DAI snoops on ARP in order to refuse connections from hosts that are not under management. Used together with DHCP snooping, it blocks ARP requests from hosts whose address was not assigned by DHCP.
Overview
This post summarizes Dynamic ARP Inspection. Dynamic ARP Inspection is usually deployed together with DHCP snooping, but DHCP snooping itself is not explained here. For details, see the following configuration guide.
- http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/swdynarp.html
Command list
The commands that matter for this scenario are as follows.
Router(config)# arp access-list <acl_name>
Router(config-arp-nacl)# permit ip host <ip_addr> mac host <mac_addr>
Router(config)# ip arp inspection vlan <id>
Router(config)# ip arp inspection log-buffer entries <num>
Router(config)# ip arp inspection log-buffer logs <num> interval <sec>
Router(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Router(config)# ip arp inspection filter <acl_name> vlan <id> [ static ]
Router(config)# interface <interface>
Router(config-if)# ip arp inspection trust
Router(config-if)# ip arp inspection limit { rate <pps> [burst interval <sec> ] | none }
Topology
Operation is verified with the topology below. To make the mapping between MAC addresses and IP addresses easier to follow, the MAC addresses are deliberately hard-coded.
DHCP Server  f0/0                     f0/13      DHCP Client
+--------+.1    f0/1+------+f0/13   .8+--------+
|   R1   +----------+      +----------+  SW2   |
+--------+          |      |          +--------+
     f0/0           |      |          f0/13      DHCP Client
+--------+.3    f0/3|      |f0/16   .9+--------+
|   R3   +----------+ SW1  +----------+  SW3   |
+--------+          |      |          +--------+
     f0/0           |      |          f0/13
+--------+.5    f0/5|      |f0/19  .10+--------+
|   R5   +----------+      +----------+  SW4   |
+--------+          +------+          +--------+
              192.168.100.0/24 VLAN_100
[R1]
ip dhcp excluded-address 192.168.100.1 192.168.100.7
ip dhcp excluded-address 192.168.100.10 192.168.100.254
!
ip dhcp pool VLAN100
network 192.168.100.0 255.255.255.0
!
interface FastEthernet0/0
mac-address 0000.0000.0001
ip dhcp relay information trusted
ip address 192.168.100.1 255.255.255.0
[R3]
interface FastEthernet0/0
mac-address 0000.0000.0003
ip address 192.168.100.3 255.255.255.0
[R5]
interface FastEthernet0/0
mac-address 0000.0000.0005
ip address 192.168.100.5 255.255.255.0
[SW1]
ip dhcp snooping vlan 100
ip dhcp snooping database flash:dhcp.dat
ip dhcp snooping
[SW2]
interface FastEthernet0/13
no switchport
ip address dhcp
[SW3]
interface FastEthernet0/13
no switchport
ip address dhcp
[SW4]
interface FastEthernet0/13
no switchport
ip address 192.168.100.10 255.255.255.0
The complete configurations are listed below; refer to them for the detailed settings.
R1
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.7
ip dhcp excluded-address 192.168.100.10 192.168.100.254
!
ip dhcp pool VLAN100
network 192.168.100.0 255.255.255.0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
mac-address 0000.0000.0001
ip dhcp relay information trusted
ip address 192.168.100.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface Serial0/1
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous level 0 limit 20
line aux 0
line vty 0 4
login
!
!
end
R3
!
! Last configuration change at 03:56:43 UTC Thu May 2 2013
! NVRAM config last updated at 03:34:36 UTC Thu May 2 2013
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
mac-address 0000.0000.0003
ip address 192.168.100.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous level 0 limit 20
line aux 0
line vty 0 4
!
!
end
R5
!
! Last configuration change at 03:39:11 UTC Thu May 2 2013
! NVRAM config last updated at 02:46:16 UTC Thu May 2 2013
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
warm-reboot
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
mac-address 0000.0000.0005
ip address 192.168.100.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous level 0 limit 20
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
SW1
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
ip dhcp snooping vlan 100
ip dhcp snooping database flash:dhcp.dat
ip dhcp snooping
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
shutdown
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous level 0 limit 20
line vty 0 4
login
line vty 5 15
login
!
end
SW2
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
no switchport
ip address dhcp
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous level 0 limit 20
line vty 0 4
login
line vty 5 15
login
!
end
SW3
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW3
!
!
no aaa new-model
ip subnet-zero
!
vtp file vlan.dat
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
switchport mode dynamic desirable
!
interface FastEthernet0/2
switchport mode dynamic desirable
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
no switchport
ip address dhcp
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
switchport mode dynamic desirable
!
interface FastEthernet0/17
switchport mode dynamic desirable
!
interface FastEthernet0/18
switchport mode dynamic desirable
!
interface FastEthernet0/19
switchport mode dynamic desirable
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous level 0 limit 20
line vty 0 4
login
line vty 5 15
login
!
end
SW4
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW4
!
!
no aaa new-model
ip subnet-zero
!
vtp file vlan.dat
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
switchport mode dynamic desirable
!
interface FastEthernet0/2
switchport mode dynamic desirable
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
no switchport
ip address 192.168.100.10 255.255.255.0
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
switchport mode dynamic desirable
!
interface FastEthernet0/17
switchport mode dynamic desirable
!
interface FastEthernet0/18
switchport mode dynamic desirable
!
interface FastEthernet0/19
switchport mode dynamic desirable
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
logging synchronous level 0 limit 20
line vty 0 4
login
line vty 5 15
login
!
end
Feature description
Minimum configuration
The minimum configuration for Dynamic ARP Inspection is as follows. With this setting, ARP responses are matched against the snooping database. Note that, in the default state, ARP requests are not subject to inspection.
Router(config)# ip arp inspection vlan <id>
trust interface
The following commands make an interface unconditionally trusted, so that ARP responses received on it are not checked. Use this where the port connects to servers and similar devices.
Router(config)# interface <interface>
Router(config-if)# ip arp inspection trust
static entry
Defining a static entry as shown below allows communication with hosts that are not in the snooping database. With this configuration, the switch first checks whether a matching entry exists in the ARP access-list; if the packet does not match the access-list, it then checks whether an entry exists in the snooping database.
Router(config)# arp access-list <acl_name>
Router(config-arp-nacl)# permit ip host <ip_addr> mac host <mac_addr>
Router(config)# ip arp inspection filter <acl_name> vlan <id>
static arp inspection
When the static keyword is used as shown below, the snooping database is not consulted and the check is based solely on the ARP access-list.
Router(config)# arp access-list <acl_name>
Router(config-arp-nacl)# permit ip host <ip_addr> mac host <mac_addr>
Router(config)# ip arp inspection filter <acl_name> vlan <id> static
arp rate limit
With ARP inspection enabled, a DoS attack using ARP requests becomes possible. For that reason, a rate limit on ARP packets is applied by default whenever ARP inspection is enabled. In the default state, receiving 15 or more ARP packets per second puts the port into the error-disabled state. To change this threshold, use the following commands.
Router(config)# interface <interface>
Router(config-if)# ip arp inspection limit { rate <pps> [burst interval <sec> ] | none }
log tuning
ARP inspection logs dropped ARP responses as shown below.
SW1#
*Mar 1 02:49:47.259: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 100.([0000.0000.0005/192.168.100.5/0000.0000.0000/192.168.100.8/02:49:46 UTC Mon Mar 1 1993])
*Mar 1 02:49:47.259: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/13, vlan 100.([0019.2f45.ec41/192.168.100.8/0000.0000.0003/192.168.100.3/02:49:46 UTC Mon Mar 1 1993])
SW1#
If every drop were logged, logging would become a bottleneck and degrade performance. The following commands therefore set the number of log entries held in the buffer and the rate at which system messages are generated. By default, up to 32 log entries are buffered and 5 system messages are generated per 1-second interval.
Router(config)# ip arp inspection log-buffer entries <num>
Router(config)# ip arp inspection log-buffer logs <num> interval <sec>
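As an added example that is not part of the original post, the following Python script parses %SW_DAI-4-ACL_DENY lines of the form shown above (the regex accepts any SW_DAI-4 mnemonic with the same layout, which is an assumption), totals drops per port, and flags a sender whose IP is DHCP-bound to a different MAC in SW1's binding table. The names parse_dai_deny, norm_mac and summarize are this example's own, and the third sample line is constructed.

```python
import re
from collections import Counter

# Layout of the %SW_DAI-4-ACL_DENY lines shown above:
#   <n> Invalid ARPs (Req|Res) on <port>, vlan <id>.([sender_mac/sender_ip/target_mac/target_ip/<time>])
DAI_DENY = re.compile(
    r"%SW_DAI-4-(?P<kind>[A-Z_]+): (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) on (?P<port>\S+), "
    r"vlan (?P<vlan>\d+)\.\(\[(?P<smac>[^/]+)/(?P<sip>[^/]+)/(?P<tmac>[^/]+)/(?P<tip>[^/]+)/(?P<time>[^\]]+)\]\)"
)

def norm_mac(mac):
    """Normalize 00:19:2F:45:EC:41 / 0000.0000.0005 / 0.0.3 style MACs to 0019.2f45.ec41 form."""
    if ":" in mac or "-" in mac:
        hexstr = mac.replace(":", "").replace("-", "")
    else:
        hexstr = "".join(part.zfill(4) for part in mac.split("."))
    hexstr = hexstr.lower().zfill(12)
    return ".".join(hexstr[i:i + 4] for i in (0, 4, 8))

def parse_dai_deny(line):
    """Return the fields of one DAI deny syslog line as a dict, or None for any other line."""
    m = DAI_DENY.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"], rec["vlan"] = int(rec["count"]), int(rec["vlan"])
    rec["smac"], rec["tmac"] = norm_mac(rec["smac"]), norm_mac(rec["tmac"])
    return rec

def summarize(lines, bindings):
    """Total drops per port, plus senders whose IP the snooping table binds to a different MAC."""
    per_port = Counter()
    conflicts = []
    ip_to_mac = {ip: norm_mac(mac) for mac, ip in bindings}
    for line in lines:
        rec = parse_dai_deny(line)
        if rec is None:
            continue
        per_port[rec["port"]] += rec["count"]
        bound = ip_to_mac.get(rec["sip"])
        if bound is not None and bound != rec["smac"]:
            conflicts.append((rec["port"], rec["sip"], rec["smac"], bound))
    return per_port, conflicts

# Bindings as shown by "show ip dhcp snooping binding" on SW1 in this post.
BINDINGS = [("00:19:2F:45:EC:41", "192.168.100.8"), ("00:0A:B7:DC:9B:00", "192.168.100.9")]

# The first two lines are SW1's log output above; the third is a constructed line in which
# R5's MAC on Fa0/5 claims the address DHCP assigned to SW2.
SAMPLE_LOG = [
    "*Mar 1 02:49:47.259: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 100.([0000.0000.0005/192.168.100.5/0000.0000.0000/192.168.100.8/02:49:46 UTC Mon Mar 1 1993])",
    "*Mar 1 02:49:47.259: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/13, vlan 100.([0019.2f45.ec41/192.168.100.8/0000.0000.0003/192.168.100.3/02:49:46 UTC Mon Mar 1 1993])",
    "*Mar 1 02:50:01.003: %SW_DAI-4-ACL_DENY: 3 Invalid ARPs (Req) on Fa0/5, vlan 100.([0000.0000.0005/192.168.100.8/0000.0000.0000/192.168.100.1/02:50:00 UTC Mon Mar 1 1993])",
]
```

Because the syslog rate limit above caps how many drops reach the console, a sustained per-port count in this summary understates the true drop rate; the show ip arp inspection counters later in this post are the authoritative totals.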
arp request validation
In the default state, Dynamic ARP Inspection checks only ARP responses. With the following command, however, ARP requests can be included in the checks as well. The meaning of each check item is as follows.
param   | description
--------+-----------------------------------------------------------------------------------------
src-mac | Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
dst-mac | Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
ip      | Checks the ARP body for invalid and unexpected IP addresses. Such addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses; target IP addresses are checked only in ARP responses.
Router(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
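As an added example that is not part of the original post, the following Python model reproduces the decision order described in the minimum configuration, trust interface, static entry, static ARP inspection and ARP request validation sections above, using SW1's snooping bindings and ARP_LIST from this post. The names Arp, DaiConfig, inspect and can_resolve are this example's own, and the host table is built from the topology above.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

# Constructed from this page: SW1's "show ip dhcp snooping binding" entries and ARP_LIST.
BINDINGS = {("0019.2f45.ec41", "192.168.100.8"), ("000a.b7dc.9b00", "192.168.100.9")}
ARP_LIST = {("0000.0000.0003", "192.168.100.3")}   # permit ip host 192.168.100.3 mac host 0.0.3
HOSTS = {  # name: (SW1 port, MAC, IP) from the topology above
    "R1": ("Fa0/1", "0000.0000.0001", "192.168.100.1"),
    "R3": ("Fa0/3", "0000.0000.0003", "192.168.100.3"),
    "R5": ("Fa0/5", "0000.0000.0005", "192.168.100.5"),
    "SW2": ("Fa0/13", "0019.2f45.ec41", "192.168.100.8"),
    "SW3": ("Fa0/16", "000a.b7dc.9b00", "192.168.100.9"),
}

@dataclass
class Arp:
    op: str          # "Req" or "Res"
    in_port: str     # SW1 port the frame arrived on
    eth_src: str     # Ethernet header addresses
    eth_dst: str
    sender_mac: str  # ARP body addresses
    sender_ip: str
    target_mac: str
    target_ip: str

@dataclass
class DaiConfig:
    trusted: set = field(default_factory=set)    # ip arp inspection trust
    acl: Optional[set] = None                    # ip arp inspection filter <acl> vlan <id>
    static: bool = False                         # ... static
    validate: set = field(default_factory=set)   # ip arp inspection validate {src-mac dst-mac ip}

def _bad_ip(ip):
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast

def inspect(pkt, cfg, bindings):
    """Return ("permit"|"deny", reason) for one ARP packet, in the order the text above describes."""
    if pkt.in_port in cfg.trusted:
        return "permit", "trusted"
    if "src-mac" in cfg.validate and pkt.eth_src != pkt.sender_mac:
        return "deny", "src-mac"
    if "dst-mac" in cfg.validate and pkt.op == "Res" and pkt.eth_dst != pkt.target_mac:
        return "deny", "dst-mac"
    if "ip" in cfg.validate and (_bad_ip(pkt.sender_ip) or (pkt.op == "Res" and _bad_ip(pkt.target_ip))):
        return "deny", "ip"
    binding = (pkt.sender_mac, pkt.sender_ip)
    if cfg.acl is not None:          # the ARP ACL is consulted first ...
        if binding in cfg.acl:
            return "permit", "acl"
        if cfg.static:               # ... and is the only source when "static" is set
            return "deny", "acl"
    if binding in bindings:          # otherwise fall back to the snooping database
        return "permit", "dhcp"
    return "deny", "dhcp"

def can_resolve(src, dst, cfg, bindings=BINDINGS):
    """True if src's ARP request and dst's reply both pass DAI on SW1 (what the pings below exercise)."""
    sp, smac, sip = HOSTS[src]
    dp, dmac, dip = HOSTS[dst]
    req = Arp("Req", sp, smac, "ffff.ffff.ffff", smac, sip, "0000.0000.0000", dip)
    res = Arp("Res", dp, dmac, smac, dmac, dip, smac, sip)
    return inspect(req, cfg, bindings)[0] == "permit" and inspect(res, cfg, bindings)[0] == "permit"
```

With the ARP ACL configured but no validate keyword, a frame whose ARP body carries R3's addresses is permitted on the ACL match alone regardless of its Ethernet source; the src-mac check is what ties the ARP body back to the frame header.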
Minimum configuration
Configuration
Apply the minimum ARP inspection configuration.
[SW1]
ip arp inspection vlan 100
Verification
Check which hosts SW2 can reach. The only host SW2 can reach is SW3.
[SW2]
SW2#clear arp-cache
SW2#
SW2#
SW2#ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
SW2#
SW2#
SW2#ping 192.168.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.3, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
SW2#
SW2#
SW2#ping 192.168.100.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1007 ms
SW2#
With only the minimum configuration, the only reachable hosts are the DHCP clients. Because what DHCP snooping records is the DHCP discovery exchange, the MAC-to-IP binding for the DHCP server does not exist in the snooping database. To be sure, check SW1's snooping database with the following command as well.
[SW1]
SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:19:2F:45:EC:41   192.168.100.8    83392       dhcp-snooping  100   FastEthernet0/13
00:0A:B7:DC:9B:00   192.168.100.9    84322       dhcp-snooping  100   FastEthernet0/16
Total number of bindings: 2
SW1#
trust interface
Configuration
Enter the following commands so that f0/1, where the DHCP server R1 is connected, is trusted unconditionally.
[SW1]
interface FastEthernet0/1
ip arp inspection trust
Verification
Confirm that R1 is now reachable.
[SW2]
SW2#ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
SW2#
static entry
Configuration
Add a static entry for R3.
[SW1]
arp access-list ARP_LIST
permit ip host 192.168.100.3 mac host 0.0.3
!
ip arp inspection filter ARP_LIST vlan 100
Verification
Confirm that R3 is now reachable.
[SW2]
SW2#ping 192.168.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1006 ms
SW2#
static arp inspection
Configuration
Switch to checking against the ARP access-list only, without using the snooping database.
[SW1]
ip arp inspection filter ARP_LIST vlan 100 static
Verification
Confirm that only R1, behind the trusted interface, and R3, defined in the ARP access-list, can reach each other.
[R3]
R3#ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#
R3#
R3#ping 192.168.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#
R3#
R3#ping 192.168.100.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#
arp rate limit
Configuration
Change the ARP rate limit on the port where R3 is connected.
[SW1]
interface FastEthernet0/3
ip arp inspection limit rate 20
Verification
Because a large volume of ARP is hard to reproduce, verification is limited to the show command.
[SW1]
SW1#show ip arp inspection interfaces
Interface        Trust State  Rate (pps)  Burst Interval
---------------  -----------  ----------  --------------
Fa0/1            Trusted      None        N/A
Fa0/2            Untrusted    15          1
Fa0/3            Untrusted    20          1
Fa0/4            Untrusted    15          1
Fa0/5            Untrusted    15          1
Fa0/6            Untrusted    15          1
<omitted>
SW1#
log tuning
Configuration
Allow more logs to be output than in the default state.
[SW1]
ip arp inspection log-buffer entries 20
ip arp inspection log-buffer logs 7 interval 1
Verification
Check the configuration with the show command.
[SW1]
SW1#show ip arp inspection log
Total Log Buffer Size : 20
Syslog rate : 7 entries per 1 seconds.
No entries in log buffer.
SW1#
arp request validation
Configuration
Enable validation that also covers ARP requests.
[SW1]
ip arp inspection validate src-mac dst-mac ip
Verification
Check the configuration with the show command.
[SW1]
SW1#show ip arp inspection
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : Enabled
Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
 100  Enabled        Active     ARP_LIST   Yes

Vlan  ACL Logging  DHCP Logging  Probe Logging
----  -----------  ------------  -------------
 100  Deny         Deny          Off

Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
 100         90       82          40         42

Vlan  DHCP Permits  ACL Permits  Probe Permits  Source MAC Failures
----  ------------  -----------  -------------  -------------------
 100            48           37              0                    0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
 100                  0                       0                      0
SW1#