Address Resolution Protocol (ARP) resolves an IP address into the MAC address of the destination host. It operates at layer 2 of the OSI model and stores the IP-address-to-MAC-address mappings in a lookup table, the ARP cache. ARP inspection is used to prevent ARP cache poisoning, which can allow unauthorized users to intercept and control network traffic.
This article explains how to configure ARP inspection on ESW2-350G switches.
Applicable devices:
• ESW2-350G
• ESW2-350G-DC
Software version:
• v1.2.6.28
Step 1. Log in to the web configuration utility and choose Security > ARP Inspection > Properties. The Properties page opens:
Step 2. At the ARP Inspection Status field, check Enable to enable the ARP inspection feature. This feature is disabled by default.
Note: The ARP inspection is performed only on untrusted interfaces. Packets from trusted interfaces are forwarded.
Step 3. At the ARP Packet Validation field, check Enable to enable the packet validation in ARP. This feature is disabled by default. If this field is checked, the following values are compared with the existing databases to prevent outsider attacks:
• Source MAC — The source MAC address of the packet in the Ethernet header is compared against the MAC address of the sender in the ARP request. This check is performed on both ARP requests and responses.
• Destination MAC — The destination MAC address of the packet in the Ethernet header is compared against the MAC address of the destination interface. This check is performed for ARP responses only.
• IP Addresses — The ARP data content is checked for invalid and unexpected IP addresses, namely 0.0.0.0, 255.255.255.255 and all IP multicast addresses.
Note: ARP inspection also uses the DHCP snooping binding database (if DHCP snooping is enabled) to cross-check the IP address of the packet, in addition to its access control rules. Refer to the article titled DHCP Snooping Binding Database Configuration on ESW2-350G Switches for more information.
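To make the three ARP Packet Validation checks concrete, the following added example (not the switch's own code) parses constructed Ethernet/ARP frames and reports which check each one fails. It assumes that the "MAC address of the destination interface" in the Destination MAC check is the target hardware address carried in the ARP body, and all frames and addresses are constructed test data.

```python
import struct

ETHERTYPE_ARP = 0x0806


def ip4(dotted: str) -> bytes:
    """Pack a dotted-quad string into 4 bytes."""
    return bytes(int(octet) for octet in dotted.split("."))


def ip_is_invalid(ip: bytes) -> bool:
    """IP Addresses check: 0.0.0.0, 255.255.255.255 or any IPv4 multicast (224.0.0.0/4)."""
    return ip == b"\x00" * 4 or ip == b"\xff" * 4 or (ip[0] & 0xF0) == 0xE0


def validate_arp_frame(frame: bytes) -> list:
    """Apply the ARP Packet Validation checks to one raw Ethernet frame.
    Returns the names of the failed checks; an empty list means the frame passes."""
    if len(frame) < 14 + 28:                       # Ethernet header + ARP for IPv4 over Ethernet
        return ["too-short"]
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return ["not-arp"]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["bad-arp-header"]
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    failures = []
    # Source MAC: Ethernet source vs. ARP sender hardware address (requests and replies).
    if eth_src != sha:
        failures.append("source-mac")
    # Destination MAC: Ethernet destination vs. ARP target hardware address (replies only),
    # because requests are broadcast with an all-zero target hardware address.
    if oper == 2 and eth_dst != tha:
        failures.append("destination-mac")
    # IP Addresses: reject invalid/unexpected sender or target protocol addresses.
    if ip_is_invalid(spa) or ip_is_invalid(tpa):
        failures.append("ip-address")
    return failures


def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Assemble a constructed Ethernet/ARP frame for testing (not captured traffic)."""
    eth = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa
    return eth + arp


# Constructed sample addresses and frames (RFC 5737 documentation range, made-up MACs).
HOST_A, HOST_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
SPOOF, BCAST, ZERO = bytes.fromhex("deadbeef0001"), b"\xff" * 6, b"\x00" * 6
GOOD_REQUEST = build_arp_frame(BCAST, HOST_A, 1, HOST_A, ip4("192.0.2.10"), ZERO, ip4("192.0.2.1"))
SPOOFED_REPLY = build_arp_frame(HOST_A, HOST_B, 2, SPOOF, ip4("192.0.2.1"), HOST_A, ip4("192.0.2.10"))
BAD_IP_REPLY = build_arp_frame(HOST_A, HOST_B, 2, HOST_B, ip4("224.0.0.1"), HOST_A, ip4("192.0.2.10"))
```

Running `validate_arp_frame` over the three constructed frames yields no failures for the request, a Source MAC failure for the reply whose ARP sender address disagrees with the Ethernet header, and an IP Addresses failure for the reply claiming a multicast sender.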
Step 4. At the Log Buffer Interval field, click one of the radio buttons:
• Retry Frequency — Enables SYSLOG messages to be sent for dropped packets. Enter the frequency with which the messages are sent. The default frequency is 5 seconds. The range is from 0 to 86400 seconds.
• Never — Disables SYSLOG dropped packet messages.
Step 5. Click Apply to make the changes. The settings are defined and the running configuration file is updated.