enable ip-security arp validation violation-action

enable ip-security arp validation {destination-mac} {source-mac} {ip} [dynamic vlan_id |{vlan} vlan_name] [all | ports] violation-action [drop-packet {[block-port] [duration duration_in_seconds | permanently]}] {snmp-trap}

Description

Enables ARP validation for the specified VLAN and member ports.

Syntax Description

destination-mac Specifies that the switch checks the ARP payload for the MAC destination address in the Ethernet header and the receiver‘s host address in the ARP response.
source-mac Specifies that the switch checks ARP requests and responses for the MAC source address in the Ethernet header and the sender‘s host address in the ARP payload.
ip Specifies the switch checks the IP address in the ARP payload and compares it to the DHCP bindings database. If the IP address does exist in the DHCP bindings table, the switch verifies that the MAC address is the same as the sender hardware address in the ARP request. If not, the packet is dropped.
dynamic Configuration options for dynamically created VLANs.
vlan_id VLAN ID tag between 1 and 4,094.
vlan_name Specifies the name of the VLAN to which this rule applies.
all Specifies all ports to participate in ARP validation.
ports Specifies one or more ports to participate in ARP validation.
drop-packet Specifies that the switch drops the invalid ARP packet.
block-port Indicates that the switch blocks invalid ARP requests on the specified port.
duration_in_seconds Specifies the switch to temporarily disable the specified port upon receiving an invalid ARP request.

The range is seconds.

permanently Specifies the switch to permanently disable the port upon receiving an invalid ARP request.
snmp-trap Specifies the switch to send an SNMP trap when an event occurs.

Default

By default, ARP validation is disabled.

Usage Guidelines

The violation action setting determines what action(s) the switch takes when an invalid ARP is received.

Depending on your configuration, the switch uses the following methods to check the validity of incoming ARP packets:
  • Drop packet—The switch confirms that the MAC address and its corresponding IP address are in the DHCP binding database built by DHCP snooping. This is the default behavior when you enable ARP validation. If the MAC address and its corresponding IP address are in the DHCP bindings database, the entry is valid. If the MAC address and its corresponding IP address are not in the DHCP bindings database, the entry is invalid, and the switch drops the ARP packet.
  • IP address—The switch checks the IP address in the ARP payload. If the switch receives an IP address in the ARP payload that is in the DHCP binding database, the entry is valid. If the switch receives an IP address that is not in the DHCP binding database, for example 255.255.255.255 or an IP multicast address, the entry is invalid or unexpected.
  • Source MAC address—The switch checks ARP requests and responses for the source MAC address in the Ethernet header and the sender‘s host address in the ARP payload. If the source MAC address and senders‘s host address are the same, the entry is valid. If the source MAC source and the sender‘s host address are different, the entry is invalid.
  • Destination MAC address—The switch checks the ARP payload for the destination MAC address in the Ethernet header and the receiver‘s host address. If the destination MAC address and the target‘s host address are the same, the entry is valid. If the destination MAC address and the target‘s host address are different, the entry is invalid.

Any violation that occurs causes the switch to generate an EMS log message. You can configure to suppress the log messages by configuring EMS log filters.

Displaying ARP Validation Information

To display information about ARP validation, use the following command:

show ip-security arp validation {vlan} vlan_name

Example

The following example enables ARP validation on port 1:1 of the VLAN valid:

enable ip-security arp validation vlan valid ports 1:1 drop-packet

History

This command was first available in ExtremeXOS 11.6.

Dynamic VLAN and VLAN ID options added in ExtremeXOS 30.2.

Platform Availability

This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.