Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON

251

252

253

254

255

256

257

258

259

260

Configuring dynamic ARP inspection-limit

To configure dynamic ARP inspection rate limit on a port, perform the following task.

1. Enter into global configuration mode.

EXEC Privilege mode

configure terminal

2. Select the interface to be configured.

CONFIGURATION mode

interface interface-name

3. Configure ARP packet inspection rate limiting.

INTERFACE CONFIGURATION mode

arp inspection-limit {rate pps [interval seconds]}

The rate packet per second (pps) range is from 1 to 2048. The default is 15.

The rate burst interval range is from 1 to 15 seconds. The default is 1.

DellEMC# show running-config interface gigabitethernet 1/1

interface GigabitEthernet 1/1

no ip address

switchport

arp inspection-limit rate 15 interval 1

no shutdown

DellEMC#

Bypassing the ARP Inspection

You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch environments.

ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default.

To bypass the ARP inspection, use the following command.

• Specify an interface as trusted so that ARPs are not validated against the binding table.

INTERFACE mode

arp inspection-trust

Dynamic ARP inspection is supported on Layer 2 and Layer 3.

Source Address Validation

Using the DHCP binding table, Dell EMC Networking OS can perform three types of source address validation (SAV).

Table 18. Three Types of Source Address Validation

Source Address Validation Description

IP Source Address Validation Prevents IP spoofing by forwarding only IP packets that have been

validated against the DHCP binding table.

DHCP MAC Source Address Validation Verifies a DHCP packet’s source hardware address matches the

client hardware address field (CHADDR) in the payload.

IP+MAC Source Address Validation Verifies that the IP source address and MAC source address are a

legitimate pair.

Enabling IP Source Address Validation

IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding

table.

A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using ARP

spoofing, an attacker can assume a legitimate client’s identity and receive traffic addressed to it. Then the attacker can spoof the client’s

IP address to interact with other clients.

Dynamic Host Configuration Protocol (DHCP)

251