Security
ARP Inspection
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
STEP 1 Click Security > ARP Inspection > Properties.
Enter the following fields:
• ARP Inspection Status—Select to enable ARP Inspection.
• ARP Packet Validation—Select to enable the following validation checks:
- Source MAC — Compares the packet's source MAC address in the Ethernet header against the sender's MAC address in the ARP request. This check is performed on both ARP requests and responses.
- Destination MAC — Compares the packet's destination MAC address in the Ethernet header against the destination interface's MAC address. This check is performed for ARP responses.
- IP Addresses — Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP Multicast addresses.
• Log Buffer Interval—Select one of the following options:
- Retry Frequency—Enable sending SYSLOG messages for dropped packets. Enter the frequency with which the messages are sent.
- Never—Disable SYSLOG messages for dropped packets.
STEP 2 Click Apply. The settings are defined, and the Running Configuration file is
updated.
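The three ARP Packet Validation checks above, applied to raw Ethernet/ARP frames in Python. This is an added example, not code from the guide or the switch firmware. It assumes that the "destination interface's MAC address" is the target MAC field in the ARP body and that both the sender and target IP fields are examined; the function names and sample frames are constructed for illustration.

```python
import ipaddress
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
BROADCAST_IP = ipaddress.IPv4Address("255.255.255.255")

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a raw Ethernet + IPv4 ARP frame (used for the constructed samples)."""
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), 0x0806)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                             socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

def bad_ip(packed):
    ip = ipaddress.IPv4Address(packed)
    return ip.is_unspecified or ip == BROADCAST_IP or ip.is_multicast

def validate_arp(frame):
    """Return the names of the failed checks; an empty list means the packet passes."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte IPv4 ARP body
        return ["truncated"]
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["not-ipv4-arp"]
    failed = []
    # Source MAC: Ethernet source vs. ARP sender MAC, for requests and responses.
    if eth_src != sha:
        failed.append("source-mac")
    # Destination MAC: responses only (assumption: compared with the ARP target MAC).
    if oper == ARP_REPLY and eth_dst != tha:
        failed.append("destination-mac")
    # IP Addresses: 0.0.0.0, 255.255.255.255 and multicast (assumption: both IP fields).
    if bad_ip(spa) or bad_ip(tpa):
        failed.append("ip-addresses")
    return failed

# Constructed sample frames; MAC and IP values are made up for illustration.
A, B, ZERO, BCAST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"
SAMPLES = {
    "good_request": build_arp(BCAST, A, ARP_REQUEST, A, "192.0.2.10", ZERO, "192.0.2.1"),
    "good_reply": build_arp(A, B, ARP_REPLY, B, "192.0.2.1", A, "192.0.2.10"),
    "sender_mismatch": build_arp(A, B, ARP_REPLY, "de:ad:be:ef:00:01", "192.0.2.1", A, "192.0.2.10"),
    "broadcast_reply": build_arp(BCAST, B, ARP_REPLY, B, "192.0.2.1", A, "192.0.2.10"),
    "multicast_sender_ip": build_arp(BCAST, A, ARP_REQUEST, A, "224.0.0.5", ZERO, "192.0.2.1"),
}
```

Under these assumptions a reply sent to the broadcast address fails the Destination MAC check, so enabling that check is worth testing against hosts that announce themselves with broadcast replies.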
Defining Dynamic ARP Inspection Interfaces Settings
Packets from untrusted ports/LAGs are checked against the ARP Access Rules
table and the DHCP Snooping Binding database if DHCP Snooping is enabled (see
the DHCP Snooping Binding Database page).
By default, ports/LAGs are ARP Inspection untrusted.
To change the ARP trusted status of a port/LAG:
STEP 1 Click Security > ARP Inspection > Interface Settings.
The ports/LAGs and their ARP trusted/untrusted status are displayed.
STEP 2 To set a port/LAG as untrusted, select the port/LAG and click Edit.