Configuration of Dynamic ARP Inspection

This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection). This feature helps prevent malicious attacks on the router by not relaying invalid ARP requests and responses to other bridge-domains.


Note


For complete syntax and usage information for the commands that are used in this chapter, see the command reference for this release.


Restrictions

  • Dynamic ARP Inspection is supported only on bridge-domains; other interfaces such as VLANs are not supported.

  • ARP packets with broadcast MAC address or router MAC address is only supported. Dynamic ARP inspection is not supported for unknown unicast ARP requests and ARP replies.

  • On RSP3 platform, by default the ARP entries are not controlled, and these access ARP entries led to error objects. To control the ARP entry count within a limit, you should configure the following command on the router:

    router(config)#arp entries interface-limit <value> 

    The ARP entry count limit value is 1–2147483647.

Dynamic ARP Inspection

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain receive the ARP request, and Host A responds with its MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.

A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Figure below shows an example of ARP cache poisoning.

Figure 1. ARP Cache Poisoning

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.

Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the middle attack.

Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.

Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The router performs these activities:

  • Intercepts all ARP requests and responses on untrusted ports

  • Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination

  • Drops invalid ARP packets

Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the bridge-domains and on the router. If the ARP packet is received on a trusted interface, the router forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

You enable dynamic ARP inspection on a per-bridge-domain basis by using the ip arp inspection bridge-domain domain-id global configuration command.

You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. For more information, see the “Performing Validation Checks (optional)” section on page 1-11.

Interface Trust States and Network Security

Dynamic ARP inspection associates a trust state with each interface on the router. Packets arriving on trusted interfaces bypass all dynamic ARP inspection validation checks, and those arriving on untrusted interfaces undergo the dynamic ARP inspection validation process.

In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. No other validation is needed at any other place in the bridge-domain or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command.


Note


Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.

In the figure below, assume that both Switch A and Switch B are running dynamic ARP inspection on the bridge-domain that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B. Connectivity between Host 1 and Host 2 is lost.

Figure 2. ARP Packet Validation on a Bridge-Domain Enabled for Dynamic ARP Inspection

Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.

Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.


Note


Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP packet on all switches in the bridge-domain.

Rate Limiting of ARP Packets

The switch CPU performs Dynamic ARP Inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can change this setting by using the ip arp inspection limit interface configuration command.

When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you intervene. You can use the errdisable recovery global configuration command to enable error disable recovery so that ports automatically emerge from this state after a specified timeout period.

For configuration information, see the “Limiting the Rate of Incoming ARP Packets (optional)” section on page 1–9.

Logging of Dropped Packets

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving bridge-domain, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection bridge-domain logging global configuration command. For configuration information, see the . Configuring the Log Buffer (optional).

Configuring Dynamic ARP Inspection

Default Dynamic ARP Inspection Configuration

Table below shows the default dynamic ARP inspection configuration.

Table 1. Default Dynamic ARP Inspection Configuration
Feature Default Setting
Dynamic ARP inspection Disabled on all bridge-domains.
Interface trust state All interfaces are untrusted.
Rate limit of incoming ARP packets

The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all trusted interfaces.

The burst interval is 1 second.

Validation checks

No checks are performed.

Log buffer

When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged.

The number of entries in the log is 32.

The number of system messages is limited to 5 per second.

The logging-rate interval is 1 second.

Per-bridge-domain logging All denied or dropped ARP packets are logged.

Dynamic ARP Inspection Configuration Guidelines

  • A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match. Otherwise, the physical port remains suspended in the port channel. A port channel inherits its trust state from the first physical port that joins the channel. Consequently, the trust state of the first physical port need not match the trust state of the channel.

Conversely, when you change the trust state on the port channel, the switch configures a new trust state on all the physical ports that comprise the channel.

  • The operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel-port members.

The rate of incoming packets on a physical port is checked against the port-channel configuration rather than the physical-ports configuration. The rate-limit configuration on a port channel is independent of the configuration on its physical ports.

If the EtherChannel receives more ARP packets than the configured rate, the channel (including all physical ports) is placed in the error-disabled state.

  • Make sure to limit the rate of ARP packets on incoming trunk ports. Configure trunk ports with higher rates to reflect their aggregation and to handle packets across multiple dynamic ARP inspection-enabled bridge-domains. You also can use the ip arp inspection limit none interface configuration command to make the rate unlimited. A high rate-limit on one bridge-domain can cause a denial-of-service attack to other bridge-domains when the software places the port in the error-disabled state.

  • When you enable dynamic ARP inspection on the switch, policers that were configured to police ARP traffic are no longer effective. The result is that all ARP traffic is sent to the CPU.

  • The errdisable recovery cause arp-inspection interval and show ip arp inspection interfaces show errdisable recovery commands are not supported on the router.

Configuring Dynamic ARP Inspection in DHCP Environments

This procedure shows how to configure dynamic ARP inspection when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B Both switches are running dynamic ARP inspection on bridge-domain 1 where the hosts are located. A DHCP server is connected to Switch A. Both hosts acquire their IP addresses from the same DHCP server. Therefore, Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2.


Note


Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses.

Beginning in privileged EXEC mode, follow these steps to configure dynamic ARP inspection. You must perform this procedure on both switches. This procedure is required.

SUMMARY STEPS

  1. show cdp neighbors
  2. configure terminal
  3. ip arp inspection
  4. ip arp inspection bridge-domain id
  5. interface interface-id
  6. no shutdown
  7. ip arp inspection trust
  8. end
  9. show ip arp inspection interfaces show ip arp inspection bridge-domain id
  10. show ip dhcp snooping binding
  11. show ip arp inspection statistics bridge-domain id
  12. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

show cdp neighbors

Verify the connection between the switches.

Step 2

configure terminal

Enter global configuration mode.

Step 3

ip arp inspection

Enables dynamic ARP inspection globally.

Step 4

ip arp inspection bridge-domain id

Enable dynamic ARP inspection on a per-bridge-domain basis. By default, dynamic ARP inspection is disabled on all bridge-domains.

Specify the same bridge-domain ID for both switches.

Step 5

interface interface-id

Specify the interface connected to the other switch, and enter interface configuration mode.

Step 6

no shutdown

Enable the port, if necessary. By default, user network interfaces (UNIs) and enhanced network interfaces (ENIs) are disabled, and network node interfaces (NNIs) are enabled.

Step 7

ip arp inspection trust

Configure the connection between the switches as trusted.

By default, all interfaces are untrusted.

The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simply forwards the packets.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection bridge-domain logging global configuration command. For more information, see the Configuring the Log Buffer (optional).

Step 8

end

Return to privileged EXEC mode.

Step 9

show ip arp inspection interfaces show ip arp inspection bridge-domain id

Verify the dynamic ARP inspection configuration.

Step 10

show ip dhcp snooping binding

Verify the DHCP bindings.

Step 11

show ip arp inspection statistics bridge-domain id

Check the dynamic ARP inspection statistics.

Step 12

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Example for Configuring Dynamic ARP Inspection

This example shows how to configure dynamic ARP inspection on Switch A. You would perform a similar procedure on Switch B:

Router(config)# ip arp inspection bridge-domain 1
Router(config)# interface gigabitethernet0/1
Router(config-if)# ip arp inspection trust

Disabling Dynamic ARP Inspection

To disable dynamic ARP inspection, use the no ip arp inspection bridge-domain global configuration command.

To return the interfaces to an untrusted state, use the no ip arp inspection trust interface configuration command.

Configuring ARP ACLs for Non-DHCP Environments

This procedure shows how to configure dynamic ARP inspection when Switch B does not support dynamic ARP inspection or DHCP snooping.

If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to bridge-domain 1. If the IP address of Host 2 is not static (it is impossible to apply the ACL configuration on Switch A) you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.

Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments.

Before you begin

SUMMARY STEPS

  1. configure terminal
  2. ip arp inspection
  3. arp access-list acl-name
  4. permit ip host sender-ip mac host sender-mac [log]
  5. exit
  6. ip arp inspection filter arp-acl-name bridge-domain id [static]
  7. interface interface-id
  8. no shutdown
  9. no ip arp inspection trust
  10. end
  11. show arp access-list [acl-name] show ip arp inspection bridge-domain id show ip arp inspection interfaces
  12. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

ip arp inspection

Enables dynamic ARP inspection globally.

Step 3

arp access-list acl-name

Define an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined.

Note

 
At the end of the ARP access list, there is an implicit deny ip any mac any command.

Step 4

permit ip host sender-ip mac host sender-mac [log]

Permit ARP packets from the specified host (Host 2).

  • For sender-ip, enter the IP address of Host 2.
  • For sender-mac, enter the MAC address of Host 2.
  • (Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE). Matches are logged if you also configure the matchlog keyword in the ip arp inspection bridge-domain logging global configuration command.

Step 5

exit

Return to global configuration mode.

Step 6

ip arp inspection filter arp-acl-name bridge-domain id [static]

Apply the ARP ACL to the bridge-domain. By default, no defined ARP ACLs are applied to any bridge-domain.

  • For arp-acl-name, specify the name of the ACL created in Step 2.
  • (Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used.

If you do not specify this keyword, it means that there is no explicit deny in the ACL that denies the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL.

ARP packets containing only IP-to-MAC address bindings are compared against the ACL. Packets are permitted only if the access list permits them.

Step 7

interface interface-id

Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.

Step 8

no shutdown

Enable the port, if necessary. By default, UNIs and ENIs are disabled, and NNIs are enabled.

Step 9

no ip arp inspection trust

Configure the Switch A interface that is connected to Switch B as untrusted.

By default, all interfaces are untrusted.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection bridge-domain logging global configuration command.

Step 10

end

Return to privileged EXEC mode.

Step 11

show arp access-list [acl-name] show ip arp inspection bridge-domain id show ip arp inspection interfaces

Verify your entries.

Step 12

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Example for Configuring an ARP ACL

This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from Host 2 (IP address 10.0.0.1 and MAC address 0001.0001.0001), to apply the ACL to bridge-domain 1, and to configure port 1 on Switch A as untrusted:

Router(config)# arp access-list host2
Router(config-arp-acl)# permit ip host 10.0.0.1 mac host 1.1.1
Router(config-arp-acl)# exit
Router(config)# ip arp inspection filter host2 bridge-domain 1
Router(config)# interface gigabitethernet0/1
Router(config-if)# no ip arp inspection trust

Removing the ARP ACL

To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a bridge-domain, use the no ip arp inspection filter arp-acl-name bridge-domain id global configuration command.

To remove an APR ACL attached to a bridge-domain, use the no ip arp inspection filter arp-acl-name bridge-domain id global configuration command.

Limiting the Rate of Incoming ARP Packets (optional)

The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.

When the rate of incoming ARP packets exceeds the configured limit (1150 packets), the switch places the port in the error-disabled state. The port remains in that state until you enable error-disabled recovery so that ports automatically emerge from this state after a specified timeout period.


Note


Unless you configure a rate limit on an interface (we recommend 1024 packets), changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.

ARP inspection rate limit will not work for values above 1024.


For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the Dynamic ARP Inspection Configuration Guidelines.

Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. ip arp inspection
  3. interface interface-id
  4. no shutdown
  5. ip arp inspection limit {rate pps [burst interval seconds] | none}
  6. exit
  7. exit
  8. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

ip arp inspection

Enables dynamic ARP inspection globally.

Step 3

interface interface-id

Specify the interface to be rate-limited, and enter interface configuration mode.

Step 4

no shutdown

Enable the port, if necessary. By default, UNIs and ENIs are disabled, and NNIs are enabled.

Step 5

ip arp inspection limit {rate pps [burst interval seconds] | none}

Limit the rate of incoming ARP requests and responses on the interface.

The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces. The burst interval is 1 second.

The keywords have these meanings:

  • For rate pps, specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.

  • (Optional) For burst intervalseconds, specify the consecutive interval in seconds, over which the interface is monitored for a high rate of ARP packets.The range is 1 to 15.

  • For rate none, specify no upper limit for the rate of incoming ARP packets that can be processed.

Step 6

exit

Return to global configuration mode.

Step 7

exit

Return to privileged EXEC mode.

Step 8

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Note

 
To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.

Performing Validation Checks (optional)

Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.

Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. ip arp inspection
  3. ip arp inspection validate {[src-mac] [dst-mac] [ip]}
  4. exit
  5. show ip arp inspection bridge-domain id
  6. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

ip arp inspection

Enables dynamic ARP inspection globally.

Step 3

ip arp inspection validate {[src-mac] [dst-mac] [ip]}

Perform a specific check on incoming ARP packets. By default, no checks are performed.

The keywords have these meanings:

  • For src-mac, check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

  • For dst-mac, check the destination MAC address in the Ethernet header against the target MAC address in ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

  • For ip, check the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

Step 4

exit

Return to privileged EXEC mode.

Step 5

show ip arp inspection bridge-domain id

Verify your settings.

Step 6

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Note

 

To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.

Configuring the Log Buffer (optional)


Note


Log buffering is not currently supported.

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving bridge-domain, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same bridge-domain with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.

If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.

Beginning in privileged EXEC mode, follow these steps to configure the log buffer. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. ip arp inspection log-buffer {entries number | logs number interval seconds}
  3. exit
  4. show ip arp inspection log
  5. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

ip arp inspection log-buffer {entries number | logs number interval seconds}

Configure the dynamic ARP inspection logging buffer.

By default, when dynamic ARP inspection is enabled, denied or dropped ARP packets are logged. The number of log entries is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.

The keywords have these meanings:

  • For entries number, specify the number of entries to be logged in the buffer. The range is 0 to 1024.

  • For logs number interval seconds, specify the number of entries to generate system messages in the specified interval.

For logs number, the range is 0 to 1024. A 0 value means that the entry is placed in the log buffer, but a system message is not generated.

For interval seconds, the range is 0 to 86400 seconds (1 day). A 0 value means that a system message is immediately generated (and the log buffer is always empty).

An interval setting of 0 overrides a log setting of 0.

The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.

Step 3

exit

Return to privileged EXEC mode.

Step 4

show ip arp inspection log

Verify your settings.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Returning to the Default Log Buffer Settings

To return to the default log buffer settings, use the no ip arp inspection log-buffer {entries | logs} global configuration command.

To clear the log buffer, use the clear ip arp inspection log privileged EXEC command.

Displaying Dynamic ARP Inspection Information

To display dynamic ARP inspection information, use the privileged EXEC commands described in table below.

Table 2. Commands for Displaying Dynamic ARP Inspection Information
Command Description
show ip arp inspection interfaces [interface-id] Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.
show ip arp inspection bridge-domain id Displays the configuration and the operating state of dynamic ARP inspection for the specified bridge-domain. If a range is specified, displays information for bridge domains with dynamic ARP inspection enabled (active).

Clearing or Displaying Dynamic ARP Inspection Statistics

To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in table below.

For the show ip arp inspection statistics command, the switch increments the number of forwarded packets for each ARP request and response packet on a trusted dynamic ARP inspection port. The switch increments the number of DHCP permitted packets for each packet that is denied by source MAC, destination MAC, or IP validation checks, and the switch increments the appropriate failure count.

Table 3. Commands for Clearing or Displaying Dynamic ARP Inspection Statistics
Command Description
clear ip arp inspection statistics Clears dynamic ARP inspection statistics.
show ip arp inspection statistics bridge-domain id Displays statistics for forwarded, dropped, MAC validation failure, IP validation failure, and DHCP permitted and denied packets for the specified bridge domain. If no bridge-domain is specified, the router displays information only for bridge domains with dynamic ARP inspection enabled (active).

Clearing or Displaying Dynamic ARP Inspection Logging Information

To clear or display dynamic ARP inspection logging information, use the privileged EXEC commands in table below:

Table 4. Commands for Clearing or Displaying Dynamic ARP Inspection Logging Information
Command Description
clear ip arp inspection log Clears the dynamic ARP inspection log buffer.
show ip arp inspection log Displays the configuration and contents of the dynamic ARP inspection log buffer.