The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter contains the following sections:
To clear the Address Resolution Protocol (ARP) Inspection statistics for specific VLANs, use the clear ip arp inspection statistics vlan Privileged EXEC mode command.
clear ip arp inspection statistics vlan VLAN-LIST
VLAN-LIST—A VLAN ID or a list of VLAN IDs. (Range: 1 to 4094)
Privileged EXEC mode
switchxxxxxx# clear ip arp inspection statistics vlan 1To enable dynamic ARP inspection on the switch, use the ip arp inspection Global Configuration mode command.
To disable dynamic ARP inspection on the switch, use the no form of this command.
ip arp inspection
no ip arp inspection
N/A
No specific dynamic ARP inspection is performed.
Global Configuration mode
switchxxxxxx(config)# ip arp inspectionTo limit the rate of incoming ARP requests and responses on an interface, use the ip arp inspection limit rate Interface Configuration mode command.
To revert to its default setting, use the no form of this command.
ip arp inspection limit rate VALUE
no ip arp inspection limit rate
VALUE—Maximum number of incoming packets per second that are allowed on the interface. (Range: 1 to 300 pps)
The default rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.
The rate is unlimited on all trusted interfaces.
The burst interval is 1 second.
Interface Configuration mode
This command prevents dynamic ARP inspection from using all of the switch resources if a DoS attack occurs.
The rate applies to both trusted and untrusted interfaces. Configure appropriate rates on trunks to process packets across multiple VLANs that enabled the dynamic ARP inspection function.
After the switch receives more than the configured rate of packets every second consecutively over a number of burst seconds, the interface is placed into an error-disabled state.
Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit command, the interface reverts to its default rate limit.
You should configure trunk ports with higher rates to reflect their aggregation. When the rate of incoming packets exceeds the user-configured rate, the switch places the interface into an error-disabled state. The errordisable recovery feature automatically removes the port from the error-disabled state according to the recovery setting.
The rate of incoming ARP packets on EtherChannel ports equals to the sum of the incoming rate of ARP packets from all channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on all channel members.
switchxxxxxx(config)# interface gi5
switchxxxxxx(config-if)# ip arp inspection limit rate 150To configure the trust state that determines which incoming ARP packets are inspected for an interface, use the ip arp inspection trust Interface Configuration mode command.
To revert to its default setting, use the no form of this command.
ip arp inspection trust
no ip arp inspection trust
N/A
The interface is untrusted.
Interface Configuration mode
The switch does not check ARP packets that are received on the trusted interface. It only forwards these packets.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination.
switchxxxxxx(config)# interface gi9
switchxxxxxx(config-if)# ip arp inspection trustTo validate ARP packets on the switch, use the ip arp inspection validate Global Configuration mode command.
To disable validating ARP packets, use the no form of this command.
ip arp inspection validate {dst-mac | ip [allow-zeros] | src-mac}
no ip arp inspection validate {dst-mac | ip [allow-zeros] | src-mac}
dst-mac—Compares the destination MAC address in the Ethernet header against the target MAC address in ARP body. This check is performed for ARP responses. When enabled, the packets with different MAC addresses are classified as invalid and are dropped.
ip—Compares the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are compared in all ARP requests and responses. Target IP addresses are compared only in ARP responses.
allow-zeros—(Optional) Modifies the IP validation test so that ARPs with an address of 0.0.0.0 are not denied.
src-mac—Compares the source MAC address in the Ethernet header against the sender MAC address in ARP body. This check is performed on both ARP requests and responses. When enabled, the packets with different MAC addresses are classified as invalid and are dropped.
Validating ARP packets is disabled.
Global Configuration mode
You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src-mac and dst-mac validations, and a second command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.
The allow-zeros keyword interacts with ARP ACLs in this way:
If you configure an ARP ACL to deny ARP probes, they are dropped even if the allow-zeros keyword is specified.
If you configure an ARP ACL that specifically permits ARP probes and configure the ip arp inspection validate ip command, ARP probes are dropped unless you enter the allow-zeros keyword.
switchxxxxxx(config)# ip arp inspection validate dst-mac
switchxxxxxx(config)# ip arp inspection validate src-mac
switchxxxxxx(config)# ip arp inspection validate ip
switchxxxxxx(config)# ip arp inspection validate ip allow-zerosTo enable dynamic ARP inspection on specific VLANs, use the ip arp inspection vlan Global Configuration mode command.
To disable dynamic ARP inspection on specific VLANs, use the no form of this command.
ip arp inspection vlan VLAN-LIST
no ip arp inspection vlan VLAN-LIST
VLAN-LIST—Specifies a VLAN ID or a range of VLAN IDs. (Range: 1 to 4094)
ARP inspection is disabled on all VLANs.
Global Configuration mode
You must specify the VLANs on which to enable dynamic ARP inspection. Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
switchxxxxxx(config)# ip arp inspection vlan 5To show the ARP Inspection status, use the show ip arp inspection Privileged EXEC mode command.
show ip arp inspection
N/A
Privileged EXEC mode
switchxxxxxx# show ip arp inspection
Dynamic ARP Inspection : disabled
Source Mac Validation : disabled
Destination Mac Validation : disabled
IP Address Validation : disabled
Enable on Vlans : NoneThe following table describes the significant fields shown in the example:
|
Field |
Description |
|---|---|
|
Dynamic ARP Inspection |
Shows whether dynamic ARP Inspection is enabled or disabled on the switch. |
|
Source Mac Validation |
Shows whether to compare the source MAC address in the Ethernet header against the sender MAC address in ARP body. |
|
Destination Mac Validation |
Shows whether to compare the destination MAC address in the Ethernet header against the target MAC address in ARP body. |
|
IP Address Validation |
Shows whether to compare the ARP body for invalid and unexpected IP addresses. |
|
Enable on Vlans |
Shows whether dynamic ARP Inspection is enabled or disabled on the VLANs. |
To show the ARP Inspection configuration for specific interfaces, use the show ip arp inspection interfaces Privileged EXEC mode command.
show ip arp inspection interfaces interface-id
interface-id—Specifies an interface ID or a list of interface IDs. The interfaces can be one of these types: Ethernet port or port channel.
Privileged EXEC mode
switchxxxxxx# show ip arp inspection interfaces gi1
Interfaces | Trust State | Rate (pps)
------------+-------------+-------------
gi1 | Untrusted | 15The following table describes the significant fields shown in the example:
|
Field |
Description |
|---|---|
|
Interfaces |
Port or LAG on which ARP Inspection trust mode can be enabled. |
|
Trust State |
Shows whether ARP Inspection trust mode is enabled or disabled on the interface.
|
|
Rate (pps) |
Maximum rate that is allowed on the interface. |
To show the ARP Inspection statistics for all VLANs or for specific VLANs, use the show ip arp inspection statistics Privileged EXEC mode command.
show ip arp inspection statistics [VLAN VLAN-LIST]
VLAN-LIST—(Optional) Specifies a VLAN ID or a list of VLAN IDs. (Range: 1 to 4094)
Privileged EXEC mode
switchxxxxxx# show ip arp inspection statistics vlan 1
Vlan| Forward |Source MAC Failures|Dest MAC Failures|SIP Validation Failures|DIP Validation Failures|IP-MAC Mismatch Failures
----+---------+-------------------+-----------------+-----------------------+-----------------------+------------------------
1| 0 | 0 | 0 | 0 |
0 | 0The following table describes the significant fields shown in the example:
|
Field |
Description |
|---|---|
|
VLAN |
VLAN ID. |
|
Forward |
Total number of ARP packets forwarded by the VLAN. |
|
Source MAC Failures |
Total number of ARP packets that include wrong source MAC addresses. |
|
Dest MAC Failures |
Total number of ARP packets that include wrong destination MAC addresses. |
|
SIP Validation Failures |
Total number of ARP packets that the source IP address validation fails. |
|
DIP Validation Failures |
Total number of ARP packets that the destination IP address validation fails. |
|
IP-MAC Mismatch Failures |
Total number of ARP packets that the IP address does not match the MAC address. |
Feedback