enable ip-security arp validation violation-action
Description
Enables ARP validation for the specified VLAN and member ports.
Syntax Description
| Parameter | Description |
| --- | --- |
| destination-mac | Specifies that the switch checks the ARP payload for the MAC destination address in the Ethernet header and the receiver's host address in the ARP response. |
| source-mac | Specifies that the switch checks ARP requests and responses for the MAC source address in the Ethernet header and the sender's host address in the ARP payload. |
| ip | Specifies that the switch checks the IP address in the ARP payload and compares it to the DHCP bindings database. If the IP address exists in the DHCP bindings table, the switch verifies that the MAC address is the same as the sender hardware address in the ARP request. If not, the packet is dropped. |
| dynamic | Configuration options for dynamically created VLANs. |
| vlan_id | VLAN ID tag between 1 and 4,094. |
| vlan_name | Specifies the name of the VLAN to which this rule applies. |
| all | Specifies that all ports participate in ARP validation. |
| ports | Specifies one or more ports that participate in ARP validation. |
| drop-packet | Specifies that the switch drops the invalid ARP packet. |
| block-port | Specifies that the switch blocks invalid ARP requests on the specified port. |
| duration_in_seconds | Specifies that the switch temporarily disables the specified port upon receiving an invalid ARP request. The range is seconds. |
| permanently | Specifies that the switch permanently disables the port upon receiving an invalid ARP request. |
| snmp-trap | Specifies that the switch sends an SNMP trap when a violation occurs. |
Default
By default, ARP validation is disabled.
Usage Guidelines
The violation action setting determines what action(s) the switch takes when an invalid ARP is received.
- Drop packet—The switch confirms that the MAC address and its corresponding IP address are in the DHCP binding database built by DHCP snooping. This is the default behavior when you enable ARP validation. If the MAC address and its corresponding IP address are in the DHCP bindings database, the entry is valid. If the MAC address and its corresponding IP address are not in the DHCP bindings database, the entry is invalid, and the switch drops the ARP packet.
- IP address—The switch checks the IP address in the ARP payload. If the switch receives an IP address in the ARP payload that is in the DHCP binding database, the entry is valid. If the switch receives an IP address that is not in the DHCP binding database, for example 255.255.255.255 or an IP multicast address, the entry is invalid or unexpected.
- Source MAC address—The switch checks ARP requests and responses for the source MAC address in the Ethernet header and the sender's host address in the ARP payload. If the source MAC address and the sender's host address are the same, the entry is valid. If the source MAC address and the sender's host address are different, the entry is invalid.
- Destination MAC address—The switch checks the ARP payload for the destination MAC address in the Ethernet header and the receiver's host address. If the destination MAC address and the target's host address are the same, the entry is valid. If the destination MAC address and the target's host address are different, the entry is invalid.
Any violation causes the switch to generate an EMS log message. You can suppress these log messages by configuring EMS log filters.
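As an added example that is not ExtremeXOS code and not from Extreme Networks, the following Python models the three validation checks (source-mac, destination-mac, ip) and the drop-packet and block-port violation actions described above, applied to constructed Ethernet/ARP frames against a hypothetical DHCP bindings table. The frame builder, the `PortGuard` class, the bindings dictionary and the sample frames are assumptions made for illustration; the destination-mac check is applied to replies only, since a request is modelled here with a broadcast Ethernet destination and an all-zero target hardware address.

```python
"""Host-side model of the ARP validation checks above (added example, not switch code)."""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ALL_CHECKS = ("source-mac", "destination-mac", "ip")


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


@dataclass
class ArpFrame:
    eth_dst: str      # destination MAC from the Ethernet header
    eth_src: str      # source MAC from the Ethernet header
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # sender hardware address (ARP payload)
    sender_ip: str    # sender protocol address (ARP payload)
    target_mac: str   # target hardware address (ARP payload)
    target_ip: str    # target protocol address (ARP payload)


def build_arp_frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Constructed Ethernet II + ARP (Ethernet/IPv4) frame, 42 bytes."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame: bytes) -> ArpFrame:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(mac_str(eth_dst), mac_str(eth_src), opcode,
                    mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def validate_arp(frame: ArpFrame, bindings: dict, checks=ALL_CHECKS) -> list:
    """Return the names of the checks that failed; an empty list means the entry is valid."""
    failures = []
    # source-mac: Ethernet source MAC must equal the ARP sender hardware address.
    if "source-mac" in checks and frame.eth_src != frame.sender_mac:
        failures.append("source-mac")
    # destination-mac: for replies, Ethernet destination MAC must equal the ARP target hardware address
    # (assumption: requests are skipped because they are broadcast with an all-zero target MAC).
    if "destination-mac" in checks and frame.opcode == ARP_REPLY and frame.eth_dst != frame.target_mac:
        failures.append("destination-mac")
    # ip: sender IP must be in the DHCP bindings and bound to the sender hardware address.
    if "ip" in checks and bindings.get(frame.sender_ip) != frame.sender_mac:
        failures.append("ip")
    return failures


class PortGuard:
    """Models the per-port violation action: drop-packet (default) or block-port."""

    def __init__(self, action="drop-packet"):
        self.action = action
        self.blocked_ports = set()
        self.log = []  # stands in for the EMS log messages a violation generates

    def handle(self, port: str, frame_bytes: bytes, bindings: dict, checks=ALL_CHECKS) -> str:
        if port in self.blocked_ports:
            return "blocked"
        try:
            failures = validate_arp(parse_arp_frame(frame_bytes), bindings, checks)
        except ValueError as exc:
            failures = [f"malformed ({exc})"]
        if not failures:
            return "forward"
        self.log.append(f"port {port}: invalid ARP, failed checks: {', '.join(failures)}")
        if self.action == "block-port":
            self.blocked_ports.add(port)
        return "drop"


# Constructed sample data: one DHCP-snooping binding and three frames arriving on port 1:1.
BINDINGS = {"10.0.0.5": "00:11:22:33:44:55"}
VALID_REQUEST = build_arp_frame(BROADCAST, "00:11:22:33:44:55", ARP_REQUEST,
                                "00:11:22:33:44:55", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1")
# Reply claiming an IP that has no DHCP binding: fails the ip check.
UNBOUND_REPLY = build_arp_frame("00:11:22:33:44:55", "de:ad:be:ef:00:01", ARP_REPLY,
                                "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5")
# Request whose Ethernet source MAC differs from the ARP sender hardware address: fails source-mac.
MISMATCHED_REQUEST = build_arp_frame(BROADCAST, "de:ad:be:ef:00:02", ARP_REQUEST,
                                     "00:11:22:33:44:55", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1")

if __name__ == "__main__":
    guard = PortGuard("block-port")
    for name, frame in [("valid", VALID_REQUEST), ("unbound", UNBOUND_REPLY), ("valid again", VALID_REQUEST)]:
        print(name, "->", guard.handle("1:1", frame, BINDINGS))
    print("\n".join(guard.log))
```

With the block-port action the third frame is refused even though it is valid on its own, which is the trade-off the duration and permanently options control on the switch; with the default drop-packet action only the offending frame is discarded.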
Displaying ARP Validation Information
To display information about ARP validation, use the following command:
show ip-security arp validation {vlan} vlan_name
Example
The following example enables ARP validation on port 1:1 of the VLAN named valid, with the drop-packet violation action:
enable ip-security arp validation vlan valid ports 1:1 drop-packet
History
This command was first available in ExtremeXOS 11.6.
Dynamic VLAN and VLAN ID options added in ExtremeXOS 30.2.
Platform Availability
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.