11.14. Arp Inspection Commands
11.14.1. show ip arp inspection
Command Purpose
Use this command to display the configuration of arp inspection.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show ip arp inspection
Command Mode
Privileged EXEC
Default
None
Usage
This command is used to show the general configuration of arp inspection.
Examples
This example shows how to display the information of arp inspection:
Switch# show ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration ACL Match Static ACL
=================================================================
1 enabled acl
Vlan ACL Logging DHCP Logging
=================================================================
1 deny deny
Vlan Forwarded Dropped DHCP Drops ACL Drops
=================================================================
1 0 0 0 0
Vlan DHCP Permits ACL Permits Source MAC Failures
=================================================================
1 0 0 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
=================================================================
1 0 0 0
11.14.2. show ip arp inspection interfaces
Command Purpose
Use this command to display the arp inspection configuration of the specified interface.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show ip arp inspection interfaces ( IFNAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
IFNAME | Interface name | Supports physical, aggregation, loopback, VLAN and tunnel ports
Command Mode
Privileged EXEC
Default
No default is defined.
Usage
This command is used to show the arp inspection configuration on an interface.
Examples
This example shows how to display the arp inspection configuration of all interfaces:
Switch# show ip arp inspection interfaces
Interface Trust State
================================
eth-0-1 untrusted
eth-0-2 untrusted
eth-0-3 untrusted
eth-0-4 untrusted
eth-0-5 untrusted
eth-0-6 untrusted
eth-0-7 untrusted
eth-0-8 untrusted
eth-0-9 untrusted
eth-0-10 untrusted
eth-0-11 untrusted
eth-0-12 untrusted
eth-0-13 untrusted
eth-0-14 untrusted
eth-0-15 untrusted
eth-0-16 untrusted
eth-0-17 untrusted
eth-0-18 untrusted
eth-0-19 untrusted
eth-0-20 untrusted
eth-0-21 untrusted
eth-0-22 untrusted
eth-0-23 untrusted
eth-0-24 untrusted
eth-0-25 untrusted
eth-0-26 untrusted
eth-0-27 untrusted
eth-0-28 untrusted
eth-0-29 untrusted
eth-0-30 untrusted
eth-0-31 untrusted
eth-0-32 untrusted
eth-0-33 untrusted
eth-0-34 untrusted
eth-0-35 untrusted
eth-0-36 untrusted
eth-0-37 untrusted
eth-0-38 untrusted
eth-0-39 untrusted
eth-0-40 untrusted
eth-0-41 untrusted
eth-0-42 untrusted
eth-0-43 untrusted
eth-0-44 untrusted
eth-0-45 untrusted
eth-0-46 untrusted
eth-0-47 untrusted
eth-0-48 untrusted
Related Commands
ip arp inspection trust
11.14.3. show ip arp inspection log
Command Purpose
Use this command to display the log configuration and the log information held in the arp inspection log buffer. The default number of entries is 32.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show ip arp inspection log ( NUMBER | )
Parameter | Parameter Description | Parameter Value
---|---|---
NUMBER | Specify the number of messages to display | 1-1024
Command Mode
Privileged EXEC
Default
No default is defined.
Usage
This command is used to verify arp inspection log settings.
Examples
This example shows how to display the log information in the arp inspection log buffer:
Switch# show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 5 entries per 1 seconds.
No entries in log buffer
Related Commands
ip arp inspection log-buffer
11.14.4. show ip arp inspection statistics
Command Purpose
Use this command to display statistics for forwarded, dropped, MAC validation failure, IP validation failure, ACL permitted and denied, and DHCP permitted and denied packets for the specified VLANs. If no VLAN is specified or if a range is specified, the command displays information only for VLANs with ARP Inspection enabled.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show ip arp inspection statistics ( vlan VLAN_RNG_STR | )
Parameter | Parameter Description | Parameter Value
---|---|---
vlan VLAN_RNG_STR | Selected VLAN range | Valid VLAN ID range is 1-4094. Use a hyphen (-) for a contiguous range and a comma (,) to separate non-contiguous VLANs, for example 1,3-5,7,9-11
Command Mode
Privileged EXEC
Default
No default is defined.
Usage
Displays statistics for forwarded, dropped, MAC validation failure, IP validation failure, ACL permitted and denied, and DHCP permitted and denied packets for the specified VLAN.
Examples
This example shows how to display the arp inspection statistics:
Switch# show ip arp inspection statistics vlan 1
Vlan Forwarded Dropped DHCP Drops ACL Drops
=================================================================
1 0 0 0 0
Vlan DHCP Permits ACL Permits Source MAC Failures
=================================================================
1 0 0 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
=================================================================
1 0 0 0
Related Commands
clear ip arp inspection statistics
11.14.5. show ip arp inspection vlan
Command Purpose
Use this command to display the configuration and the operating state of ARP Inspection for the specified VLANs.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show ip arp inspection vlan VLAN_RNG_STR
Parameter | Parameter Description | Parameter Value
---|---|---
VLAN_RNG_STR | Selected VLAN range | Valid VLAN ID range is 1-4094. Use a hyphen (-) for a contiguous range and a comma (,) to separate non-contiguous VLANs, for example 1,3-5,7,9-11
Command Mode
Privileged EXEC
Default
No default is defined.
Usage
If no VLAN is specified or if a range is specified, the command displays information only for VLANs with ARP Inspection enabled.
Examples
This example shows how to display the arp inspection configuration of VLAN 1:
Switch# show ip arp inspection vlan 1
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration ACL Match Static ACL
=================================================================
1 enabled acl
Vlan ACL Logging DHCP Logging
=================================================================
1 deny deny
Related Commands
ip arp inspection vlan
11.14.6. show debugging arp inspection
Command Purpose
Use this command to display the debug information of ARP Inspection.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show debugging arp inspection
Command Mode
Privileged EXEC
Default
No default is defined.
Usage
This command is used to show which arp inspection debugging options are currently enabled.
Examples
This example shows how to display the debug information of ARP Inspection:
Switch# show debugging arp inspection
arp inspection debugging status:
packet debugging is on
error debugging is on
Related Commands
debug arp inspection
11.14.7. debug arp inspection
Command Purpose
Use this command to configure ARP Inspection debug.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
debug arp inspection ( all | packet | events | error )
Parameter | Parameter Description | Parameter Value
---|---|---
all | Turn all debugging on | -
packet | ARP message fields | -
events | ARP Inspection events | -
error | ARP Inspection error messages | -
Command Mode
Privileged EXEC
Default
All debug disabled.
Usage
This command is used to enable arp inspection debugging for one of the options all, error, events or packet.
Examples
This example shows how to enable error debugging for ARP Inspection:
Switch# debug arp inspection error
Related Commands
show debugging arp inspection
11.14.8. ip arp inspection filter vlan
Command Purpose
Use this command to apply an ARP ACL to a VLAN.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
ip arp inspection filter ACL_NAME vlan VLAN_RNG_STR ( static | )
Parameter | Parameter Description | Parameter Value
---|---|---
ACL_NAME | ARP ACL name | String with up to 40 characters
VLAN_RNG_STR | Selected VLAN range | Valid VLAN ID range is 1-4094. Use a hyphen (-) for a contiguous range and a comma (,) to separate non-contiguous VLANs, for example 1,3-5,7,9-11
static | Apply the ACL statically | -
Command Mode
Global Config
Default
No default is defined.
Usage
This command is used to apply a configured ARP ACL to the specified VLANs so that ARP packets on those VLANs are checked against it.
Examples
This example shows how to apply the ARP ACL named acl to VLAN 2:
Switch# configure terminal
Switch(config)# ip arp inspection filter acl vlan 2 static
Related Commands
arp access-list
11.14.9. ip arp inspection log-buffer entries
Command Purpose
Use this command to set log-buffer size.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
ip arp inspection log-buffer entries NUMBER
Parameter | Parameter Description | Parameter Value
---|---|---
NUMBER | Number of log buffer entries | 10-1024
Command Mode
Global Config
Default
32 entries
Usage
The no form of this command reverts the log buffer to the default size (32).
Examples
This example shows how to set log-buffer size to 10:
Switch# configure terminal
Switch(config)# ip arp inspection log-buffer entries 10
Related Commands
show ip arp inspection log
11.14.10. ip arp inspection log-buffer logs interval
Command Purpose
Use this command to configure the rate at which DAI logging system messages are generated. The no form of the command reverts to the default system message configuration.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
ip arp inspection log-buffer logs NUMBER interval INTERVAL
no ip arp inspection log-buffer logs
Parameter | Parameter Description | Parameter Value
---|---|---
NUMBER | Number of log messages sent to syslog per interval | 0-1024
INTERVAL | Interval (seconds) | 0-86400 seconds
Command Mode
Global Config
Default
The default number of logs is 5 and the default interval is 1 second.
Usage
An interval of 0 indicates that each log entry is recorded into syslog immediately.
If the interval is not 0, a logs value of 0 indicates that no log entries are recorded into syslog; if logs is not 0, up to NUMBER log entries are recorded into syslog every INTERVAL seconds.
Examples
This example shows how to configure logging to send 12 messages every 2 seconds:
Switch# configure terminal
Switch(config)# ip arp inspection log-buffer logs 12 interval 2
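To make the three cases in the Usage text concrete, the following added example (not the switch's code) models the syslog rate rule as a per-interval budget of NUMBER entries; arrival timestamps are constructed and passed in explicitly so it runs offline. Treating "NUMBER every INTERVAL seconds" as a budget that resets at the start of each interval is this example's interpretation.

```python
class DaiSyslogRate:
    """Model of 'ip arp inspection log-buffer logs NUMBER interval INTERVAL'."""

    def __init__(self, logs: int = 5, interval: int = 1):
        # Defaults and ranges are the ones given in the command reference.
        if not (0 <= logs <= 1024 and 0 <= interval <= 86400):
            raise ValueError("logs must be 0-1024 and interval 0-86400")
        self.logs, self.interval = logs, interval
        self.window_start = None
        self.sent_in_window = 0

    def record(self, now: float) -> bool:
        """Return True if a log entry arriving at time `now` (seconds) goes to syslog."""
        if self.interval == 0:
            return True                 # interval 0: every entry is sent immediately
        if self.logs == 0:
            return False                # interval > 0 and logs 0: never sent to syslog
        if self.window_start is None or now - self.window_start >= self.interval:
            self.window_start, self.sent_in_window = now, 0   # new interval, reset budget
        if self.sent_in_window < self.logs:
            self.sent_in_window += 1    # still within this interval's budget
            return True
        return False                    # budget exhausted until the next interval

def simulate(limiter: DaiSyslogRate, arrival_times: list) -> list:
    """Feed constructed arrival timestamps through the limiter; True = sent to syslog."""
    return [limiter.record(t) for t in arrival_times]

# Constructed burst: six entries within the first second, one more two seconds later.
BURST = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 2.0]

if __name__ == "__main__":
    # With the defaults (5 per 1 s) the sixth entry of the burst is suppressed.
    print(simulate(DaiSyslogRate(), BURST))
    # With "logs 12 interval 2" from the example above, the whole burst is logged.
    print(simulate(DaiSyslogRate(logs=12, interval=2), BURST))
```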
Related Commands
None
11.14.11. ip arp inspection validate
Command Purpose
Use this command to enable additional validation on the destination MAC address, the sender and target IP addresses, and the source MAC address.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
[ no ] ip arp inspection validate ( dst-mac | ip | src-mac )
Parameter | Parameter Description | Parameter Value
---|---|---
dst-mac | Validate destination MAC address | -
ip | Validate IP addresses | -
src-mac | Validate source MAC address | -
Command Mode
Global Config
Default
No default is defined.
Usage
For src-mac, check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
For dst-mac, check the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
For ip, check the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.
Examples
This example shows how to enable additional validation on the destination MAC address:
Switch# configure terminal
Switch(config)# ip arp inspection validate dst-mac
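The following added example (not the switch's implementation) is a reference model of the three optional checks described in the Usage text, applied to a raw Ethernet/ARP frame: src-mac on requests and responses, dst-mac on responses only, and the ip check on the sender address always and on the target address only in responses. The MAC and IP addresses in the sample frames are constructed for the example.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
RESERVED_IPS = {"0.0.0.0", "255.255.255.255"}

def parse_arp_frame(frame: bytes) -> dict:
    """Parse an untagged Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12], "oper": oper,
        "sha": frame[22:28], "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": frame[32:38], "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }

def invalid_ip(addr: str) -> bool:
    """The 'ip' check: 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    return addr in RESERVED_IPS or ipaddress.IPv4Address(addr).is_multicast

def dai_validate(frame: bytes, src_mac=False, dst_mac=False, ip=False) -> list:
    """Return the names of the enabled checks that fail; [] means the packet passes."""
    p = parse_arp_frame(frame)
    failures = []
    # src-mac: Ethernet source vs. ARP sender MAC, on both requests and responses.
    if src_mac and p["eth_src"] != p["sha"]:
        failures.append("src-mac")
    # dst-mac: Ethernet destination vs. ARP target MAC, on responses only.
    if dst_mac and p["oper"] == ARP_REPLY and p["eth_dst"] != p["tha"]:
        failures.append("dst-mac")
    # ip: sender IP on every packet, target IP only on responses.
    if ip and (invalid_ip(p["spa"]) or (p["oper"] == ARP_REPLY and invalid_ip(p["tpa"]))):
        failures.append("ip")
    return failures

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Assemble a constructed test frame (Ethernet header + 28-byte ARP body)."""
    return (eth_dst + eth_src + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + sha + ipaddress.IPv4Address(spa).packed
            + tha + ipaddress.IPv4Address(tpa).packed)

MAC_A = bytes.fromhex("001122334455")   # constructed sample addresses
MAC_B = bytes.fromhex("66778899aabb")

# A well-formed reply, and a reply whose Ethernet source differs from the ARP
# sender MAC, which is exactly the mismatch that src-mac validation drops.
GOOD_REPLY = build_arp(MAC_B, MAC_A, ARP_REPLY, MAC_A, "192.168.1.1", MAC_B, "192.168.1.20")
BAD_REPLY = build_arp(MAC_B, MAC_B, ARP_REPLY, MAC_A, "192.168.1.1", MAC_B, "192.168.1.20")

if __name__ == "__main__":
    print(dai_validate(GOOD_REPLY, src_mac=True, dst_mac=True, ip=True))  # []
    print(dai_validate(BAD_REPLY, src_mac=True, dst_mac=True, ip=True))   # ['src-mac']
```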
Related Commands
show ip arp inspection
11.14.12. ip arp inspection vlan
Command Purpose
Use this command to enable ARP Inspection on vlans.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
[ no ] ip arp inspection vlan VLAN_ID
Parameter | Parameter Description | Parameter Value
---|---|---
VLAN_ID | VLAN range | Valid VLAN ID range is 1-4094. Use a hyphen (-) for a contiguous range and a comma (,) to separate non-contiguous VLANs, for example 1,3-5,7,9-11
Command Mode
Global Config
Default
No default is defined.
Usage
Enable ARP Inspection on vlans.
Examples
This example shows how to enable ARP Inspection on VLAN 2:
Switch# configure terminal
Switch(config)# ip arp inspection vlan 2
Related Commands
show ip arp inspection vlan
11.14.13. ip arp inspection vlan logging acl-match
Command Purpose
Use this command to configure ARP Inspection log filtering.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
[ no ] ip arp inspection vlan VLAN_ID logging acl-match ( matchlog | none )
Parameter | Parameter Description | Parameter Value
---|---|---
VLAN_ID | VLAN range | Valid VLAN ID range is 1-4094. Use a hyphen (-) for a contiguous range and a comma (,) to separate non-contiguous VLANs, for example 1,3-5,7,9-11
matchlog | Log packets according to the ACE logging configuration | -
none | Do not log packets that match ACLs | -
Command Mode
Global Config
Default
No default is defined.
Usage
If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access-list configuration command, ARP packets permitted or denied by the ARP Inspection are logged.
Examples
This example shows how to log permitted ARP packets on vlan 2:
Switch# configure terminal
Switch(config)# ip arp inspection vlan 2 logging acl-match matchlog
Related Commands
ip arp inspection vlan
11.14.14. ip arp inspection vlan logging dhcp-bindings
Command Purpose
Use this command to configure ARP Inspection log filtering.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
[ no ] ip arp inspection vlan VLAN_ID logging dhcp-bindings ( all | none | permit )
Parameter | Parameter Description | Parameter Value
---|---|---
VLAN_ID | VLAN range | Valid VLAN ID range is 1-4094. Use a hyphen (-) for a contiguous range and a comma (,) to separate non-contiguous VLANs, for example 1,3-5,7,9-11
all | Log all packets that match DHCP bindings | -
permit | Log packets permitted by DHCP bindings | -
none | Do not log packets that match DHCP bindings | -
Command Mode
Global Config
Default
No default is defined.
Usage
When this command is configured, ARP packets that are checked against the DHCP bindings are logged according to the selected option.
Examples
This example shows how to log all packets that match DHCP bindings on VLAN 2:
Switch# configure terminal
Switch(config)# ip arp inspection vlan 2 logging dhcp-bindings all
Related Commands
show ip arp inspection vlan
11.14.15. clear ip arp inspection log-buffer
Command Purpose
Use this command to delete all entries in the log buffer.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
clear ip arp inspection log-buffer
Command Mode
Privileged EXEC
Default
No default is defined.
Usage
This command is used to delete all entries in the log buffer.
Examples
This example shows how to delete all entries in the log buffer:
Switch# clear ip arp inspection log-buffer
Related Commands
ip arp inspection log-buffer logs
11.14.16. clear ip arp inspection statistics
Command Purpose
Use this command to delete all statistics of ARP Inspection.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
clear ip arp inspection statistics
Command Mode
Global Config
Default
No default is defined.
Usage
This command is used to delete all statistics of ARP Inspection.
Examples
This example shows how to delete all statistics of ARP Inspection:
Switch# configure terminal
Switch(config)# clear ip arp inspection statistics
Related Commands
show ip arp inspection statistics
11.14.17. ip arp inspection trust
Command Purpose
Use this command to configure the ARP Inspection interface trust state.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
ip arp inspection trust
no ip arp inspection trust
Command Mode
Interface Configuration
Default
No default is defined.
Usage
In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted.
Examples
This example shows how to configure interface eth-0-1 as untrusted for ARP Inspection:
Switch# configure terminal
Switch(config)# interface eth-0-1
Switch(config-if)# no ip arp inspection trust
Related Commands
show ip arp inspection interfaces
11.14.18. arp access-list
Command Purpose
Use this command to create an ARP ACL and enter ARP ACL configuration mode.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
arp access-list ACL_NAME
no arp access-list ACL_NAME
Parameter | Parameter Description | Parameter Value
---|---|---
ACL_NAME | An ARP access-list name | String with up to 40 characters
Command Mode
Global Config
Default
No default is defined.
Usage
In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses.
Examples
This example shows how to configure an ARP ACL:
Switch# configure terminal
Switch(config)# arp access-list acl1
Related Commands
show access-list arp
11.14.19. ip mac
Command Purpose
Use this command to configure ARP ACEs.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
( deny | permit ) ( request | response | ) ip ( IP_ADDR IP_ADDR_MASK | any | host IP_ADDR ) mac ( MAC_ADDR MAC_ADDR_MASK | any | host MAC_ADDR ) ( log | )
Parameter | Parameter Description | Parameter Value
---|---|---
deny | Specify packets to reject | -
permit | Specify packets to forward | -
request | Match ARP request packets only | -
response | Match ARP response packets only | -
IP_ADDR | Sender IP address | IPv4 address
IP_ADDR_MASK | Sender IP wildcard bits | IPv4 wildcard
any | Any sender host | -
host | A single sender host | -
MAC_ADDR | Sender host's MAC address | MAC address in HHHH.HHHH.HHHH format
MAC_ADDR_MASK | Sender MAC wildcard bits | MAC wildcard in HHHH.HHHH.HHHH format
log | Log at match | -
Command Mode
ARP ACL Configuration
Default
No default is defined.
Usage
Use this command to add ARP ACE to ARP ACL.
Examples
This example shows how to configure an ARP ACE:
Switch# configure terminal
Switch(config)# arp access-list acl1
Switch(config-arp-acl)# permit ip host 192.168.1.1 mac any
Related Commands
show access-list arp
11.14.20. no sequence-num
Command Purpose
Use this command to delete an ARP ACE.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
no sequence-num NUMBER
Parameter | Parameter Description | Parameter Value
---|---|---
NUMBER | Specify a sequence number | 1-131071
Command Mode
ARP ACL Configuration
Default
No default is defined.
Usage
This command is used to delete a configured ARP ACE by its sequence number.
Examples
This example shows how to delete an ARP ACE:
Switch# configure terminal
Switch(config)# arp access-list acl1
Switch(config-arp-acl)# no sequence-num 10
Related Commands
show access-list arp
11.14.21. show access-list arp
Command Purpose
Use this command to display the arp acl configuration.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show access-list arp ( ACL_NAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
ACL_NAME | An ARP access-list name | String with up to 40 characters
Command Mode
Privileged EXEC
Default
No default is defined.
Usage
This command is used to display the ARP ACLs configured with the arp access-list command and their ACEs.
Examples
This example shows how to display the configured ARP ACEs:
Switch# show access-list arp
arp access-list acl
10 permit request ip 1.1.1.1 0.255.255.255 mac any
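To show how an ACE in the syntax of the ip mac command (11.14.19) is evaluated, the following added example (not the switch's code) parses ACE lines in the form printed above, including IPv4 wildcard bits, MAC wildcards in HHHH.HHHH.HHHH format and the optional request/response qualifier, and matches ARP packets against them first-match-first. ACE 10 is the one shown on this page; ACE 20 and the packets are constructed, and returning None when no ACE matches is this example's convention, since the page does not state what the switch does in that case or how the static keyword changes it.

```python
import ipaddress
import re

IP_FULL, MAC_FULL = 0xFFFFFFFF, 0xFFFFFFFFFFFF

def mac_int(text: str) -> int:
    """Convert a MAC written as HHHH.HHHH.HHHH into an integer."""
    if not re.fullmatch(r"([0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}", text):
        raise ValueError(f"MAC must be in HHHH.HHHH.HHHH format, got {text!r}")
    return int(text.replace(".", ""), 16)

def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _addr_spec(tok: list, conv, full: int) -> tuple:
    """Consume 'any' | 'host ADDR' | 'ADDR WILDCARD' and return (value, wildcard bits)."""
    if tok[0] == "any":
        tok.pop(0)
        return 0, full              # every bit is "don't care"
    if tok[0] == "host":
        tok.pop(0)
        return conv(tok.pop(0)), 0  # every bit must match
    return conv(tok.pop(0)), conv(tok.pop(0))

def parse_ace(line: str) -> dict:
    """Parse one ACE as printed by 'show access-list arp' (sequence number optional)."""
    tok = line.split()
    seq = int(tok.pop(0)) if tok[0].isdigit() else None
    action = tok.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"ACE must start with permit or deny, got {action!r}")
    oper = tok.pop(0) if tok[0] in ("request", "response") else None
    if tok.pop(0) != "ip":
        raise ValueError("expected 'ip'")
    ip_rule = _addr_spec(tok, ip_int, IP_FULL)
    if tok.pop(0) != "mac":
        raise ValueError("expected 'mac'")
    mac_rule = _addr_spec(tok, mac_int, MAC_FULL)
    log = tok == ["log"]
    if tok and not log:
        raise ValueError(f"unexpected trailing tokens {tok}")
    return {"seq": seq, "action": action, "oper": oper, "ip": ip_rule, "mac": mac_rule, "log": log}

def _wild_match(value: int, rule: tuple, full: int) -> bool:
    rule_value, wildcard = rule       # bits set in the wildcard are ignored
    return (value ^ rule_value) & (full & ~wildcard) == 0

def ace_matches(ace: dict, pkt: dict) -> bool:
    if ace["oper"] is not None and ace["oper"] != pkt["oper"]:
        return False
    return (_wild_match(ip_int(pkt["spa"]), ace["ip"], IP_FULL)
            and _wild_match(mac_int(pkt["sha"]), ace["mac"], MAC_FULL))

def evaluate(acl: list, pkt: dict):
    """First matching ACE wins; returns (seq, action, log) or None if nothing matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["seq"], ace["action"], ace["log"]
    return None

# ACE 10 is the one printed on this page; ACE 20 and the packet are constructed.
ACL = [parse_ace("10 permit request ip 1.1.1.1 0.255.255.255 mac any"),
       parse_ace("20 deny ip any mac any log")]
PKT_REQ = {"oper": "request", "spa": "1.20.30.40", "sha": "0011.2233.4455"}
```

A response from the same sender falls through ACE 10 (request only) to the deny-with-log at ACE 20, which is the kind of event the matchlog logging option above is meant to surface.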
Related Commands
arp access-list