ARP Validation

ARP validation is also linked to the “DHCP snooping” feature. The same DHCP bindings database created when you enabled DHCP snooping is also used to validate ARP entries arriving on the specified ports.

Validation Option: DHCP
  Source IP is not present in the DHCP snooping database OR is present but Source Hardware Address doesn't match the MAC in the DHCP bindings entry.

Validation Option: IP
  ARP Request Packet Type: Source IP == Mcast OR Target IP == Mcast OR Source IP is not present in the DHCP snooping database OR Source IP exists in the DHCP bindings database but Source Hardware Address doesn't match the MAC in the DHCP bindings entry.
  ARP Response Packet Type: Source IP == Mcast OR Target IP == Mcast

Validation Option: Source-MAC
  ARP Request Packet Type: Ethernet source MAC does not match the Source Hardware Address.
  ARP Response Packet Type: Ethernet source MAC does not match the Source Hardware Address.

Validation Option: Destination-MAC
  Ethernet destination MAC does not match the Target Hardware Address.

Depending on the options specified when enabling ARP validation, the validations listed above are performed. The 'DHCP' option does not have to be specified explicitly; it is always implied when ARP validation is enabled.
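The checks above can be modelled in a few lines to see which option flags which packet. This is an added example, not the switch's own code: the ArpPacket class, the function names and the sample bindings are hypothetical, and it assumes the implied DHCP check runs on both requests and responses and the Destination-MAC check on responses only, which the page does not state.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ArpPacket:
    op: str       # "request" or "response"
    eth_src: str  # Ethernet header source MAC
    eth_dst: str  # Ethernet header destination MAC
    sha: str      # ARP Source Hardware Address
    spa: str      # ARP Source IP
    tha: str      # ARP Target Hardware Address
    tpa: str      # ARP Target IP

def binding_mismatch(pkt, bindings):
    # Source IP absent from the snooping database, or bound to a different MAC.
    return bindings.get(pkt.spa, "").lower() != pkt.sha.lower()

def is_mcast(ip):
    return ipaddress.ip_address(ip).is_multicast

def failed_checks(pkt, bindings, options=()):
    """Return the validation options the packet fails (empty list = passes)."""
    failed = []
    # 'DHCP' is always implied (assumption: applied to both packet types).
    if binding_mismatch(pkt, bindings):
        failed.append("DHCP")
    if "IP" in options:
        bad = is_mcast(pkt.spa) or is_mcast(pkt.tpa)
        if pkt.op == "request":  # requests also get the binding check
            bad = bad or binding_mismatch(pkt, bindings)
        if bad:
            failed.append("IP")
    if "Source-MAC" in options and pkt.eth_src.lower() != pkt.sha.lower():
        failed.append("Source-MAC")
    # Assumption: only responses carry a meaningful Target Hardware Address.
    if ("Destination-MAC" in options and pkt.op == "response"
            and pkt.eth_dst.lower() != pkt.tha.lower()):
        failed.append("Destination-MAC")
    return failed

# Constructed sample data: two DHCP snooping bindings and three ARP packets.
BINDINGS = {"10.0.0.1": "aa:bb:cc:00:00:01", "10.0.0.5": "aa:bb:cc:00:00:05"}
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
GOOD_REQ = ArpPacket("request", "aa:bb:cc:00:00:05", BCAST,
                     "aa:bb:cc:00:00:05", "10.0.0.5", ZERO, "10.0.0.1")
FORGED_RESP = ArpPacket("response", "de:ad:be:ef:00:01", "aa:bb:cc:00:00:05",
                        "de:ad:be:ef:00:01", "10.0.0.1",
                        "aa:bb:cc:00:00:05", "10.0.0.5")
HEADER_MISMATCH = ArpPacket("response", "de:ad:be:ef:00:02", BCAST,
                            "aa:bb:cc:00:00:01", "10.0.0.1",
                            "aa:bb:cc:00:00:05", "224.0.0.1")
```

FORGED_RESP fails on the implied DHCP check alone, while HEADER_MISMATCH carries a valid binding in the ARP body and is only caught when the IP, Source-MAC and Destination-MAC options are enabled.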