You can enable or disable additional validation of ARP packets. By default, no additional validation of ARP packets is enabled.
When no additional validation is configured, the source MAC address and source IP address that DAI checks against the IP-to-MAC
binding entry are taken from the ARP body: the ARP sender MAC address and the ARP sender IP address.
DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can enable additional validation
of the destination MAC address, the sender and target IP addresses, and the source MAC address.
You can use the following keywords with the ip arp inspection validate command to implement additional validations:
- dst-mac: Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses.
When enabled, packets with different MAC addresses are classified as invalid and are dropped.
- ip: Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast
addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in
ARP responses.
- src-mac: Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses.
When enabled, packets with different MAC addresses are classified as invalid and are dropped.
When enabling additional validation, follow these guidelines:
- You must specify at least one of the keywords. You can specify one, two, or all three keywords.
- Each ip arp inspection validate command that you enter replaces the configuration from any previous commands. If you enter an
ip arp inspection validate command to enable src-mac and dst-mac validations, and a second ip arp inspection validate command to
enable ip validation, the src-mac and dst-mac validations are disabled when you enter the second command.
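To make the three checks and the keyword-replacement rule concrete, the following Python model is an added illustration written for this page; it is not Cisco code and does not reproduce the switch's implementation. It parses a standard Ethernet II frame carrying an ARP packet (RFC 826 layout), applies whichever of the dst-mac, ip, and src-mac checks are enabled, and models how a new ip arp inspection validate command replaces (rather than adds to) the previous keyword set. The host MAC addresses, IP addresses, and frames are constructed test data; the function and constant names are this example's own.

```python
"""Model of the optional DAI checks (dst-mac, ip, src-mac) on a raw ARP frame.

Added illustration for this page, not Cisco code. The frame layout is the
standard Ethernet II + ARP (RFC 826) layout; everything else is an assumption.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
VALID_KEYWORDS = frozenset({"src-mac", "dst-mac", "ip"})
ALL_CHECKS = VALID_KEYWORDS
INVALID_IPS = {"0.0.0.0", "255.255.255.255"}  # plus all multicast, see _bad_ip


def parse_arp_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame carrying ARP into the fields DAI looks at."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    (_htype, _ptype, _hlen, _plen, opcode,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "eth_dst": eth_dst, "eth_src": eth_src, "opcode": opcode,
        "sender_mac": sha, "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": tha, "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def _bad_ip(ip: str) -> bool:
    """0.0.0.0, 255.255.255.255 and any multicast address are 'unexpected'."""
    return ip in INVALID_IPS or ipaddress.IPv4Address(ip).is_multicast


def validate(frame: bytes, checks) -> list:
    """Return the names of the enabled checks the frame fails ([] = passes).

    src-mac: Ethernet source vs ARP sender MAC, requests and responses.
    dst-mac: Ethernet destination vs ARP target MAC, responses only.
    ip:      sender IP always; target IP only in responses.
    """
    p = parse_arp_frame(frame)
    failed = []
    if "src-mac" in checks and p["eth_src"] != p["sender_mac"]:
        failed.append("src-mac")
    if "dst-mac" in checks and p["opcode"] == ARP_REPLY and p["eth_dst"] != p["target_mac"]:
        failed.append("dst-mac")
    if "ip" in checks:
        if _bad_ip(p["sender_ip"]):
            failed.append("ip")
        elif p["opcode"] == ARP_REPLY and _bad_ip(p["target_ip"]):
            failed.append("ip")
    return failed


def apply_validate_command(current: frozenset, keywords) -> frozenset:
    """Model 'ip arp inspection validate <keywords>': the new set REPLACES the old one."""
    kws = frozenset(keywords)
    if not kws or not kws <= VALID_KEYWORDS:
        raise ValueError("specify one, two, or all three of src-mac, dst-mac, ip")
    return kws  # 'current' is intentionally discarded, as the guideline describes


def build_arp(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Build a constructed Ethernet II + ARP frame for testing."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, sha,
                      ipaddress.IPv4Address(spa).packed, tha,
                      ipaddress.IPv4Address(tpa).packed)
    return eth + arp


# Constructed hosts (locally administered MACs) and sample frames.
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
OTHER = bytes.fromhex("020000000099")
ZERO_MAC = bytes(6)
BROADCAST = b"\xff" * 6

GOOD_REPLY = build_arp(HOST_B, HOST_A, ARP_REPLY, HOST_A, "10.0.0.1", HOST_B, "10.0.0.2")
SRC_MISMATCH_REPLY = build_arp(HOST_B, OTHER, ARP_REPLY, HOST_A, "10.0.0.1", HOST_B, "10.0.0.2")
BROADCAST_REPLY = build_arp(BROADCAST, HOST_A, ARP_REPLY, HOST_A, "10.0.0.1", HOST_B, "10.0.0.2")
ZERO_SENDER_REQUEST = build_arp(BROADCAST, HOST_A, ARP_REQUEST, HOST_A, "0.0.0.0", ZERO_MAC, "10.0.0.2")
ZERO_TARGET_REQUEST = build_arp(BROADCAST, HOST_A, ARP_REQUEST, HOST_A, "10.0.0.1", ZERO_MAC, "0.0.0.0")
ZERO_TARGET_REPLY = build_arp(HOST_B, HOST_A, ARP_REPLY, HOST_A, "10.0.0.1", HOST_B, "0.0.0.0")

if __name__ == "__main__":
    for name, frame in [("good reply", GOOD_REPLY), ("src mismatch", SRC_MISMATCH_REPLY),
                        ("broadcast reply", BROADCAST_REPLY), ("0.0.0.0 sender", ZERO_SENDER_REQUEST),
                        ("0.0.0.0 target request", ZERO_TARGET_REQUEST), ("0.0.0.0 target reply", ZERO_TARGET_REPLY)]:
        print(f"{name:24s} failed: {validate(frame, ALL_CHECKS) or 'none'}")
    cfg = apply_validate_command(frozenset(), ["src-mac", "dst-mac"])
    cfg = apply_validate_command(cfg, ["ip"])
    print("validate keywords after second command:", sorted(cfg))  # only 'ip' remains
```

Two things the model makes visible: a request whose target IP is 0.0.0.0 passes the ip check (targets are examined only in responses), and a response addressed to the broadcast MAC fails dst-mac even though its sender fields are consistent, so enabling dst-mac is a decision to take with the traffic on the segment in mind. The last two lines show why the three keywords must be given in a single command if all three checks are wanted.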