General Security Measures 3-137
- When ARP Inspection is disabled, all ARP request and reply packets will bypass
the ARP Inspection engine and their switching behavior will match that of all
other packets.
- Disabling and then re-enabling global ARP Inspection will not affect the ARP
Inspection configuration of any VLANs.
- When ARP Inspection is disabled globally, it is still possible to configure ARP
Inspection for individual VLANs. These configuration changes will only become
active after ARP Inspection is enabled globally again.
• The ARP Inspection engine in the current firmware version does not support ARP
Inspection on trunk ports.
ARP Inspection VLAN Filters (ACLs)
• By default, no ARP Inspection ACLs are configured and the feature is disabled.
• ARP Inspection ACLs are configured within the ARP ACL configuration page (see
page 3-133).
• ARP Inspection ACLs can be applied to any configured VLAN.
• ARP Inspection uses the DHCP snooping bindings database for the list of valid
IP-to-MAC address bindings. ARP ACLs take precedence over entries in the
DHCP snooping bindings database. The switch first compares ARP packets to any
specified ARP ACLs.
• If static is specified, ARP packets are validated only against the selected ACL:
packets are permitted or dropped according to the matching rules, packets not
matching any rule are dropped, and the DHCP snooping bindings database check is
bypassed.
• If static is not specified, ARP packets are first validated against the selected
ACL; if no ACL rule matches a packet, the DHCP snooping bindings database
determines its validity.
ARP Inspection Validation
• By default, ARP Inspection Validation is disabled.
• Specifying at least one of the following validations enables ARP Inspection
Validation globally. Any combination of the following checks can be active
concurrently.
- Destination MAC – Checks the destination MAC address in the Ethernet header
against the target MAC address in the ARP body. This check is performed for
ARP responses. When enabled, packets with different MAC addresses are
classified as invalid and are dropped.
- IP – Checks the ARP body for invalid and unexpected IP addresses. These
addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
Sender IP addresses are checked in all ARP requests and responses, while
target IP addresses are checked only in ARP responses.
- Source MAC – Checks the source MAC address in the Ethernet header against
the sender MAC address in the ARP body. This check is performed on both ARP
requests and responses. When enabled, packets with different MAC addresses
are classified as invalid and are dropped.
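The two preceding subsections describe a decision path: ACL rules are consulted before the DHCP snooping bindings, static bypasses the bindings check when no rule matches, and the three validation checks each apply to a specific subset of ARP requests and replies. The following Python model makes that path concrete. It is an added example written for this page, not code from the switch firmware; the packet, rule and binding structures, the assumption that an ARP ACL rule matches on sender IP and optionally sender MAC, and the choice to run validation before the ACL and bindings lookups are all assumptions, since the page does not state them. The sample bindings, ACL and packets are constructed.

```python
"""Model of the ARP Inspection decision path described in this section.

Added example, not the switch firmware. Structures, rule matching and the
validation-before-lookup ordering are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class ArpPacket:
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    op: str           # "request" or "reply"
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str    # sender protocol address in the ARP body
    target_mac: str   # target hardware address in the ARP body
    target_ip: str    # target protocol address in the ARP body


@dataclass
class AclRule:
    """Assumed rule shape: match on sender IP, optionally on sender MAC."""
    action: str                        # "permit" or "deny"
    sender_ip: str
    sender_mac: Optional[str] = None   # None matches any sender MAC


@dataclass
class Validation:
    dst_mac: bool = False
    ip: bool = False
    src_mac: bool = False


def _bogus_ip(ip: str) -> bool:
    """IP validation: 0.0.0.0, 255.255.255.255 and multicast are invalid."""
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast


def validate(pkt: ArpPacket, v: Validation) -> Optional[str]:
    """Return a drop reason if an enabled consistency check fails, else None."""
    # Destination MAC: Ethernet dst vs ARP target MAC, replies only.
    if v.dst_mac and pkt.op == "reply" and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "destination MAC mismatch"
    # IP: sender IP on requests and replies, target IP on replies only.
    if v.ip:
        if _bogus_ip(pkt.sender_ip):
            return "invalid sender IP"
        if pkt.op == "reply" and _bogus_ip(pkt.target_ip):
            return "invalid target IP"
    # Source MAC: Ethernet src vs ARP sender MAC, requests and replies.
    if v.src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "source MAC mismatch"
    return None


def acl_lookup(acl: List[AclRule], pkt: ArpPacket) -> Optional[str]:
    """First matching rule wins; None means no rule matched."""
    for r in acl:
        if r.sender_ip == pkt.sender_ip and (
            r.sender_mac is None or r.sender_mac.lower() == pkt.sender_mac.lower()
        ):
            return r.action
    return None


def inspect(pkt: ArpPacket,
            acl: Optional[List[AclRule]] = None,
            static: bool = False,
            bindings: Optional[Dict[str, str]] = None,
            validation: Optional[Validation] = None) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is "permit" or "drop".

    bindings maps sender IP -> MAC as learned by DHCP snooping.
    """
    reason = validate(pkt, validation or Validation())
    if reason:
        return "drop", reason
    if acl is not None:                       # ACL rules take precedence
        action = acl_lookup(acl, pkt)
        if action is not None:
            return ("permit" if action == "permit" else "drop"), "ARP ACL rule"
        if static:                            # static: bindings check bypassed
            return "drop", "no ARP ACL rule matched (static)"
    bound_mac = (bindings or {}).get(pkt.sender_ip, "")
    if bound_mac and bound_mac.lower() == pkt.sender_mac.lower():
        return "permit", "DHCP snooping binding"
    return "drop", "no DHCP snooping binding"


# Constructed sample data, not taken from any real network.
BINDINGS = {"10.0.0.5": "00:11:22:33:44:55"}
ACL = [AclRule("permit", "10.0.0.9", "aa:bb:cc:dd:ee:ff"),
       AclRule("deny", "10.0.0.6")]
LEASED_HOST = ArpPacket("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "request",
                        "00:11:22:33:44:55", "10.0.0.5",
                        "00:00:00:00:00:00", "10.0.0.1")

if __name__ == "__main__":
    print(inspect(LEASED_HOST, bindings=BINDINGS))
    print(inspect(LEASED_HOST, acl=ACL, static=True, bindings=BINDINGS))
```

The deny rule for 10.0.0.6 illustrates why ACL precedence matters: a host with a valid DHCP lease is still dropped if an ACL rule denies it, and conversely a statically addressed host without any lease is permitted only by an explicit permit rule.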