation state of ARP inspection for VLANs 1 through 150.

    switch(config)#show ip arp inspection vlan 1 - 150
    VLAN 1
    ----------
    Configuration   : Enabled
    Operation State : Active
    VLAN 2
    ----------
    Configuration   : Enabled
    Operation State : Active
    {...}
    VLAN 150
    ----------
    Configuration   : Enabled
    Operation State : Active
    switch(config)#

The command show ip arp inspection statistics displays the statistics of inspected ARP packets. For a VLAN specified with show ip arp inspection statistics vlan, only VLANs with ARP inspection enabled are displayed. If no VLAN is specified, all VLANs with ARP inspection enabled are displayed.

The command clear arp inspection statistics clears the ARP inspection statistics.

Examples

  • This command displays ARP inspection statistics for VLAN 2.

        switch(config)#show ip arp inspection statistics vlan 2
        Vlan : 2
        ------------
        ARP Req Forwarded = 20
        ARP Res Forwarded = 20
        ARP Req Dropped = 1
        ARP Res Dropped = 1
        Last invalid ARP:
          Time: 10:20:30 ( 5 minutes ago )
          Reason: Bad IP/Mac match
          Received on: Ethernet 3/1
          Packet:
            Source MAC: 00:01:00:01:00:01
            Dest MAC: 00:02:00:02:00:02
            ARP Type: Request
            ARP Sender MAC: 00:01:00:01:00:01
            ARP Sender IP: 1.1.1
        switch(config)#

  • This command displays ARP inspection statistics for Ethernet interface 3/1.

        switch(config)#show ip arp inspection statistics ethernet interface 3/1
        Interface : 3/1
        --------
        ARP Req Forwarded = 10
        ARP Res Forwarded = 10
        ARP Req Dropped = 1
        ARP Res Dropped = 1
        Last invalid ARP:
          Time: 10:20:30 ( 5 minutes ago )
          Reason: Bad IP/Mac match
          Received on: VLAN 10
          Packet:
            Source MAC: 00:01:00:01:00:01
            Dest MAC: 00:02:00:02:00:02
            ARP Type: Request
            ARP Sender MAC: 00:01:00:01:00:01
            ARP Sender IP: 1.1.1
        switch(config)#

  • This command clears the ARP inspection statistics.

        switch(config)#clear arp inspection statistics
        switch(config)#

By default, all interfaces are untrusted. The command ip arp inspection trust configures the trust state of an interface.

Examples

  • This command configures the trust state of an interface to trusted.

        switch(config)#ip arp inspection trust
        switch(config)#

  • This command configures the trust state of an interface to untrusted.

        switch(config)#no ip arp inspection trust
        switch(config)#

  • This command restores the trust state of an interface to its default (untrusted).

        switch(config)#default ip arp inspection trust
        switch(config)#

When ARP inspection is enabled, ARP packets are trapped to the CPU. Two actions can be taken when the incoming ARP rate exceeds the configured threshold. For notification purposes, the command ip arp inspection logging enables logging of the incoming ARP packets. To prevent a denial-of-service attack against the CPU, the command ip arp inspection limit error-disables the offending interface.

Examples

  • This command enables logging of incoming ARP packets when their rate exceeds the configured value, sets the rate to 2048 (the upper limit for the number of ARP packets allowed per second), and sets the burst interval (the consecutive period over which the interface is monitored for a high ARP rate) to 15 seconds.

        switch(config)#ip arp inspection logging rate 2048 burst interval 15
        switch(config)#

  • This command configures the rate limit of incoming ARP packets so that the interface is errdisabled when the incoming ARP rate exceeds the configured value, sets the rate to 512 (the upper limit for the number of ARP packets allowed per second), and sets the burst interval (the consecutive period over which the interface is monitored for a high ARP rate) to 11 seconds.

        switch(config)#ip arp inspection limit rate 512 burst interval 11
        switch(config)#

  • These commands configure two interfaces and display the resulting interface-specific configuration.

        switch(config)#interface Ethernet 3 / 1
        switch(config)#ip arp inspection limit rate 20 burst interval 5
        switch(config)#interface Ethernet 3 / 3
        switch(config)#ip arp inspection trust
        switch(config)#show ip arp inspection interfaces
        Interface      Trust State  Rate (pps) Burst Interval
        -------------  -----------  ---------- --------------
        Et3/1          Untrusted    20         5
        Et3/3          Trusted      None       N/A
        switch(config)#

If the incoming ARP packet rate on an interface exceeds the configured rate limit within the burst interval, the interface is errdisabled (by default). An errdisabled interface stays in this state until you intervene manually (e.g., by performing a shutdown and no shutdown of the interface) or until it recovers automatically after a configured time period. The command errdisable detect cause arp-inspection enables errdisable on ARP inspection violations. The command errdisable recovery cause arp-inspection enables auto recovery. The command errdisable recovery interval sets the auto recovery interval shared among all errdisabled interfaces. (See the chapter Data Transfer Introduction for information on all errdisable commands.)

Examples

  • This command enables errdisable caused by an ARP inspection violation.

        switch(config)#errdisable detect cause arp-inspection
        switch(config)#

  • This command disables errdisable caused by an ARP inspection violation.

        switch(config)#no errdisable detect cause arp-inspection
        switch(config)#

  • This command enables auto recovery.

        switch(config)#errdisable recovery cause arp-inspection
        switch(config)#

  • This command disables auto recovery.

        switch(config)#no errdisable recovery cause arp-inspection
        switch(config)#

  • This command enables sharing the auto recovery interval of 10 seconds among all errdisabled interfaces.

        switch(config)#errdisable recovery interval 10
        switch(config)#

  • This command disables sharing the auto recovery interval of 10 seconds among all errdisabled interfaces.

        switch(config)#no errdisable recovery interval 10
        switch(config)#

  • This command displays the reason for a port entering the errdisable state.

        switch(config)#show interfaces status errdisabled
        Port         Name         Status       Reason
        ------------ ------------ ------------ ---------------
        Et3/2                     errdisabled  arp-inspection
        switch(config)#

The ARP inspection command ip source binding allows users to add static IP-MAC bindings. When ARP inspection is enabled, it verifies incoming ARP packets against the configured IP-MAC bindings. A static IP-MAC binding entry can only be configured on Layer 2 ports. By default, there are no binding entries on the system.

Examples

  • This command configures a static IP-MAC binding for IP address 127.0.0.1, MAC address 0001.0001.0001, VLAN 1, and Ethernet interface slot 4, port 1.

        switch(config)#ip source binding 127.0.0.1 0001.0001.0001 vlan 1 interface ethernet 4/1
        switch(config)#

  • This command configures a static IP-MAC binding for IP address 127.0.0.1, MAC address 0001.0001.0001, VLAN 1, and port-channel interface 20.

        switch(config)#ip source binding 127.0.0.1 0001.0001.0001 vlan 1 interface port-channel 20
        switch(config)#

  • This command displays the configured IP-MAC binding entries. Note that the Lease column is mainly used for displaying dynamic DHCP snooping binding entries. For static binding entries, the lease time is shown as infinite.

        switch(config)#show ip source binding 127.0.0.1 0001.0001.0001 static vlan 1 interface port-channel 20
        MacAddress      IpAddress   Lease(sec)  Type   VLAN  Interface
        --------------- ----------- ----------- ------ ----- --------------
        0001.0001.0001  127.0.0.1   infinite    static 1     Port-Channel20
        switch(config)#
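To tie the rate-limit section and the static-binding section together, here is an added Python model (written for this page, not EOS code) of the inspection decisions described: trusted ports bypass the check, untrusted ports are validated against the configured bindings, and an untrusted port whose ARP rate exceeds the limit over the burst interval is errdisabled. The exact hardware semantics of "rate over burst interval" are assumed here to mean more than rate x burst_interval packets inside one window; the interface names, addresses and limits in demo() are constructed.

```python
from collections import Counter, deque

class ArpInspector:
    """Simplified model (an assumption, not EOS code) of the DAI decisions on this page: trusted
    ports bypass checks, untrusted ports are checked against static IP-MAC bindings, and an
    untrusted port exceeding rate * burst_interval ARP packets per window is errdisabled."""

    def __init__(self, vlans, trusted=(), limits=None):
        self.vlans = set(vlans)          # VLANs with 'ip arp inspection vlan'
        self.trusted = set(trusted)      # interfaces with 'ip arp inspection trust'
        self.limits = limits or {}       # intf -> (rate_pps, burst_interval_s) from 'ip arp inspection limit'
        self.bindings = {}               # (vlan, ip) -> (mac, intf) from 'ip source binding'
        self.errdisabled = set()
        self.stats = Counter()           # (vlan, 'Req'|'Res', 'Forwarded'|'Dropped'), as in the show output
        self._seen = {}                  # intf -> deque of packet timestamps in the current window

    def add_binding(self, ip, mac, vlan, intf):
        self.bindings[(vlan, ip)] = (mac.lower(), intf)

    def _over_limit(self, intf, now):
        rate, interval = self.limits.get(intf, (float("inf"), 1))   # no limit configured -> never
        window = self._seen.setdefault(intf, deque())
        window.append(now)
        while now - window[0] > interval:                           # slide the burst window
            window.popleft()
        return len(window) > rate * interval

    def inspect(self, intf, vlan, op, sender_mac, sender_ip, now=0.0):
        """Decide one ARP packet: 'forwarded', 'dropped' (Bad IP/Mac match) or 'errdisabled'."""
        if intf in self.errdisabled:
            return "errdisabled"             # stays down until errdisable recovery or shut/no shut
        if vlan not in self.vlans or intf in self.trusted:
            return "forwarded"               # not inspected on this VLAN or on a trusted port
        if self._over_limit(intf, now):
            self.errdisabled.add(intf)
            return "errdisabled"
        ok = self.bindings.get((vlan, sender_ip)) == (sender_mac.lower(), intf)
        self.stats[(vlan, op, "Forwarded" if ok else "Dropped")] += 1
        return "forwarded" if ok else "dropped"

def demo():
    dai = ArpInspector(vlans=[1], trusted=["Ethernet3/3"], limits={"Ethernet4/1": (2, 1)})  # constructed
    dai.add_binding("10.0.0.5", "0001.0001.0001", 1, "Ethernet4/1")
    results = [
        dai.inspect("Ethernet4/1", 1, "Req", "0001.0001.0001", "10.0.0.5", now=0.0),  # matches binding
        dai.inspect("Ethernet4/1", 1, "Res", "0002.0002.0002", "10.0.0.5", now=0.1),  # wrong MAC for IP
        dai.inspect("Ethernet3/3", 1, "Res", "0002.0002.0002", "10.0.0.5", now=0.2),  # trusted: unchecked
        dai.inspect("Ethernet4/1", 1, "Req", "0001.0001.0001", "10.0.0.5", now=0.3),  # 3 pkts in 1 s > 2 pps
    ]
    return results, dai
```

demo() returns ["forwarded", "dropped", "forwarded", "errdisabled"]: the spoofed response is dropped while the same frame on the trusted port passes, and the third packet within one second on the 2 pps port errdisables it.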
