Home » Cisco Manuals » Bridges & Routers » Cisco 7604 » Manual Viewer

Cisco 7604 Software Configuration Guide - Page 584

dst-mac, src-mac, Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX

Add to My Manuals
Save this manual to your list of manuals

Page 584 highlights

Configuring DAI Chapter 38 Configuring Dynamic ARP Inspection • These are the additional validations: - dst-mac-Checks the destination MAC address in the Ethernet header against the target MAC address in ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped. - ip-Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses. - src-mac-Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped. This example shows how to enable src-mac additional validation: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# ip arp inspection validate src-mac Router(config)# do show ip arp inspection | include abled$ Source Mac Validation : Enabled Destination Mac Validation : Disabled IP Address Validation : Disabled This example shows how to enable dst-mac additional validation: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# ip arp inspection validate dst-mac Router(config)# do show ip arp inspection | include abled$ Source Mac Validation : Disabled Destination Mac Validation : Enabled IP Address Validation : Disabled This example shows how to enable ip additional validation: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# ip arp inspection validate ip Router(config)# do show ip arp inspection | include abled$ Source Mac Validation : Disabled Destination Mac Validation : Disabled IP Address Validation : Enabled This example shows how to enable src-mac and dst-mac additional validation: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# ip arp inspection validate src-mac dst-mac Router(config)# do show ip arp inspection | include abled$ Source Mac Validation : Enabled Destination Mac Validation : Enabled IP Address Validation : Disabled This example shows how to enable src-mac, dst-mac, and ip additional validation: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# ip arp inspection validate src-mac dst-mac ip Router(config)# do show ip arp inspection | include abled$ Source Mac Validation : Enabled Destination Mac Validation : Enabled IP Address Validation : Enabled 38-12 Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX OL-4266-08

Section	Page
Contents	3
Preface	32
Audience	32
Related Documentation	32
Conventions	33
Product Overview	35
Supported Hardware and Software	35
User Interfaces	35
Configuring Embedded CiscoView Support	36
Understanding Embedded CiscoView	36
Installing and Configuring Embedded CiscoView	36
Displaying Embedded CiscoView Information	37
Software Features Supported in Hardware by the PFC and DFC	37
Software Features Supported in Hardware by the PFC3, PFC2, DFC3, and DFC	37
Software Features Supported in Hardware by the PFC3 and DFC3	38
Command-Line Interfaces	41
Accessing the CLI	42
Accessing the CLI through the EIA/TIA-232 Console Interface	42
Accessing the CLI through Telnet	42
Performing Command Line Processing	43
Performing History Substitution	44
Cisco IOS Command Modes	44
Displaying a List of Cisco IOS Commands and Syntax	45
Securing the CLI	46
ROM-Monitor Command-Line Interface	47
Configuring the Router for the First Time	49
Default Configuration	50
Configuring the Router	50
Using the Setup Facility or the setup Command	50
Setup Overview	50
Configuring the Global Parameters	51
Configuring Interfaces	56
Using Configuration Mode	58
Checking the Running Configuration Before Saving	58
Saving the Running Configuration Settings	59
Reviewing the Configuration	59
Configuring a Default Gateway	60
Configuring a Static Route	60
Configuring a BOOTP Server	62
Protecting Access to Privileged EXEC Commands	63
Setting or Changing a Static Enable Password	63
Using the enable password and enable secret Commands	63
Setting or Changing a Line Password	64
Setting TACACS+ Password Protection for Privileged EXEC Mode	64
Encrypting Passwords	65
Configuring Multiple Privilege Levels	65
Setting the Privilege Level for a Command	66
Changing the Default Privilege Level for Lines	66
Logging In to a Privilege Level	66
Exiting a Privilege Level	67
Displaying the Password, Access Level, and Privilege Level Configuration	67
Recovering a Lost Enable Password	67
Modifying the Supervisor Engine Startup Configuration	68
Understanding the Supervisor Engine Boot Configuration	68
Understanding the Supervisor Engine Boot Process	68
Understanding the ROM Monitor	68
Configuring the Software Configuration Register	69
Modifying the Boot Field and Using the boot Command	70
Modifying the Boot Field	71
Verifying the Configuration Register Setting	72
Specifying the Startup System Image	72
Understanding Flash Memory	72
Flash Memory Features	73
Security Features	73
Flash Memory Configuration Process	73
CONFIG_FILE Environment Variable	73
Controlling Environment Variables	74
Configuring a Supervisor Engine 720	75
Using the Bootflash or Bootdisk on a Supervisor Engine 720	76
Using the Slots on a Supervisor Engine 720	76
Configuring Supervisor Engine 720 Ports	76
Configuring and Monitoring the Switch Fabric Functionality	76
Understanding How the Switch Fabric Functionality Works	77
Switch Fabric Functionality Overview	77
Forwarding Decisions for Layer 3-Switched Traffic	77
Switching Modes	77
Configuring the Switch Fabric Functionality	78
Monitoring the Switch Fabric Functionality	78
Displaying the Switch Fabric Redundancy Status	79
Displaying Fabric Channel Switching Modes	79
Displaying the Fabric Status	80
Displaying the Fabric Utilization	80
Displaying Fabric Errors	81
Configuring a Supervisor Engine 32	83
Flash Memory on a Supervisor Engine 32	84
Supervisor Engine 32 Ports	84
Configuring the Supervisor Engine 2 and the Switch Fabric Module	85
Using the Slots on a Supervisor Engine 2	85
Understanding How the Switch Fabric Module Works	86
Switch Fabric Module Overview	86
Switch Fabric Module Slots	86
Switch Fabric Redundancy	86
Forwarding Decisions for Layer 3-Switched Traffic	86
Switching Modes	87
Configuring the Switch Fabric Module	87
Configuring the Switching Mode	88
Configuring Fabric-Required Mode	88
Configuring an LCD Message	89
Monitoring the Switch Fabric Module	89
Displaying the Module Information	91
Displaying the Switch Fabric Module Redundancy Status	91
Displaying Fabric Channel Switching Modes	91
Displaying the Fabric Status	92
Displaying the Fabric Utilization	92
Displaying Fabric Errors	92
Configuring NSF with SSO Supervisor Engine Redundancy	95
Understanding NSF with SSO Supervisor Engine Redundancy	95
NSF with SSO Supervisor Engine Redundancy Overview	96
SSO Operation	96
NSF Operation	97
Cisco Express Forwarding	97
Multicast MLS NSF with SSO	98
Routing Protocols	98
BGP Operation	98
OSPF Operation	99
IS-IS Operation	100
IETF IS-IS Configuration	100
Cisco IS-IS Configuration	101
EIGRP Operation	101
NSF Benefits and Restrictions	102
Supervisor Engine Configuration Synchronization	103
Supervisor Engine Redundancy Guidelines and Restrictions	103
Redundancy Configuration Guidelines and Restrictions	104
Hardware Configuration Guidelines and Restrictions	104
Configuration Mode Restrictions	105
NSF Configuration Tasks	105
Configuring SSO	106
Configuring Multicast MLS NSF with SSO	106
Verifying Multicast NSF with SSO	107
Configuring CEF NSF	107
Verifying CEF NSF	107
Configuring BGP NSF	108
Verifying BGP NSF	108
Configuring OSPF NSF	109
Verifying OSPF NSF	109
Configuring IS-IS NSF	110
Verifying IS-IS NSF	111
Configuring EIGRP NSF	113
Verifying EIGRP NSF	113
Synchronizing the Supervisor Engine Configurations	114
Copying Files to the Redundant Supervisor Engine	114
Configuring RPR and RPR+ Supervisor Engine Redundancy	115
Understanding RPR and RPR+	116
Supervisor Engine Redundancy Overview	116
RPR Operation	116
RPR+ Operation	117
Supervisor Engine Configuration Synchronization	117
RPR Supervisor Engine Configuration Synchronization	118
RPR+ Supervisor Engine Configuration Synchronization	118
Supervisor Engine Redundancy Guidelines and Restrictions	118
Redundancy Guidelines and Restrictions	118
RPR+ Guidelines and Restrictions	119
Hardware Configuration Guidelines and Restrictions	119
Configuration Mode Restrictions	120
Configuring Supervisor Engine Redundancy	120
Configuring Redundancy	120
Synchronizing the Supervisor Engine Configurations	121
Displaying the Redundancy States	121
Performing a Fast Software Upgrade	122
Copying Files to an MSFC	123
Configuring Interfaces	125
Understanding Interface Configuration	126
Using the Interface Command	126
Configuring a Range of Interfaces	128
Defining and Using Interface-Range Macros	130
Configuring Optional Interface Features	130
Configuring Ethernet Interface Speed and Duplex Mode	131
Speed and Duplex Mode Configuration Guidelines	131
Configuring the Ethernet Interface Speed	131
Setting the Interface Duplex Mode	132
Configuring Link Negotiation on Gigabit Ethernet Ports	132
Displaying the Speed and Duplex Mode Configuration	133
Configuring Jumbo Frame Support	134
Understanding Jumbo Frame Support	134
Jumbo Frame Support Overview	134
Bridged and Routed Traffic Size Check at Ingress 10, 10/100, and 100 Mbps Ethernet and 10-Gigabit Ethernet Ports	135
Bridged and Routed Traffic Size Check at Ingress Gigabit Ethernet Ports	135
Routed Traffic Size Check on the PFC	135
Bridged and Routed Traffic Size Check at Egress 10, 10/100, and 100 Mbps Ethernet Ports	135
Bridged and Routed Traffic Size Check at Egress Gigabit Ethernet and 10-Gigabit Ethernet Ports	135
Ethernet Ports	135
Ethernet Port Overview	135
Layer 3 Ethernet Ports	136
Layer 2 Ethernet Ports	136
VLAN Interfaces	136
Configuring MTU Sizes	136
Configuring the MTU Size	136
Configuring the Global Egress LAN Port MTU Size	137
Configuring IEEE 802.3x Flow Control	137
Configuring the Port Debounce Timer	138
Adding a Description for an Interface	140
Understanding Online Insertion and Removal	140
Monitoring and Maintaining Interfaces	141
Monitoring Interface Status	141
Clearing Counters on an Interface	141
Resetting an Interface	142
Shutting Down and Restarting an Interface	142
Checking the Cable Status Using the TDR	143
Configuring LAN Ports for Layer 2 Switching	145
Understanding How Layer 2 Switching Works	145
Understanding Layer 2 Ethernet Switching	146
Layer 2 Ethernet Switching Overview	146
Switching Frames Between Segments	146
Building the Address Table	146
Understanding VLAN Trunks	147
Trunking Overview	147
Encapsulation Types	147
Layer 2 LAN Port Modes	148
Default Layer 2 LAN Interface Configuration	149
Layer 2 LAN Interface Configuration Guidelines and Restrictions	149
Configuring LAN Interfaces for Layer 2 Switching	150
Configuring a LAN Port for Layer 2 Switching	151
Configuring a Layer 2 Switching Port as a Trunk	152
Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk	152
Configuring the Layer 2 Trunk to Use DTP	153
Configuring the Layer 2 Trunk Not to Use DTP	153
Configuring the Access VLAN	154
Configuring the 802.1Q Native VLAN	154
Configuring the List of VLANs Allowed on a Trunk	155
Configuring the List of Prune-Eligible VLANs	155
Completing Trunk Configuration	156
Verifying Layer 2 Trunk Configuration	156
Configuration and Verification Examples	157
Configuring a LAN Interface as a Layer 2 Access Port	158
Configuring a Custom IEEE 802.1Q EtherType Field Value	159
Configuring Flex Links	161
Understanding Flex Links	161
Configuring Flex Links	162
Flex Links Default Configuration	162
Flex Links Configuration Guidelines and Restrictions	162
Configuring Flex Links	163
Monitoring Flex Links	164
Configuring EtherChannels	165
Understanding How EtherChannels Work	165
EtherChannel Feature Overview	166
Understanding How EtherChannels Are Configured	166
EtherChannel Configuration Overview	166
Understanding Manual EtherChannel Configuration	167
Understanding PAgP EtherChannel Configuration	167
Understanding IEEE 802.3ad LACP EtherChannel Configuration	168
Understanding Port Channel Interfaces	169
Understanding Load Balancing	169
EtherChannel Feature Configuration Guidelines and Restrictions	169
Configuring EtherChannels	171
Configuring Port Channel Logical Interfaces for Layer 3 EtherChannels	171
Configuring Channel Groups	172
Configuring the LACP System Priority and System ID	174
Configuring EtherChannel Load Balancing	175
Configuring the EtherChannel Min-Links Feature	176
Configuring VTP	177
Understanding How VTP Works	177
Understanding the VTP Domain	178
Understanding VTP Modes	178
Understanding VTP Advertisements	179
Understanding VTP Version 2	179
Understanding VTP Pruning	180
VTP Default Configuration	181
VTP Configuration Guidelines and Restrictions	181
Configuring VTP	182
Configuring VTP Global Parameters	182
Configuring a VTP Password	183
Enabling VTP Pruning	183
Enabling VTP Version 2	184
Configuring the VTP Mode	185
Displaying VTP Statistics	186
Configuring VLANs	189
Understanding How VLANs Work	189
VLAN Overview	190
VLAN Ranges	190
Configurable VLAN Parameters	191
Understanding Token Ring VLANs	191
Token Ring TrBRF VLANs	191
Token Ring TrCRF VLANs	192
VLAN Default Configuration	194
VLAN Configuration Guidelines and Restrictions	196
Configuring VLANs	197
VLAN Configuration Options	197
VLAN Configuration in Global Configuration Mode	197
VLAN Configuration in VLAN Database Mode	198
Creating or Modifying an Ethernet VLAN	198
Assigning a Layer 2 LAN Interface to a VLAN	200
Configuring the Internal VLAN Allocation Policy	200
Configuring VLAN Translation	201
VLAN Translation Guidelines and Restrictions	201
Configuring VLAN Translation on a Trunk Port	203
Enabling VLAN Translation on Other Ports in a Port Group	203
Mapping 802.1Q VLANs to ISL VLANs	204
Saving VLAN Information	205
Configuring Private VLANs	207
Understanding How Private VLANs Work	207
Private VLAN Domains	208
Private VLAN Ports	209
Primary, Isolated, and Community VLANs	209
Private VLAN Port Isolation	210
IP Addressing Scheme with Private VLANs	210
Private VLANs Across Multiple Routers	211
Private VLAN Interaction with Other Features	211
Private VLANs and Unicast, Broadcast, and Multicast Traffic	212
Private VLANs and SVIs	212
Private VLAN Configuration Guidelines and Restrictions	212
Secondary and Primary VLAN Configuration	213
Private VLAN Port Configuration	215
Limitations with Other Features	215
Configuring Private VLANs	217
Configuring a VLAN as a Private VLAN	217
Associating Secondary VLANs with a Primary VLAN	218
Mapping Secondary VLANs to the Layer 3 VLAN Interface of a Primary VLAN	219
Configuring a Layer 2 Interface as a Private VLAN Host Port	220
Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port	221
Monitoring Private VLANs	223
Configuring Cisco IP Phone Support	225
Understanding Cisco IP Phone Support	225
Cisco IP Phone Connections	226
Cisco IP Phone Voice Traffic	226
Cisco IP Phone Data Traffic	227
Cisco IP Phone Power Configurations	227
Locally Powered Cisco IP Phones	227
Inline-Powered Cisco IP Phones	228
Other Cisco IP Phone Features	228
Default Cisco IP Phone Support Configuration	229
Cisco IP Phone Support Configuration Guidelines and Restrictions	229
Configuring Cisco IP Phone Support	230
Configuring Voice Traffic Support	230
Configuring Data Traffic Support	231
Configuring Inline Power Support	232
Configuring IEEE 802.1Q Tunneling	235
Understanding How 802.1Q Tunneling Works	235
802.1Q Tunneling Configuration Guidelines and Restrictions	237
Configuring 802.1Q Tunneling	240
Configuring 802.1Q Tunnel Ports	240
Configuring the Router to Tag Native VLAN Traffic	240
Configuring Layer 2 Protocol Tunneling	243
Understanding How Layer 2 Protocol Tunneling Works	243
Configuring Support for Layer 2 Protocol Tunneling	244
Configuring Standard-Compliant IEEE MST	247
Understanding MST	247
MST Overview	248
MST Regions	248
IST, CIST, and CST	249
IST, CIST, and CST Overview	249
Spanning Tree Operation Within an MST Region	250
Spanning Tree Operations Between MST Regions	250
IEEE 802.1s Terminology	251
Hop Count	252
Boundary Ports	252
Standard-Compliant MST Implementation	253
Changes in Port-Role Naming	253
Spanning Tree Interoperation Between Legacy and Standard-Compliant Routers	254
Detecting Unidirectional Link Failure	254
Interoperability with IEEE 802.1D-1998 STP	255
Understanding RSTP	255
Port Roles and the Active Topology	256
Rapid Convergence	257
Synchronization of Port Roles	258
Bridge Protocol Data Unit Format and Processing	259
BPDU Format and Processing Overview	259
Processing Superior BPDU Information	260
Processing Inferior BPDU Information	260
Topology Changes	261
Configuring MST	261
Default MST Configuration	262
MST Configuration Guidelines and Restrictions	262
Specifying the MST Region Configuration and Enabling MST	263
Configuring the Root Bridge	265
Configuring a Secondary Root Bridge	266
Configuring Port Priority	267
Configuring Path Cost	268
Configuring the Switch Priority	269
Configuring the Hello Time	270
Configuring the Forwarding-Delay Time	271
Configuring the Transmit Hold Count	271
Configuring the Maximum-Aging Time	272
Configuring the Maximum-Hop Count	272
Specifying the Link Type to Ensure Rapid Transitions	272
Designating the Neighbor Type	273
Restarting the Protocol Migration Process	274
Displaying the MST Configuration and Status	274
Configuring STP and Prestandard IEEE 802.1s MST	275
Understanding How STP Works	276
STP Overview	276
Understanding the Bridge ID	276
Bridge Priority Value	277
Extended System ID	277
STP MAC Address Allocation	277
Understanding Bridge Protocol Data Units	278
Election of the Root Bridge	278
STP Protocol Timers	279
Creating the Spanning Tree Topology	279
STP Port States	280
STP Port State Overview	280
Blocking State	282
Listening State	283
Learning State	284
Forwarding State	285
Disabled State	286
STP and IEEE 802.1Q Trunks	286
Understanding How IEEE 802.1w RSTP Works	287
IEEE 802.1w RSTP Overview	287
RSTP Port Roles	287
RSTP Port States	288
Rapid-PVST	288
Understanding How Prestandard IEEE 802.1s MST Works	288
IEEE 802.1s MST Overview	289
MST-to-PVST Interoperability	290
Common Spanning Tree	292
MST Instances	292
MST Configuration Parameters	292
MST Regions	293
MST Region Overview	293
Boundary Ports	293
IST Master	294
Edge Ports	294
Link Type	294
Message Age and Hop Count	294
Default STP Configuration	295
STP and MST Configuration Guidelines and Restrictions	295
Configuring STP	296
Enabling STP	296
Enabling the Extended System ID	298
Configuring the Root Bridge	298
Configuring a Secondary Root Bridge	300
Configuring STP Port Priority	301
Configuring STP Port Cost	302
Configuring the Bridge Priority of a VLAN	304
Configuring the Hello Time	305
Configuring the Forward-Delay Time for a VLAN	306
Configuring the Maximum Aging Time for a VLAN	306
Enabling Rapid-PVST	307
Specifying the Link Type	307
Restarting Protocol Migration	307
Configuring Prestandard IEEE 802.1s MST	307
Enabling MST	308
Displaying MST Configurations	309
Configuring MST Instance Parameters	313
Configuring MST Instance Port Parameters	314
Restarting Protocol Migration	314
Configuring Optional STP Features	317
Understanding How PortFast Works	318
Understanding How BPDU Guard Works	318
Understanding How PortFast BPDU Filtering Works	318
Understanding How UplinkFast Works	319
Understanding How BackboneFast Works	320
Understanding How EtherChannel Guard Works	322
Understanding How Root Guard Works	323
Understanding How Loop Guard Works	323
Enabling PortFast	324
Enabling PortFast BPDU Filtering	326
Enabling BPDU Guard	328
Enabling UplinkFast	328
Enabling BackboneFast	329
Enabling EtherChannel Guard	330
Enabling Root Guard	330
Enabling Loop Guard	331
Configuring Layer 3 Interfaces	333
Layer 3 Interface Configuration Guidelines and Restrictions	334
Configuring Subinterfaces on Layer 3 Interfaces	334
Configuring IPv4 Routing and Addresses	336
Configuring IPX Routing and Network Numbers	340
Configuring AppleTalk Routing, Cable Ranges, and Zones	341
Configuring Other Protocols on Layer 3 Interfaces	342
Configuring UDE and UDLR	343
Understanding UDE and UDLR	343
UDE and UDLR Overview	343
Supported Hardware	344
Understanding UDE	344
UDE Overview	344
Understanding Hardware-Based UDE	344
Understanding Software-Based UDE	345
Understanding UDLR	345
Configuring UDE and UDLR	345
Configuring UDE	345
UDE Configuration Guidelines	346
Configuring Hardware-Based UDE	346
Configuring Software-Based UDE	347
Configuring UDLR	348
UDLR Back-Channel Tunnel Configuration Guidelines	348
Configuring a Receive-Only Tunnel Interface for a UDE Send-Only Port	349
Configuring a Send-Only Tunnel Interface for a UDE Receive-Only Port	349
Router A Configuration	350
Router B Configuration	350
Configuring PFC3BXL and PFC3B Mode Multiprotocol Label Switching	351
PFC3BXL and PFC3B Mode MPLS Label Switching	351
Understanding MPLS	352
Understanding PFC3BXL and PFC3B Mode MPLS Label Switching	352
IP to MPLS	353
MPLS to MPLS	354
MPLS to IP	354
MPLS VPN Forwarding	354
Recirculation	354
Supported Hardware Features	355
Supported Cisco IOS Features	355
MPLS Guidelines and Restrictions	357
PFC3BXL and PFC3B Mode MPLS Supported Commands	357
Configuring MPLS	358
MPLS Per-Label Load Balancing	358
Basic MPLS Load Balancing	358
MPLS Layer 2 VPN Load Balancing	358
MPLS Layer 3 VPN Load Balancing	358
MPLS Configuration Examples	358
PFC3BXL or PFC3B Mode VPN Switching	360

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1,000
1,001
1,002
1,003
1,004
1,005
1,006
1,007
1,008
1,009
1,010
1,011

Match case Limit results 1 per page

38-12

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX

OL-4266-08

Chapter 38

Configuring Dynamic ARP Inspection

Configuring DAI

•

These are the additional validations:

–

dst-mac

—Checks the destination MAC address in the Ethernet header against the target MAC

address in ARP body. This check is performed for ARP responses. When enabled, packets with

different MAC addresses are classified as invalid and are dropped.

–

—Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0,

255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP

requests and responses, and target IP addresses are checked only in ARP responses.

–

src-mac

—Checks the source MAC address in the Ethernet header against the sender MAC

address in the ARP body. This check is performed on both ARP requests and responses. When

enabled, packets with different MAC addresses are classified as invalid and are dropped.

This example shows how to enable src-mac additional validation:

Router#

configure terminal

Enter configuration commands, one per line.

End with CNTL/Z.

Router(config)#

ip arp inspection validate src-mac

Router(config)#

do show ip arp inspection | include abled$

Source Mac Validation

: Enabled

Destination Mac Validation : Disabled

IP Address Validation

: Disabled

This example shows how to enable dst-mac additional validation:

Router#

configure terminal

Enter configuration commands, one per line.

End with CNTL/Z.

Router(config)#

ip arp inspection validate dst-mac

Router(config)#

do show ip arp inspection | include abled$

Source Mac Validation

: Disabled

Destination Mac Validation : Enabled

IP Address Validation

: Disabled

This example shows how to enable ip additional validation:

Router#

configure terminal

Enter configuration commands, one per line.

End with CNTL/Z.

Router(config)#

ip arp inspection validate ip

Router(config)#

do show ip arp inspection | include abled$

Source Mac Validation

: Disabled

Destination Mac Validation : Disabled

IP Address Validation

: Enabled

This example shows how to enable src-mac and dst-mac additional validation:

Router#

configure terminal

Enter configuration commands, one per line.

End with CNTL/Z.

Router(config)#

ip arp inspection validate src-mac dst-mac

Router(config)#

do show ip arp inspection | include abled$

Source Mac Validation

: Enabled

Destination Mac Validation : Enabled

IP Address Validation

: Disabled

This example shows how to enable src-mac, dst-mac, and ip additional validation:

Router#

configure terminal

Enter configuration commands, one per line.

End with CNTL/Z.

Router(config)#

ip arp inspection validate src-mac dst-mac ip

Router(config)#

do show ip arp inspection | include abled$

Source Mac Validation

: Enabled

Destination Mac Validation : Enabled

IP Address Validation

: Enabled