Optional Checks

  • dst-mac - Enables validation of the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses. The device classifies packets with different MAC addresses as invalid and drops them.

  • ip - Enables validation of the ARP body for invalid and unexpected IP addresses. Such addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. The device checks the sender IP addresses in all ARP requests and responses and checks the target IP addresses only in ARP responses.

  • src-mac - Enables validation of the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses. The device classifies packets with different MAC addresses as invalid and drops them.

These checks are done in addition to the standard DAI check (sender MAC/IP).

If configured, an ARP message must pass all of the checks to be considered valid.

You must enter all of the validation checks you want in a single command.
