IP ARP Inspection Commands

clear ip arp inspection statistics vlan

To clear the Address Resolution Protocol (ARP) Inspection statistics for specific VLANs, use the clear ip arp inspection statistics vlan Privileged EXEC mode command.

Syntax

clear ip arp inspection statistics vlan VLAN-LIST

Parameters

VLAN-LIST—A VLAN ID or a list of VLAN IDs. (Range: 1 to 4094)

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# clear ip arp inspection statistics vlan 1

ip arp inspection

To enable dynamic ARP inspection on the switch, use the ip arp inspection Global Configuration mode command.

To disable dynamic ARP inspection on the switch, use the no form of this command.

Syntax

ip arp inspection

no ip arp inspection

Parameters

N/A

Default Configuration

Dynamic ARP inspection is disabled on the switch.

Command Mode

Global Configuration mode

Example

switchxxxxxx(config)# ip arp inspection

ip arp inspection limit rate

To limit the rate of incoming ARP requests and responses on an interface, use the ip arp inspection limit rate Interface Configuration mode command.

To revert to its default setting, use the no form of this command.

Syntax

ip arp inspection limit rate VALUE

no ip arp inspection limit rate

Parameters

VALUE—Maximum number of incoming packets per second that are allowed on the interface. (Range: 1 to 300 pps)

Default Configuration

The default rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all trusted interfaces.

The burst interval is 1 second.

Command Mode

Interface Configuration mode

User Guidelines

This command prevents dynamic ARP inspection from using all of the switch resources if a DoS attack occurs.

The rate applies to both trusted and untrusted interfaces. Configure appropriate rates on trunks so that they can process packets across the multiple VLANs on which dynamic ARP inspection is enabled.

If the switch receives more than the configured rate of packets per second for a number of consecutive burst-interval seconds, the interface is placed into an error-disabled state.

Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit rate command, the interface reverts to the default rate limit for its trust state.

You should configure trunk ports with higher rates to reflect the traffic they aggregate. When the rate of incoming packets exceeds the user-configured rate, the switch places the interface into an error-disabled state. The error-disable recovery feature automatically removes the port from the error-disabled state according to the recovery setting.

The rate of incoming ARP packets on an EtherChannel port equals the sum of the incoming ARP packet rates of all channel members. Configure the rate limit for an EtherChannel port only after examining the rate of incoming ARP packets on all of its channel members.

Example

switchxxxxxx(config)# interface gi5
switchxxxxxx(config-if)# ip arp inspection limit rate 150
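As an added illustration (written for this page, not switch code), the following Python model captures the guidelines above: the effective limit is the explicit rate if one was configured and otherwise the trust-state default (15 pps untrusted, unlimited trusted), and a port is error-disabled once more than the limit arrives in each of several consecutive burst intervals. The number of consecutive intervals (burst_seconds) is an assumed parameter; the page does not state it.

```python
DEFAULT_RATE_PPS = {True: None, False: 15}  # trusted: unlimited, untrusted: 15 pps (page defaults)
BURST_INTERVAL_S = 1                         # page default burst interval

class ArpRateLimitedPort:
    """One interface's DAI rate-limit state. burst_seconds is an assumed parameter:
    the page does not say how many consecutive over-rate seconds trigger error-disable."""

    def __init__(self, trusted=False, burst_seconds=3):
        self.trusted = trusted
        self.explicit_rate = None          # set only by 'ip arp inspection limit rate VALUE'
        self.burst_seconds = burst_seconds
        self.streak = 0                    # consecutive over-rate burst intervals seen
        self.err_disabled = False

    @property
    def rate(self):
        """Effective limit: explicit rate if configured, otherwise the trust-state default."""
        if self.explicit_rate is not None:
            return self.explicit_rate
        return DEFAULT_RATE_PPS[self.trusted]

    def set_trust(self, trusted):          # [no] ip arp inspection trust
        self.trusted = trusted             # only moves the default; an explicit rate is kept

    def limit_rate(self, value):           # ip arp inspection limit rate VALUE
        if not 1 <= value <= 300:
            raise ValueError("rate must be 1..300 pps")
        self.explicit_rate = value

    def no_limit_rate(self):               # no ip arp inspection limit rate
        self.explicit_rate = None

    def observe(self, arrival_times):
        """Feed ARP arrival timestamps in seconds; returns True once the port is error-disabled,
        i.e. more than `rate` packets arrived in each of `burst_seconds` consecutive intervals."""
        if not arrival_times or self.rate is None:
            return self.err_disabled
        counts = {}
        for t in arrival_times:
            slot = int(t // BURST_INTERVAL_S)
            counts[slot] = counts.get(slot, 0) + 1
        for slot in range(min(counts), max(counts) + 1):  # empty intervals reset the streak
            if counts.get(slot, 0) > self.rate:
                self.streak += 1
                self.err_disabled = self.err_disabled or self.streak >= self.burst_seconds
            else:
                self.streak = 0
        return self.err_disabled
```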

ip arp inspection trust

To configure the trust state that determines which incoming ARP packets are inspected for an interface, use the ip arp inspection trust Interface Configuration mode command.

To revert to its default setting, use the no form of this command.

Syntax

ip arp inspection trust

no ip arp inspection trust

Parameters

N/A

Default Configuration

The interface is untrusted.

Command Mode

Interface Configuration mode

User Guidelines

The switch does not check ARP packets received on a trusted interface; it simply forwards them.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination.

Example

switchxxxxxx(config)# interface gi9
switchxxxxxx(config-if)# ip arp inspection trust

ip arp inspection validate

To validate ARP packets on the switch, use the ip arp inspection validate Global Configuration mode command.

To disable validating ARP packets, use the no form of this command.

Syntax

ip arp inspection validate {dst-mac | ip [allow-zeros] | src-mac}

no ip arp inspection validate {dst-mac | ip [allow-zeros] | src-mac}

Parameters

dst-mac—Compares the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed on ARP responses only. When enabled, packets with different MAC addresses are classified as invalid and dropped.

ip—Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses. Target IP addresses are checked only in ARP responses.

allow-zeros—(Optional) Modifies the IP validation test so that ARP packets with an address of 0.0.0.0 are not denied.

src-mac—Compares the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and dropped.

Default Configuration

Validating ARP packets is disabled.

Command Mode

Global Configuration mode

User Guidelines

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src-mac and dst-mac validations, and a second command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.

The allow-zeros keyword interacts with ARP ACLs in this way:

  • If you configure an ARP ACL to deny ARP probes, they are dropped even if the allow-zeros keyword is specified.

  • If you configure an ARP ACL that specifically permits ARP probes and configure the ip arp inspection validate ip command, ARP probes are dropped unless you enter the allow-zeros keyword.

Example

switchxxxxxx(config)# ip arp inspection validate dst-mac
switchxxxxxx(config)# ip arp inspection validate src-mac
switchxxxxxx(config)# ip arp inspection validate ip
switchxxxxxx(config)# ip arp inspection validate ip allow-zeros
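To make the three validations concrete, here is an added Python model of the checks this command enables (example code written for this page, not switch firmware): it parses a raw Ethernet/ARP frame and reports which of the enabled src-mac, dst-mac and ip checks would drop it, including the allow-zeros exception for ARP probes. The frames at the bottom are constructed samples, not captured traffic.

```python
import ipaddress
import struct
ARP_REQUEST, ARP_REPLY = 1, 2

def build_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a 42-byte Ethernet + IPv4-over-Ethernet ARP frame (sample input only)."""
    eth = bytes.fromhex(eth_dst) + bytes.fromhex(eth_src) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # htype, ptype, hlen, plen, oper
    arp += bytes.fromhex(sha) + ipaddress.IPv4Address(spa).packed
    arp += bytes.fromhex(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp

def parse(frame):
    """Split a frame into the Ethernet and ARP fields that the validations compare."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12],
            "oper": struct.unpack("!H", frame[20:22])[0],
            "sha": frame[22:28], "spa": ipaddress.IPv4Address(frame[28:32]),
            "tha": frame[32:38], "tpa": ipaddress.IPv4Address(frame[38:42])}

def bad_ip(addr, allow_zeros):
    """ip check: 0.0.0.0 (unless allow-zeros), 255.255.255.255 and all multicast."""
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return not allow_zeros
    return addr == ipaddress.IPv4Address("255.255.255.255") or addr.is_multicast

def inspect(frame, src_mac=False, dst_mac=False, ip=False, allow_zeros=False):
    """Return the names of the enabled checks the frame fails; [] means forward."""
    p = parse(frame)
    failures = []
    if src_mac and p["eth_src"] != p["sha"]:  # checked on requests and responses
        failures.append("src-mac")
    if dst_mac and p["oper"] == ARP_REPLY and p["eth_dst"] != p["tha"]:  # responses only
        failures.append("dst-mac")
    if ip:
        if bad_ip(p["spa"], allow_zeros):  # sender IP: every ARP packet
            failures.append("ip-sender")
        if p["oper"] == ARP_REPLY and bad_ip(p["tpa"], allow_zeros):  # target IP: responses
            failures.append("ip-target")
    return failures

# Constructed sample frames: a consistent reply, a reply whose Ethernet source MAC
# differs from the ARP sender MAC, and an ARP probe (sender IP 0.0.0.0).
GOOD_REPLY = build_frame("0a0000000001", "0a0000000002", ARP_REPLY,
                         "0a0000000002", "192.0.2.2", "0a0000000001", "192.0.2.1")
MISMATCH_REPLY = build_frame("0a0000000001", "0a00000000ff", ARP_REPLY,
                             "0a0000000002", "192.0.2.2", "0a0000000001", "192.0.2.1")
PROBE = build_frame("ffffffffffff", "0a0000000003", ARP_REQUEST,
                    "0a0000000003", "0.0.0.0", "000000000000", "192.0.2.3")
```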

ip arp inspection vlan

To enable dynamic ARP inspection on specific VLANs, use the ip arp inspection vlan Global Configuration mode command.

To disable dynamic ARP inspection on specific VLANs, use the no form of this command.

Syntax

ip arp inspection vlan VLAN-LIST

no ip arp inspection vlan VLAN-LIST

Parameters

VLAN-LIST—Specifies a VLAN ID or a range of VLAN IDs. (Range: 1 to 4094)

Default Configuration

ARP inspection is disabled on all VLANs.

Command Mode

Global Configuration mode

User Guidelines

You must specify the VLANs on which to enable dynamic ARP inspection. Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

Example

switchxxxxxx(config)# ip arp inspection vlan 5

show ip arp inspection

To show the ARP Inspection status, use the show ip arp inspection Privileged EXEC mode command.

Syntax

show ip arp inspection

Parameters

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show ip arp inspection
Dynamic ARP Inspection      : disabled
Source Mac Validation       : disabled
Destination Mac Validation  : disabled
IP Address Validation       : disabled
Enable on Vlans             : None

The following describes the significant fields shown in the example:

Dynamic ARP Inspection—Shows whether dynamic ARP Inspection is enabled or disabled on the switch.

Source Mac Validation—Shows whether the source MAC address in the Ethernet header is compared against the sender MAC address in the ARP body.

Destination Mac Validation—Shows whether the destination MAC address in the Ethernet header is compared against the target MAC address in the ARP body.

IP Address Validation—Shows whether the ARP body is checked for invalid and unexpected IP addresses.

Enable on Vlans—Lists the VLANs on which dynamic ARP Inspection is enabled.

show ip arp inspection interfaces

To show the ARP Inspection configuration for specific interfaces, use the show ip arp inspection interfaces Privileged EXEC mode command.

Syntax

show ip arp inspection interfaces interface-id

Parameters

interface-id—Specifies an interface ID or a list of interface IDs. The interfaces can be one of these types: Ethernet port or port channel.

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show ip arp inspection interfaces gi1
 Interfaces | Trust State |  Rate (pps)
------------+-------------+-------------
 gi1        | Untrusted   |   15

The following describes the significant fields shown in the example:

Interfaces—Port or LAG on which ARP Inspection trust mode can be enabled.

Trust State—Shows whether ARP Inspection trust mode is enabled or disabled on the interface.

  • Enabled—The port or LAG is a trusted interface, and ARP inspection is not performed on the ARP requests and replies sent to and from the interface.

  • Disabled—The port or LAG is not a trusted interface, and ARP inspection is performed on the ARP requests and replies sent to and from the interface. This is the default value.

Rate (pps)—Maximum rate of incoming ARP packets that is allowed on the interface.

show ip arp inspection statistics

To show the ARP Inspection statistics for all VLANs or for specific VLANs, use the show ip arp inspection statistics Privileged EXEC mode command.

Syntax

show ip arp inspection statistics [vlan VLAN-LIST]

Parameters

VLAN-LIST—(Optional) Specifies a VLAN ID or a list of VLAN IDs. (Range: 1 to 4094)

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show ip arp inspection statistics vlan 1
Vlan| Forward |Source MAC Failures|Dest MAC Failures|SIP Validation Failures|DIP Validation Failures|IP-MAC Mismatch Failures
----+---------+-------------------+-----------------+-----------------------+-----------------------+------------------------
  1 |       0 |                 0 |               0 |                     0 |                     0 |                      0

The following describes the significant fields shown in the example:

Vlan—VLAN ID.

Forward—Total number of ARP packets forwarded on the VLAN.

Source MAC Failures—Total number of ARP packets that failed the source MAC validation (Ethernet source MAC different from the ARP sender MAC).

Dest MAC Failures—Total number of ARP packets that failed the destination MAC validation (Ethernet destination MAC different from the ARP target MAC).

SIP Validation Failures—Total number of ARP packets that failed source IP address validation.

DIP Validation Failures—Total number of ARP packets that failed destination IP address validation.

IP-MAC Mismatch Failures—Total number of ARP packets whose IP address does not match the MAC address in the IP-to-MAC binding.