Configuring ARP Validation
Before you configure ARP validation, you must enable DHCP snooping on the
switch.
- Enable DHCP snooping using the command:
  enable ip-security dhcp-snooping {vlan} vlan_name ports [all | ports] violation-action [drop-packet {[block-mac | block-port] [duration duration_in_seconds | permanently] | none]}] {snmp-trap}
ARP validation is disabled by default.
- Enable and configure ARP validation using the command:
  enable ip-security arp validation {destination-mac} {source-mac} {ip} {vlan} vlan_name [all | ports] violation-action [drop-packet {[block-port] [duration duration_in_seconds | permanently]}] {snmp-trap}
The violation action setting determines what action(s) the switch takes
when an invalid ARP packet is received.
Any violation that occurs causes the switch to generate an Event
Management System (EMS) log message. You can suppress these log messages by
configuring EMS log filters. For more information about EMS, see the section
Using the Event Management System/Logging.
- Disable ARP validation using the command:
  disable ip-security arp validation {vlan} vlan_name [all | ports]
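
A worked instance of the commands above, in the required order. This is an added example, not part of the original documentation; the VLAN name corp_users and the 300-second block duration are constructed values, and only keywords shown in the syntax above are used.

```exos
# Step 1: DHCP snooping must be enabled on the VLAN first.
# Violating packets are dropped and the offending port is blocked for
# 300 seconds; an SNMP trap is sent for each violation.
enable ip-security dhcp-snooping vlan corp_users ports all violation-action drop-packet block-port duration 300 snmp-trap

# Step 2: enable ARP validation on the same VLAN with the source-mac and ip
# checks selected, the same drop-and-block action, and SNMP traps.
enable ip-security arp validation source-mac ip vlan corp_users all violation-action drop-packet block-port duration 300 snmp-trap

# Rollback: turn ARP validation off again on all ports of the VLAN.
disable ip-security arp validation vlan corp_users all
```

A timed block-port action limits the outage if a legitimate host trips the check; the permanently keyword keeps the port blocked instead.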