IP Addressing: DHCP Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 920 Series)
This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection). This feature helps prevent malicious attacks on the router by not relaying invalid ARP requests and responses to other bridge-domains.
Note
For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Note
The Cisco ASR 920 Series Router supports dynamic ARP inspection only on bridge-domains; other interfaces such as VLANs are not supported.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information,
see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module,
and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature
Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Dynamic ARP Inspection
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain receive the ARP request, and Host A responds with its MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.
A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. The figure below shows an example of ARP cache poisoning.
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the-middle attack.
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.
Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The router performs these activities:
Intercepts all ARP requests and responses on untrusted ports
Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
Drops invalid ARP packets
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the bridge-domains and on the router. If the ARP packet is received on a trusted interface, the router forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
You enable dynamic ARP inspection on a per-bridge-domain basis by using the ip arp inspection bridge-domain domain-id global configuration command.
In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses. You define an ARP ACL by using the arp access-list acl-name global configuration command. For configuration information, see the “Configuring ARP ACLs for Non-DHCP Environments” section. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section.
You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. For more information, see the “Performing Validation Checks (optional)” section.
Interface Trust States and Network Security
Dynamic ARP inspection associates a trust state with each interface on the router. Packets arriving on trusted interfaces bypass all dynamic ARP inspection validation checks, and those arriving on untrusted interfaces undergo the dynamic ARP inspection validation process.
In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. No other validation is needed at any other place in the bridge-domain or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command.
Note
Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.
In the figure below, assume that both Switch A and Switch B are running dynamic ARP inspection on the bridge-domain that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B. Connectivity between Host 1 and Host 2 is lost.
Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.
In cases in which some switches in a bridge-domain run dynamic ARP inspection and other switches do not, configure the interfaces connecting such switches as untrusted. However, to validate the bindings of packets from switches not running dynamic ARP inspection, configure the switch running dynamic ARP inspection with ARP ACLs. When you cannot determine such bindings, isolate switches running dynamic ARP inspection from switches not running dynamic ARP inspection at Layer 3. For configuration information, see Configuring ARP ACLs for Non-DHCP Environments.
Note
Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP packet on all switches in the bridge-domain.
Rate Limiting of ARP Packets
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can change this setting by using the ip arp inspection limit interface configuration command.
Relative Priority of ARP ACLs and DHCP Snooping Entries
Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only if you configure them
by using the ip arp inspection filter bridge-domain global configuration command. The switch first compares ARP packets to
user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding
exists in the database populated by DHCP snooping.
Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving bridge-domain, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection bridge-domain logging global configuration command. For configuration information, see Configuring the Log Buffer (optional).
Configuring Dynamic ARP Inspection
Default Dynamic ARP Inspection Configuration
The table below shows the default dynamic ARP inspection configuration.
The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second. The rate is unlimited on all trusted interfaces. The burst interval is 1 second.
ARP ACLs for non-DHCP environments: No ARP ACLs are defined.
Validation checks: No checks are performed.
Log buffer: When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.
Per-bridge-domain logging: All denied or dropped ARP packets are logged.
Dynamic ARP Inspection Configuration Guidelines
The Cisco ASR 920 Series Router supports dynamic ARP inspection only on bridge-domains.
Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.
Dynamic ARP inspection is not effective for hosts connected to switches that do not support dynamic ARP inspection or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with dynamic ARP inspection checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for dynamic ARP inspection.
Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in
incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned
IP addresses.
Note
Configuring the ip arp inspection bridge-domain id command without the global ip arp inspection command may affect ARP message processing on all bridge-domains. To avoid this, ensure that the ip arp inspection command is enabled.
When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.
A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match. Otherwise, the physical port remains suspended in the port channel. A port channel inherits its trust state from the first physical port that joins the channel. Consequently, the trust state of the first physical port need not match the trust state of the channel.
Conversely, when you change the trust state on the port channel, the switch configures a new trust state on all the physical ports that comprise the channel.
The operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel-port members.
The rate of incoming packets on a physical port is checked against the port-channel configuration rather than the physical-port configuration. The rate-limit configuration on a port channel is independent of the configuration on its physical ports.
If the EtherChannel receives more ARP packets than the configured rate, the channel (including all physical ports) is placed in the error-disabled state.
Make sure to limit the rate of ARP packets on incoming trunk ports. Configure trunk ports with higher rates to reflect their aggregation and to handle packets across multiple dynamic ARP inspection-enabled bridge-domains. You also can use the ip arp inspection limit none interface configuration command to make the rate unlimited. A high rate-limit on one bridge-domain can cause a denial-of-service attack to other bridge-domains when the software places the port in the error-disabled state.
When you enable dynamic ARP inspection on the switch, policers that were configured to police ARP traffic are no longer effective. The result is that all ARP traffic is sent to the CPU.
Configuring Dynamic ARP Inspection in DHCP Environments
This procedure shows how to configure dynamic ARP inspection when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B. Both switches are running dynamic ARP inspection on bridge-domain 1 where the hosts are located. A DHCP server is connected to Switch A. Both hosts acquire their IP addresses from the same DHCP server. Therefore, Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2.
Note
Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses.
Beginning in privileged EXEC mode, follow these steps to configure dynamic ARP inspection. You must perform this procedure on both switches. This procedure is required.
SUMMARY STEPS
show cdp neighbors
configure terminal
ip arp inspection
ip arp inspection bridge-domain id
interface interface-id
no shutdown
ip arp inspection trust
end
show ip arp inspection interfaces
show ip arp inspection bridge-domain id
show ip dhcp snooping binding
show ip arp inspection statistics bridge-domain id
copy running-config startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
show cdp neighbors
Verify the connection between the switches.
Step 2
configure terminal
Enter global configuration mode.
Step 3
ip arp inspection
Enable dynamic ARP inspection globally.
Step 4
ip arp inspection bridge-domain id
Enable dynamic ARP inspection on a per-bridge-domain basis. By default, dynamic ARP inspection is disabled on all bridge-domains.
Specify the same bridge-domain ID for both switches.
Step 5
interface interface-id
Specify the interface connected to the other switch, and enter interface configuration mode.
Step 6
no shutdown
Enable the port, if necessary. By default, user network interfaces (UNIs) and enhanced network interfaces (ENIs) are disabled, and network node interfaces (NNIs) are enabled.
Step 7
ip arp inspection trust
Configure the connection between the switches as trusted.
By default, all interfaces are untrusted.
The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simply forwards the packets.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection bridge-domain logging global configuration command. For more information, see Configuring the Log Buffer (optional).
Step 8
end
Return to privileged EXEC mode.
Step 9
show ip arp inspection interfaces
show ip arp inspection bridge-domain id
Verify the dynamic ARP inspection configuration.
Step 10
show ip dhcp snooping binding
Verify the DHCP bindings.
Step 11
show ip arp inspection statistics bridge-domain id
Check the dynamic ARP inspection statistics.
Step 12
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Example for Configuring Dynamic ARP Inspection
This example shows how to configure dynamic ARP inspection on Switch A on bridge-domain 1. You would perform a similar procedure on Switch B:
Router(config)# ip arp inspection
Router(config)# ip arp inspection bridge-domain 1
Router(config)# interface gigabitethernet0/1
Router(config-if)# ip arp inspection trust
Disabling Dynamic ARP Inspection
To disable dynamic ARP inspection, use the no ip arp inspection bridge-domain global configuration command.
To return the interfaces to an untrusted state, use the no ip arp inspection trust interface configuration command.
Configuring ARP ACLs for Non-DHCP Environments
This procedure shows how to configure dynamic ARP inspection when Switch B does not support dynamic ARP inspection or DHCP snooping.
If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to bridge-domain 1. If the IP address of Host 2 is not static (so it is impossible to apply the ACL configuration on Switch A), you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.
Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments.
SUMMARY STEPS
configure terminal
ip arp inspection
arp access-list acl-name
permit ip host sender-ip mac host sender-mac [log]
exit
ip arp inspection filter arp-acl-name bridge-domain id [static]
interface interface-id
no shutdown
no ip arp inspection trust
end
show arp access-list [acl-name]
show ip arp inspection bridge-domain id
show ip arp inspection interfaces
copy running-config startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
ip arp inspection
Enable dynamic ARP inspection globally.
Step 3
arp access-list acl-name
Define an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined.
Note
At the end of the ARP access list, there is an implicit deny ip any mac any command.
Step 4
permit ip host sender-ip mac host sender-mac [log]
Permit ARP packets from the specified host (Host 2).
For sender-ip, enter the IP address of Host 2.
For sender-mac, enter the MAC address of Host 2.
(Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE). Matches are logged if you also configure the matchlog keyword in the ip arp inspection bridge-domain logging global configuration command.
Step 5
exit
Return to global configuration mode.
Step 6
ip arp inspection filter arp-acl-name bridge-domain id [static]
Apply the ARP ACL to the bridge-domain. By default, no defined ARP ACLs are applied to any bridge-domain.
For arp-acl-name, specify the name of the ACL created in Step 3.
(Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used.
If you do not specify this keyword, it means that there is no explicit deny in the ACL that denies the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL.
ARP packets containing only IP-to-MAC address bindings are compared against the ACL. Packets are permitted only if the access list permits them.
Step 7
interface interface-id
Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.
Step 8
no shutdown
Enable the port, if necessary. By default, UNIs and ENIs are disabled, and NNIs are enabled.
Step 9
no ip arp inspection trust
Configure the Switch A interface that is connected to Switch B as untrusted.
By default, all interfaces are untrusted.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection bridge-domain logging global configuration command.
Step 10
end
Return to privileged EXEC mode.
Step 11
show arp access-list [acl-name]
show ip arp inspection bridge-domain id
show ip arp inspection interfaces
Verify your entries.
Step 12
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Example for Configuring an ARP ACL
This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to bridge-domain 1, and to configure port 1 on Switch A as untrusted:
Router(config)# ip arp inspection
Router(config)# arp access-list host2
Router(config-arp-acl)# permit ip host 1.1.1.1 mac host 0001.0001.0001
Router(config-arp-acl)# exit
Router(config)# ip arp inspection filter host2 bridge-domain 1
Router(config)# interface gigabitethernet0/1
Router(config-if)# no ip arp inspection trust
Removing the ARP ACL
To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a bridge-domain, use the no ip arp inspection filter arp-acl-name bridge-domain id global configuration command.
Limiting the Rate of Incoming ARP Packets (optional)
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.
Note
Unless you configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the Dynamic ARP Inspection Configuration Guidelines.
Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.
Limit the rate of incoming ARP requests and responses on the interface.
The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces. The burst interval is 1 second.
The keywords have these meanings:
For rate pps, specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.
(Optional) For burst interval seconds, specify the consecutive interval in seconds over which the interface is monitored for a high rate of ARP packets. The range is 1 to 15.
For rate none, specify no upper limit for the rate of incoming ARP packets that can be processed.
Step 6
exit
Return to global configuration mode.
Step 7
exit
Return to privileged EXEC mode.
Step 8
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Note
To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.
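The rate-limit defaults, the EtherChannel trust and rate-limit guidelines, and the rate and burst keywords described above, as an added Python model that is not Cisco code or device behaviour; port names and packet counts are constructed, and the window rule (packets over the burst interval exceed rate x interval) is this model's own assumption:

```python
"""Model of the trust-state and rate-limit rules for ports and EtherChannels.

Added example, not Cisco code. It models the guidelines and the rate-limit
procedure above: 15 pps untrusted / unlimited trusted until a limit is set
explicitly; a member joins a channel only if its trust state matches (else
it is suspended); the channel inherits the first member's trust state and
pushes later trust changes to all members; the channel's limit applies to
the sum of all members' ARP packets and err-disables the whole channel.
Assumption of this model (not stated on the page): a limit is exceeded when
the packets seen over 'burst interval' consecutive seconds exceed rate x
interval. Port names and packet counts are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_UNTRUSTED_PPS = 15   # default for untrusted interfaces
UNLIMITED = None             # 'rate none', and the default for trusted interfaces


@dataclass
class DaiPort:
    name: str
    trusted: bool = False               # all interfaces are untrusted by default
    limit_configured: bool = False      # True after 'ip arp inspection limit ...'
    configured_rate: Optional[int] = None
    burst_interval: int = 1
    suspended: bool = False
    err_disabled: bool = False

    @property
    def effective_rate(self) -> Optional[int]:
        """An explicit limit survives trust changes; otherwise trust state decides."""
        if self.limit_configured:
            return self.configured_rate
        return UNLIMITED if self.trusted else DEFAULT_UNTRUSTED_PPS

    def set_limit(self, rate: Optional[int], burst_interval: int = 1) -> None:
        """'ip arp inspection limit rate <pps> [burst interval <s>]' or 'rate none'."""
        if rate is not None and not 0 <= rate <= 2048:
            raise ValueError("rate must be 0-2048 pps, or None for 'none'")
        if not 1 <= burst_interval <= 15:
            raise ValueError("burst interval must be 1-15 seconds")
        self.limit_configured, self.configured_rate = True, rate
        self.burst_interval = burst_interval

    def clear_limit(self) -> None:
        """'no ip arp inspection limit': revert to the trust-state default."""
        self.limit_configured, self.configured_rate, self.burst_interval = False, None, 1


@dataclass
class PortChannel(DaiPort):
    members: list = field(default_factory=list)

    def join(self, port: DaiPort) -> bool:
        """Add a physical port; False means it was suspended for a trust mismatch."""
        if not self.members:
            self.trusted = port.trusted      # channel inherits the first member's state
        port.suspended = port.trusted != self.trusted
        self.members.append(port)
        return not port.suspended

    def set_trust(self, trusted: bool) -> None:
        """A trust change on the channel is pushed to every member port."""
        self.trusted = trusted
        for member in self.members:
            member.trusted, member.suspended = trusted, False

    def observe(self, counts: dict) -> bool:
        """counts = {member name: [ARP packets in second 1, second 2, ...]}.
        The aggregate over all members is checked against the channel's own
        limit, not the members'. Returns True if the channel was err-disabled."""
        rate = self.effective_rate
        if rate is UNLIMITED:
            return False
        seconds = max(len(v) for v in counts.values())
        totals = [sum(v[i] for v in counts.values() if i < len(v)) for i in range(seconds)]
        window = self.burst_interval
        for start in range(seconds - window + 1):   # no check until a full window is seen
            if sum(totals[start:start + window]) > rate * window:
                self.err_disabled = True
                for member in self.members:          # the whole channel goes down
                    member.err_disabled = True
                return True
        return False


def demo() -> dict:
    """Constructed scenario: two 250 pps members behind a 400 pps channel limit."""
    po1 = PortChannel("Port-channel1")
    gi1, gi2, gi3 = DaiPort("Gi0/1"), DaiPort("Gi0/2"), DaiPort("Gi0/3", trusted=True)
    joined = [po1.join(gi1), po1.join(gi2), po1.join(gi3)]   # Gi0/3 mismatches: suspended
    po1.set_limit(400)
    exceeded = po1.observe({"Gi0/1": [250, 250], "Gi0/2": [250, 250]})   # 500 pps aggregate
    return {"joined": joined, "channel_rate": po1.effective_rate,
            "member_default_rate": gi1.effective_rate, "err_disabled": exceeded,
            "member_err_disabled": gi1.err_disabled}
```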
Performing Validation Checks (optional)
Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.
SUMMARY STEPS
configure terminal
ip arp inspection
ip arp inspection validate {[src-mac] [dst-mac] [ip]}
exit
show ip arp inspection bridge-domain id
copy running-config startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
ip arp inspection
Enable dynamic ARP inspection globally.
Step 3
ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Perform a specific check on incoming ARP packets. By default, no checks are performed.
The keywords have these meanings:
For src-mac, check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
For dst-mac, check the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
For ip, check the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.
You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src-mac and dst-mac validation, and a second command enables ip validation only, the src-mac and dst-mac validations are disabled as a result of the second command.
Step 4
exit
Return to privileged EXEC mode.
Step 5
show ip arp inspection bridge-domain id
Verify your settings.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Note
To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.
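The validation checks in this section, together with the ARP ACL precedence rules (including the static keyword) described earlier, as one added Python model that is not part of Cisco's documentation or software; the hosts, addresses, packet fields and the ACE tuple layout are constructed assumptions:

```python
"""Model of the dynamic ARP inspection verdict for one ARP packet.

Added example, not Cisco code. It orders the rules stated in this chapter:
trusted interfaces bypass every check; the optional src-mac, dst-mac and ip
validate checks; ARP ACLs taking precedence over DHCP snooping bindings
(the 'static' keyword turns the implicit deny into a drop); and the DHCP
snooping binding database as the last word. Hosts, addresses and the packet
layout are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


def norm_mac(mac: str) -> str:
    """Reduce 0001.0001.0001 / 00:01:00:01:00:01 / 00-01-... to 12 hex digits."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


@dataclass
class ArpPacket:
    eth_src: str        # source MAC in the Ethernet header
    eth_dst: str        # destination MAC in the Ethernet header
    sender_mac: str     # sender hardware address in the ARP body
    sender_ip: str      # sender protocol address in the ARP body
    target_mac: str     # target hardware address in the ARP body
    target_ip: str      # target protocol address in the ARP body
    is_reply: bool      # True for an ARP reply, False for a request


@dataclass
class BridgeDomainDai:
    """DAI state of one bridge-domain (constructed model, not device state)."""
    dhcp_bindings: dict                        # DHCP snooping database: IP -> MAC
    arp_acl: Optional[list] = None             # ACEs (action, ip, mac); None = no filter
    acl_static: bool = False                   # 'ip arp inspection filter ... static'
    checks: set = field(default_factory=set)   # active 'ip arp inspection validate' keywords

    def set_validate(self, *keywords: str) -> None:
        """Model 'ip arp inspection validate': each command replaces the previous set."""
        if not keywords:
            raise ValueError("at least one of src-mac, dst-mac, ip is required")
        unknown = set(keywords) - {"src-mac", "dst-mac", "ip"}
        if unknown:
            raise ValueError(f"unknown keyword(s): {sorted(unknown)}")
        self.checks = set(keywords)


def invalid_ip(ip: str) -> bool:
    """Addresses the 'ip' check rejects: 0.0.0.0, 255.255.255.255 and multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


def inspect(dai: BridgeDomainDai, pkt: ArpPacket, port_trusted: bool) -> tuple:
    """Return ('forward', reason) or ('drop', reason)."""
    # 1. Packets arriving on trusted interfaces bypass all validation checks.
    if port_trusted:
        return ("forward", "trusted interface, no checks performed")
    # 2. Optional validate checks run before any binding lookup.
    if "src-mac" in dai.checks and norm_mac(pkt.eth_src) != norm_mac(pkt.sender_mac):
        return ("drop", "src-mac: Ethernet source differs from ARP sender MAC")
    if ("dst-mac" in dai.checks and pkt.is_reply
            and norm_mac(pkt.eth_dst) != norm_mac(pkt.target_mac)):
        return ("drop", "dst-mac: Ethernet destination differs from ARP target MAC")
    if "ip" in dai.checks:
        if invalid_ip(pkt.sender_ip):
            return ("drop", "ip: invalid sender IP address")
        if pkt.is_reply and invalid_ip(pkt.target_ip):
            return ("drop", "ip: invalid target IP address in reply")
    # 3. An applied ARP ACL takes precedence over the DHCP snooping database.
    if dai.arp_acl is not None:
        for action, ip, mac in dai.arp_acl:
            if ip == pkt.sender_ip and norm_mac(mac) == norm_mac(pkt.sender_mac):
                if action == "permit":
                    return ("forward", "permitted by ARP ACL")
                return ("drop", "denied by ARP ACL, DHCP binding not consulted")
        if dai.acl_static:
            # Implicit deny treated as explicit: DHCP bindings are not used.
            return ("drop", "no ACE matched and the filter is static")
    # 4. Otherwise the DHCP snooping binding database decides.
    bound = dai.dhcp_bindings.get(pkt.sender_ip)
    if bound is not None and norm_mac(bound) == norm_mac(pkt.sender_mac):
        return ("forward", "matches DHCP snooping binding")
    return ("drop", "no matching DHCP snooping binding")


# Constructed scenario after the chapter's figure: Hosts A and B leased their
# addresses (DHCP snooping holds bindings), Host 2 is static and permitted by an
# ARP ACL, and Host C claims Host A's IP address with its own MAC address.
HOST_A = ("192.0.2.10", "0000.0000.000a")
HOST_B = ("192.0.2.11", "0000.0000.000b")
HOST_C_MAC = "0000.0000.000c"
BD1 = BridgeDomainDai(dhcp_bindings={HOST_A[0]: HOST_A[1], HOST_B[0]: HOST_B[1]},
                      arp_acl=[("permit", "1.1.1.1", "0001.0001.0001")])
BD1.set_validate("src-mac", "ip")


def reply(sender_ip, sender_mac, target_ip, target_mac, eth_src=None):
    # Build an ARP reply; the Ethernet source defaults to the ARP sender MAC.
    return ArpPacket(eth_src or sender_mac, target_mac, sender_mac, sender_ip,
                     target_mac, target_ip, True)


def demo() -> dict:
    """Verdict per packet on an untrusted port (and one on a trusted uplink)."""
    return {
        "host_a_legit": inspect(BD1, reply(*HOST_A, *HOST_B), False)[0],
        "host_c_claims_a": inspect(BD1, reply(HOST_A[0], HOST_C_MAC, *HOST_B), False)[0],
        "host_2_via_acl": inspect(BD1, reply("1.1.1.1", "0001.0001.0001", *HOST_A), False)[0],
        "eth_src_mismatch": inspect(BD1, reply(*HOST_A, *HOST_B, eth_src=HOST_C_MAC), False)[0],
        "trusted_uplink": inspect(BD1, reply(HOST_A[0], HOST_C_MAC, *HOST_B), True)[0],
    }
```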
Configuring the Log Buffer (optional)
Note
Log buffering is not currently supported.
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving bridge-domain, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same bridge-domain with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.
Beginning in privileged EXEC mode, follow these steps to configure the log buffer. This procedure is optional.
SUMMARY STEPS
configure terminal
ip arp inspection log-buffer {entries number | logs number interval seconds}
ip arp inspection bridge-domain id logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}
exit
show ip arp inspection log
copy running-config startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
ip arp inspection log-buffer {entries number | logs
number interval seconds}
Configure the dynamic ARP inspection logging buffer.
By default, when dynamic ARP inspection is enabled, denied or
dropped ARP packets are logged. The number of log entries is 32. The number of
system messages is limited to 5 per second. The logging-rate interval is 1
second.
The keywords have these meanings:
For
entries
number, specify the number of entries to be logged in the
buffer. The range is 0 to 1024.
For
logs
number
interval
seconds, specify the number of entries to generate system
messages in the specified interval.
For
logs number, the range is 0 to 1024. A 0 value means that
the entry is placed in the log buffer, but a system message is not generated.
For
interval seconds, the range is 0 to 86400 seconds (1 day). A
0 value means that a system message is immediately generated (and the log
buffer is always empty).
An interval setting of 0 overrides a log setting of 0.
The
logs and
interval settings interact. If the
logs number X is greater than
interval seconds Y, X divided by Y (X/Y) system messages are
sent every second. Otherwise, one system message is sent every Y divided by X
(Y/X) seconds.
Step 3
ip arp inspection bridge-domain id logging {acl-match
{matchlog | none} | dhcp-bindings {all | none | permit}}
Control the type of packets that are logged per bridge-domain. By
default, all denied or all dropped packets are logged. The term
logged means the entry is placed in the log buffer and a
system message is generated.
The keywords have these meanings:
For
acl-match
matchlog, log packets based on the ACE logging configuration.
If you specify the
matchlog keyword in this command and the
log keyword in the
permit or
deny ARP access-list configuration command, ARP packets
permitted or denied by the ACL are logged.
For
acl-match none, do not log packets that match ACLs.
For dhcp-bindings all, log all packets that match DHCP
bindings.
For dhcp-bindings none, do not log packets that match DHCP
bindings.
For dhcp-bindings permit, log DHCP-binding permitted packets.
Step 4
exit
Return to privileged EXEC mode.
Step 5
show ip arp inspection log
Verify your settings.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
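An added example, not Cisco code, that models the Step 2 rules: it checks the documented ranges, works out the system-message rate for a logs/interval pair including the two zero cases, and renders the commands from Steps 1 to 5 for a caller-supplied bridge-domain. The LogBufferPlan API is hypothetical, and the bridge-domain id and values used when running it are constructed.

```python
# Added example, not Cisco code: models the Step 2 log-buffer rules (ranges,
# the logs/interval rate and its two zero cases) and renders Steps 1 to 5.
from dataclasses import dataclass

ENTRIES_MAX, LOGS_MAX, INTERVAL_MAX = 1024, 1024, 86400  # documented ranges
LOGGING_MODES = ("acl-match matchlog", "acl-match none", "dhcp-bindings all",
                 "dhcp-bindings none", "dhcp-bindings permit")  # Step 3 keywords


@dataclass(frozen=True)
class LogBufferPlan:
    entries: int   # log buffer size (default 32)
    logs: int      # entries per interval that raise a system message (default 5)
    interval: int  # length of that interval in seconds (default 1)

    def __post_init__(self) -> None:
        for name, value, limit in (("entries", self.entries, ENTRIES_MAX),
                                   ("logs", self.logs, LOGS_MAX),
                                   ("interval", self.interval, INTERVAL_MAX)):
            if not 0 <= value <= limit:
                raise ValueError(f"{name} must be in 0..{limit}, got {value}")

    def messages_per_second(self) -> float:
        # interval 0 overrides logs 0: every entry is sent at once (unbounded rate)
        if self.interval == 0:
            return float("inf")
        return self.logs / self.interval  # X/Y; 0.0 when logs 0 (buffered only)

    def describe(self) -> str:
        # Phrase the behaviour the way the Step 2 text does, zero cases first.
        if self.interval == 0:
            return "immediate: a system message per entry, log buffer always empty"
        if self.logs == 0:
            return "buffer only: entries are buffered, no system message generated"
        if self.logs > self.interval:
            return f"{self.logs / self.interval:g} system messages per second"
        return f"one system message every {self.interval / self.logs:g} second(s)"

    def ios_commands(self, bridge_domain: int, logging: str) -> list:
        if logging not in LOGGING_MODES:
            raise ValueError(f"logging must be one of {LOGGING_MODES}")
        return [
            "configure terminal",
            f"ip arp inspection log-buffer entries {self.entries}",
            f"ip arp inspection log-buffer logs {self.logs} interval {self.interval}",
            f"ip arp inspection bridge-domain {bridge_domain} logging {logging}",
            "exit",
            "show ip arp inspection log",
        ]
```

Running `LogBufferPlan(256, 4, 20).describe()` gives "one system message every 5 second(s)", the Y/X branch of the rule; the default 32/5/1 plan lands in the X/Y branch at 5 messages per second.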
Returning to the Default Log Buffer Settings
To return to the default log buffer settings, use the no ip arp
inspection log-buffer {entries | logs} global configuration command.
To return to the default bridge-domain log settings, use the no ip arp
inspection bridge-domain id logging {acl-match | dhcp-bindings} global
configuration command.
To clear the log buffer, use the clear ip arp inspection log
privileged EXEC command.
Displaying Dynamic ARP Inspection Information
To display dynamic ARP inspection information, use the privileged EXEC
commands described in the table below.

Table 2. Commands for Displaying Dynamic ARP Inspection Information

Command: show arp access-list [acl-name]
Description: Displays detailed information about ARP ACLs.

Command: show ip arp inspection interfaces [interface-id]
Description: Displays the trust state and the rate limit of ARP packets for
the specified interface or all interfaces.

Command: show ip arp inspection bridge-domain id
Description: Displays the configuration and the operating state of dynamic ARP
inspection for the specified bridge-domain. If a range is specified, displays
information for bridge domains with dynamic ARP inspection enabled (active).
Clearing or Displaying Dynamic ARP Inspection Statistics
To clear or display dynamic ARP inspection statistics, use the privileged EXEC
commands in the table below.
For the show ip arp inspection statistics command, the switch increments the
number of forwarded packets for each ARP request and response packet on a
trusted dynamic ARP inspection port. The switch increments the number of ACL
or DHCP permitted packets for each packet that is denied by source MAC,
destination MAC, or IP validation checks, and the switch increments the
appropriate failure count.

Table 3. Commands for Clearing or Displaying Dynamic ARP Inspection Statistics

Command: clear ip arp inspection statistics
Description: Clears dynamic ARP inspection statistics.

Command: show ip arp inspection statistics bridge-domain id
Description: Displays statistics for forwarded, dropped, MAC validation
failure, IP validation failure, ACL permitted and denied, and DHCP permitted
and denied packets for the specified bridge domain. If no bridge-domain is
specified, the router displays information only for bridge domains with
dynamic ARP inspection enabled (active).
Clearing or Displaying Dynamic ARP Inspection Logging Information
To clear or display dynamic ARP inspection logging information, use the
privileged EXEC commands in the table below:

Table 4. Commands for Clearing or Displaying Dynamic ARP Inspection Logging
Information

Command: clear ip arp inspection log
Description: Clears the dynamic ARP inspection log buffer.

Command: show ip arp inspection log
Description: Displays the configuration and contents of the dynamic ARP
inspection log buffer.
Additional References

Standards
Standard: No new or modified standards are supported, and support for existing
standards has not been modified.
Title: —

MIBs
MIB: No new or modified MIBs are supported, and support for existing MIBs has
not been modified.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS
releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs

RFCs
RFC: No new or modified RFCs are supported, and support for existing RFCs has
not been modified.
Title: —

Technical Assistance
Description: The Cisco Support and Documentation website provides online
resources to download documentation, software, and tools. Use these resources
to install and configure the software and to troubleshoot and resolve technical
issues with Cisco products and technologies. Access to most tools on the Cisco
Support and Documentation website requires a Cisco.com user ID and password.
Link:
The following table provides release information about the feature or features described in this module. This table lists
only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.
Table 5. Feature Information for Dynamic ARP

Feature Name: Configuring Dynamic ARP
Releases: Cisco IOS XE Release 3.13.0S
Feature Configuration Information: This feature was introduced on the Cisco
ASR 920 Series Aggregation Services Router (ASR-920-12CZ-A, ASR-920-12CZ-D,
ASR-920-4SZ-A, ASR-920-4SZ-D).