Access Security Guide K/KA/KB.15.15

Configuring Additional Validation Checks on ARP Packets
Dynamic ARP protection can be configured to perform additional validation checks on ARP packets.
By default, no additional checks are performed. To configure additional validation checks, enter
the arp-protect validate command at the global configuration level.
Syntax:
[no] arp-protect validate <[src-mac] | [dest-mac] | [ip]>
src-mac
(Optional) Drops any ARP request or response packet in which the source MAC
address in the Ethernet header does not match the sender MAC address in the
body of the ARP packet.
dest-mac
(Optional) Drops any unicast ARP response packet in which the destination
MAC address in the Ethernet header does not match the target MAC address
in the body of the ARP packet.
ip
(Optional) Drops any ARP packet in which the sender IP address is invalid.
Drops any ARP response packet in which the target IP address is invalid. Invalid
IP addresses include: 0.0.0.0, 255.255.255.255, all IP multicast addresses,
and all Class E IP addresses.
You can configure one or more of the validation checks. The following example of the
arp-protect validate command shows how to configure the validation checks for source
MAC address and destination MAC address:
HP Switch(config)# arp-protect validate src-mac dest-mac
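The three checks described above, written out as an added Python example (not code from the guide or from the switch firmware) that applies them to constructed Ethernet II / IPv4 ARP frames; the frame layout and the sample MAC and IP values are assumptions made for the illustration.

```python
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def ip_is_invalid(raw):
    """Invalid sender/target IP as the guide lists them: 0.0.0.0, 255.255.255.255,
    any multicast (224/4) and any Class E (240/4) address."""
    addr = ipaddress.IPv4Address(raw)
    return (int(addr) == 0 or int(addr) == 0xFFFFFFFF
            or addr.is_multicast or (int(addr) >> 28) == 0xF)

def validate_arp(frame, checks):
    """Apply the enabled arp-protect validate checks to one raw Ethernet/ARP frame.
    Returns the names of the checks that fail (an empty list means 'forward')."""
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    failed = []
    # src-mac: Ethernet source MAC must equal the ARP sender hardware address
    if "src-mac" in checks and eth_src != sha:
        failed.append("src-mac")
    # dest-mac: for unicast replies only, Ethernet destination must equal ARP target MAC
    unicast_dst = not (eth_dst[0] & 0x01)
    if "dest-mac" in checks and oper == ARP_REPLY and unicast_dst and eth_dst != tha:
        failed.append("dest-mac")
    # ip: sender IP is checked on every packet, target IP only on replies
    if "ip" in checks and (ip_is_invalid(spa) or (oper == ARP_REPLY and ip_is_invalid(tpa))):
        failed.append("ip")
    return failed

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Construct a 42-byte Ethernet II + IPv4 ARP frame (test data, not a capture)."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)

# Constructed sample addresses (locally administered MACs, RFC 1918 IPs)
MAC_A, MAC_B, MAC_X = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000099"))
BCAST = b"\xff" * 6
ip4 = lambda s: ipaddress.IPv4Address(s).packed
ALL = {"src-mac", "dest-mac", "ip"}

if __name__ == "__main__":
    ok = build_arp(MAC_B, MAC_A, ARP_REPLY, MAC_A, ip4("10.0.0.1"), MAC_B, ip4("10.0.0.2"))
    spoofed = build_arp(MAC_B, MAC_X, ARP_REPLY, MAC_A, ip4("10.0.0.1"), MAC_B, ip4("10.0.0.2"))
    print(validate_arp(ok, ALL), validate_arp(spoofed, ALL))   # [] ['src-mac']
```

One operational consequence worth knowing before enabling the ip check: an RFC 5227 ARP probe carries 0.0.0.0 as its sender IP, so hosts performing address-conflict detection will have those probes dropped on untrusted ports.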
Verifying the configuration of dynamic ARP protection
To display the current configuration of dynamic ARP protection, including the additional validation
checks and the trusted ports that are configured, enter the show arp-protect command:
Figure 259 The show arp-protect command
Configuring DHCP snooping trusted ports
By default, all ports are untrusted. To configure a port or range of ports as trusted, enter this
command:
HP Switch(config)# dhcp-snooping trust <port-list>
You can also use this command in the interface context, in which case you are not able to enter
a list of ports.
362 Port Security