Configuring Additional Validation Checks on ARP Packets
Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp-protect validate command at the global configuration level.
Syntax
[no] arp-protect validate <[src-mac] | [dest-mac] | [ip]>
- src-mac
(Optional) Drops any ARP request or response packet in which the source MAC address in the Ethernet header does not match the sender MAC address in the body of the ARP packet.
- dest-mac
(Optional) Drops any unicast ARP response packet in which the destination MAC address in the Ethernet header does not match the target MAC address in the body of the ARP packet.
- ip
(Optional) Drops any ARP packet in which the sender IP address is invalid. Drops any ARP response packet in which the target IP address is invalid. Invalid IP addresses include: 0.0.0.0, 255.255.255.255, all IP multicast addresses, and all Class E IP addresses.
The following arp-protect validate command shows how to configure the validation checks for source MAC address and destination MAC address:
switch(config)# arp-protect validate src-mac dest-mac
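The three checks described above, modelled in Python as an added example (not code from the switch or its documentation). The function names and the MAC and IP addresses in the sample frames are constructed for illustration; validate() returns which of the enabled checks would drop a given ARP frame.

```python
# Added illustration: models the three arp-protect validate checks.
# Function names and sample frames are constructed; this is not switch firmware.
import ipaddress
import struct

def parse_arp(frame: bytes) -> dict:
    """Split an Ethernet II frame carrying IPv4-over-Ethernet ARP into fields."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806 or len(frame) < 42:
        raise ValueError("not a complete ARP frame")
    _htype, _ptype, _hlen, _plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    return dict(eth_dst=eth_dst, eth_src=eth_src, oper=oper,
                sha=sha, spa=spa, tha=tha, tpa=tpa)

def ip_invalid(raw: bytes) -> bool:
    """0.0.0.0, 255.255.255.255, multicast (224-239.x) and Class E (240-255.x)."""
    return raw == bytes(4) or raw[0] >= 224

def validate(frame: bytes, checks: set) -> list:
    """Return the names of the enabled checks that would drop this frame."""
    p = parse_arp(frame)
    is_reply = p["oper"] == 2             # ARP opcode 2 = response
    unicast = not (p["eth_dst"][0] & 1)   # I/G bit clear = unicast destination
    failed = []
    if "src-mac" in checks and p["eth_src"] != p["sha"]:
        failed.append("src-mac")
    if "dest-mac" in checks and is_reply and unicast and p["eth_dst"] != p["tha"]:
        failed.append("dest-mac")
    if "ip" in checks and (ip_invalid(p["spa"]) or (is_reply and ip_invalid(p["tpa"]))):
        failed.append("ip")
    return failed

def build(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Build a constructed test frame from hex MACs and dotted-quad IPs."""
    mac = bytes.fromhex
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

# Constructed samples (MACs and IPs are made up for the illustration).
A, B, X = "0200000000aa", "0200000000bb", "0200000000ee"
GOOD_REPLY = build(A, B, 2, B, "10.0.0.2", A, "10.0.0.1")
SPOOFED_SHA = build(A, X, 2, B, "10.0.0.2", A, "10.0.0.1")   # Ethernet src != sender MAC
WRONG_TARGET = build(A, B, 2, B, "10.0.0.2", X, "10.0.0.1")  # Ethernet dst != target MAC
BAD_SENDER_IP = build("ffffffffffff", B, 1, B, "224.0.0.5", "000000000000", "10.0.0.1")
```

With only dest-mac enabled, the SPOOFED_SHA frame passes, which is why the example command enables src-mac and dest-mac together.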