Enables ARP validation for the specified VLAN and member ports.
Parameter | Description
--- | ---
destination-mac | Specifies that the switch checks ARP responses: the destination MAC address in the Ethernet header must match the target (receiver) hardware address in the ARP payload.
source-mac | Specifies that the switch checks ARP requests and responses: the source MAC address in the Ethernet header must match the sender hardware address in the ARP payload.
ip | Specifies that the switch checks the sender IP address in the ARP payload against the DHCP bindings database. If the IP address exists in the DHCP bindings table, the switch verifies that the bound MAC address is the same as the sender hardware address in the ARP packet. If it is not, the packet is dropped.
vlan_name | Specifies the name of the VLAN to which this rule applies.
all | Specifies that all ports in the VLAN participate in ARP validation.
ports | Specifies one or more ports that participate in ARP validation.
drop-packet | Specifies that the switch drops the invalid ARP packet.
block-port | Specifies that the switch disables the port on which the invalid ARP packet was received, either temporarily (duration_in_seconds) or permanently.
duration_in_seconds | Specifies that the switch temporarily disables the port for this many seconds upon receiving an invalid ARP packet. The range is given in seconds.
permanently | Specifies that the switch permanently disables the port upon receiving an invalid ARP packet.
snmp-trap | Specifies that the switch sends an SNMP trap when a violation occurs.
By default, ARP validation is disabled.
The violation action setting determines what action(s) the switch takes when an invalid ARP packet is received.
Every violation causes the switch to generate an EMS log message. You can suppress these messages by configuring EMS log filters.
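The following is an added example, not code from Extreme Networks or the ExtremeXOS documentation. It models the three checks described in the table (destination-mac, source-mac, ip) by parsing raw Ethernet+ARP frames and comparing the header and payload fields against a constructed DHCP bindings table, then models the drop-packet and block-port violation actions. The bindings, MAC/IP addresses, frame builder and the ValidatedPort class are constructed for this demonstration; treating a sender IP with no DHCP binding as invalid is an assumption of this model, not a statement about switch behaviour.

```python
"""Model of the ARP validation checks and violation actions described above.

Added example (not ExtremeXOS code). Bindings, addresses and frames are
constructed for the demo; an unbound sender IP fails the "ip" check here,
which is an assumption of this model.
"""
import struct
from collections import namedtuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed DHCP snooping bindings (IP -> MAC) for the VLAN being validated.
DHCP_BINDINGS = {
    "10.0.0.10": "00:11:22:33:44:55",
    "10.0.0.20": "00:11:22:33:44:66",
}

ArpFrame = namedtuple(
    "ArpFrame", "eth_dst eth_src opcode sender_mac sender_ip target_mac target_ip")


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Parse an Ethernet II frame carrying an Ethernet/IPv4 ARP packet (42 bytes)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpFrame(_mac(eth_dst), _mac(eth_src), op,
                    _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Construct a test frame (demo helper, not a switch feature)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETH_P_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                          mac(sha), ip(spa), mac(tha), ip(tpa)))


def validate_arp(frame: bytes, checks=("destination-mac", "source-mac", "ip")) -> list:
    """Return the enabled checks the frame fails (empty list = valid ARP packet)."""
    a = parse_arp_frame(frame)
    failed = []
    # destination-mac: on replies, Ethernet destination must equal the ARP target hardware address.
    if "destination-mac" in checks and a.opcode == ARP_REPLY and a.eth_dst != a.target_mac:
        failed.append("destination-mac")
    # source-mac: Ethernet source must equal the ARP sender hardware address (requests and replies).
    if "source-mac" in checks and a.eth_src != a.sender_mac:
        failed.append("source-mac")
    # ip: the sender IP's DHCP binding must carry the sender hardware address
    # (no binding -> None -> fails; assumption of this model).
    if "ip" in checks and DHCP_BINDINGS.get(a.sender_ip) != a.sender_mac:
        failed.append("ip")
    return failed


class ValidatedPort:
    """Violation-action model: drop-packet, or block-port for `duration` seconds
    (None = permanently). Each violation is recorded like an EMS log message."""

    def __init__(self, action="drop-packet", duration=None):
        self.action, self.duration = action, duration
        self.disabled_until = None  # None: forwarding; inf: permanently disabled
        self.log = []

    def handle(self, frame: bytes, now: float = 0.0) -> str:
        if self.disabled_until is not None and now < self.disabled_until:
            return "dropped: port disabled"
        failed = validate_arp(frame)
        if not failed:
            return "forwarded"
        self.log.append(f"ARP validation failed ({', '.join(failed)}) -> {self.action}")
        if self.action == "block-port":
            self.disabled_until = float("inf") if self.duration is None else now + self.duration
        return "dropped"


# Constructed traffic: a legitimate request, an ARP-poisoning reply that claims the
# victim's IP with the attacker's MAC, and a request whose header and payload MACs differ.
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:55", "10.0.0.10"
ATTACKER_MAC = "00:11:22:33:44:66"
GATEWAY_MAC, GATEWAY_IP = "00:aa:bb:cc:dd:01", "10.0.0.1"
LEGIT_REQUEST = build_arp_frame(BROADCAST, VICTIM_MAC, ARP_REQUEST,
                                VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP)
POISON_REPLY = build_arp_frame(GATEWAY_MAC, ATTACKER_MAC, ARP_REPLY,
                               ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)
MISMATCH_REQUEST = build_arp_frame(BROADCAST, ATTACKER_MAC, ARP_REQUEST,
                                   VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP)

if __name__ == "__main__":
    for name, f in (("legit", LEGIT_REQUEST), ("poison", POISON_REPLY), ("mismatch", MISMATCH_REQUEST)):
        print(name, validate_arp(f) or "valid")
    port = ValidatedPort("block-port", duration=30)
    print(port.handle(POISON_REPLY, now=0), "|", port.handle(LEGIT_REQUEST, now=10),
          "|", port.handle(LEGIT_REQUEST, now=40))
```

The poisoning reply passes the two MAC-consistency checks, because the attacker uses its own MAC in both the Ethernet header and the ARP payload, and is caught only by the ip check against the bindings table; this is why the ip check (and therefore DHCP snooping) is the one that actually stops ARP poisoning, while the MAC checks catch crafted header/payload mismatches. With block-port and a duration of 30, the port discards even legitimate ARP until the timer expires.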
To display information about ARP validation, use the following command:
show ip-security arp validation {vlan} vlan_name
The following example enables ARP validation on port 1:1 of the VLAN valid and drops invalid ARP packets:
enable ip-security arp validation vlan valid ports 1:1 drop-packet
This command was first available in ExtremeXOS 11.6.