Before you configure ARP validation, you must enable DHCP snooping on the switch.
- Enable DHCP snooping using the command:
enable ip-security dhcp-snooping [dynamic | {vlan} vlan_name] ports [all | ports] violation-action [drop-packet {[block-mac | block-port] [duration duration_in_seconds | permanently] | none]}] {snmp-trap}
ARP validation is disabled by default.
- Enable and configure ARP validation using the command:
enable ip-security arp validation {destination-mac} {source-mac} {ip} [dynamic vlan_id | {vlan} vlan_name] [all | ports] violation-action [drop-packet {[block-port] [duration duration_in_seconds | permanently]}] {snmp-trap}
The violation action setting determines what action(s) the switch takes when an invalid ARP is received. Any violation that occurs causes the switch to generate an EMS log message. You can suppress these log messages by configuring EMS log filters. For more information about EMS, see the section Using the Event Management System/Logging.
- Disable ARP validation using the command:
disable ip-security arp validation [dynamic | {vlan} vlan_name] [all | ports]