DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can enable additional validation on the destination MAC address, the sender and target IP addresses, and the source MAC address.
The additional validations do the following:
- dst-mac—Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses only. When enabled, packets whose two MAC addresses differ are classified as invalid and are dropped.
- ip—Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.
- src-mac—Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets whose two MAC addresses differ are classified as invalid and are dropped.
When enabling additional validation, note the following information:
- You must specify at least one of the keywords.
- Each ip arp inspection validate command overrides the configuration from any previous commands. If an ip arp inspection validate command enables src-mac and dst-mac validations, and a second ip arp inspection validate command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.
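The following added example (not Cisco's code; the helper names parse_eth_arp, dai_validate, apply_validate_command and build_arp are hypothetical) models the three checks above on a raw Ethernet/ARP frame, including which checks apply to requests versus responses, and the replace-not-merge semantics of repeated validate commands:

```python
import struct
from ipaddress import IPv4Address

# Constructed illustration of DAI additional validation; not the switch implementation.
ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806


def parse_eth_arp(frame: bytes):
    """Split an Ethernet/IPv4 ARP frame into the fields the validations compare."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP or len(frame) < 42:
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    _htype, _ptype, _hlen, _plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    return eth_dst, eth_src, op, sha, IPv4Address(spa), tha, IPv4Address(tpa)


def invalid_ip(addr: IPv4Address) -> bool:
    """Addresses the 'ip' validation rejects: 0.0.0.0, 255.255.255.255, any multicast."""
    return addr in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or addr.is_multicast


def dai_validate(frame: bytes, checks: frozenset) -> list:
    """Return the enabled validations the frame fails; an empty list means it passes."""
    eth_dst, eth_src, op, sha, spa, tha, tpa = parse_eth_arp(frame)
    failures = []
    # src-mac: Ethernet source vs ARP sender MAC, on requests and responses
    if "src-mac" in checks and eth_src != sha:
        failures.append("src-mac")
    # dst-mac: Ethernet destination vs ARP target MAC, on responses only
    if "dst-mac" in checks and op == ARP_REPLY and eth_dst != tha:
        failures.append("dst-mac")
    # ip: sender IP on every packet, target IP on responses only
    if "ip" in checks and (invalid_ip(spa) or (op == ARP_REPLY and invalid_ip(tpa))):
        failures.append("ip")
    return failures


def apply_validate_command(keywords) -> frozenset:
    """Model 'ip arp inspection validate ...': each command replaces the previous set."""
    if not keywords:
        raise ValueError("at least one of src-mac, dst-mac, ip is required")
    return frozenset(keywords)


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Build a constructed Ethernet/ARP frame for testing the checks."""
    return struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP) + struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha,
        IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
```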
To enable additional validation, complete the following steps:
Examples
This example shows how to enable src-mac additional validation:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip arp inspection validate src-mac
Switch(config)# do show ip arp inspection | include abled$
Source Mac Validation : Enabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
This example shows how to enable dst-mac additional validation:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip arp inspection validate dst-mac
Switch(config)# do show ip arp inspection | include abled$
Source Mac Validation : Disabled
Destination Mac Validation : Enabled
IP Address Validation : Disabled
This example shows how to enable ip additional validation:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip arp inspection validate ip
Switch(config)# do show ip arp inspection | include abled$
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Enabled
This example shows how to enable src-mac and dst-mac additional validation:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip arp inspection validate src-mac dst-mac
Switch(config)# do show ip arp inspection | include abled$
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : Disabled
This example shows how to enable src-mac, dst-mac, and ip additional validation:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip arp inspection validate src-mac dst-mac ip
Switch(config)# do show ip arp inspection | include abled$
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : Enabled