Cisco IOS DAI (Dynamic ARP Inspection) configuration


DAI watches ARP traffic and rejects connections from hosts that are not under management. Used together with DHCP snooping, it blocks ARP requests from hosts that were not assigned an address by DHCP.

Overview

This page summarizes dynamic ARP inspection. Dynamic ARP inspection is usually combined with DHCP snooping, but the explanation of DHCP snooping itself is omitted here. For details, refer to the configuration guide below.

  • http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/swdynarp.html

Command list

The commands that matter in this scenario are the following.

Router(config)# arp access-list <acl_name>
Router(config-arp-nacl)# permit ip host <ip_addr> mac host <mac_addr>

Router(config)# ip arp inspection vlan <id>
Router(config)# ip arp inspection log-buffer entries <num>
Router(config)# ip arp inspection log-buffer logs <num> interval <sec>
Router(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]} 
Router(config)# ip arp inspection filter <acl_name> vlan <id> [ static ]

Router(config)# interface <interface>
Router(config-if)# ip arp inspection trust
Router(config-if)# ip arp inspection limit { rate <pps> [burst interval <sec> ] | none } 

Topology

Operation is verified on the topology below. To make the correspondence between MAC addresses and IP addresses easy to follow, the MAC addresses are deliberately hard-coded.

 DHCP Server f0/0                        f0/13 DHCP Client
     +--------+.1    f0/1+------+f0/13   .8+--------+
     |   R1   +----------+      +----------+   SW2 | 
     +--------+          |      |          +--------+
             f0/0        |      |        f0/13 DHCP Client
     +--------+.3    f0/3|      |f0/16   .9+--------+
     |   R3   +----------+  SW1 +----------+   SW3 | 
     +--------+          |      |          +--------+
             f0/0        |      |        f0/13
     +--------+.5   f0/5 |      |f0/19  .10+--------+
     |   R5   +----------+      +----------+   SW4 | 
     +--------+          +------+          +--------+

               192.168.100.0/24 VLAN_100
 [R1]
ip dhcp excluded-address 192.168.100.1 192.168.100.7
ip dhcp excluded-address 192.168.100.10 192.168.100.254
!
ip dhcp pool VLAN100
   network 192.168.100.0 255.255.255.0
!
interface FastEthernet0/0
 mac-address 0000.0000.0001
 ip dhcp relay information trusted
 ip address 192.168.100.1 255.255.255.0

 [R3]
interface FastEthernet0/0
 mac-address 0000.0000.0003
 ip address 192.168.100.3 255.255.255.0

 [R5]
interface FastEthernet0/0
 mac-address 0000.0000.0005
 ip address 192.168.100.5 255.255.255.0

 [SW1]
ip dhcp snooping vlan 100
ip dhcp snooping database flash:dhcp.dat
ip dhcp snooping

 [SW2]
interface FastEthernet0/13
 no switchport
 ip address dhcp

 [SW3]
interface FastEthernet0/13
 no switchport
 ip address dhcp

 [SW4]
interface FastEthernet0/13
 no switchport
 ip address 192.168.100.10 255.255.255.0

The full configurations are in the files below; refer to them for the detailed settings.

R1
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.7
ip dhcp excluded-address 192.168.100.10 192.168.100.254
!
ip dhcp pool VLAN100
   network 192.168.100.0 255.255.255.0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 mac-address 0000.0000.0001
 ip dhcp relay information trusted
 ip address 192.168.100.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
 login
!
!
end
R3
!
! Last configuration change at 03:56:43 UTC Thu May 2 2013
! NVRAM config last updated at 03:34:36 UTC Thu May 2 2013
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 mac-address 0000.0000.0003
 ip address 192.168.100.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
!
!
end
R5
!
! Last configuration change at 03:39:11 UTC Thu May 2 2013
! NVRAM config last updated at 02:46:16 UTC Thu May 2 2013
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
warm-reboot
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 mac-address 0000.0000.0005
 ip address 192.168.100.5 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end
SW1
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
ip dhcp snooping vlan 100
ip dhcp snooping database flash:dhcp.dat
ip dhcp snooping
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping trust
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
 logging synchronous level 0 limit 20
line vty 0 4
 login
line vty 5 15
 login
!
end
SW2
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
 no switchport
 ip address dhcp
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
 logging synchronous level 0 limit 20
line vty 0 4
 login
line vty 5 15
 login
!
end
SW3
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW3
!
!
no aaa new-model
ip subnet-zero
!
vtp file vlan.dat
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport mode dynamic desirable
!
interface FastEthernet0/5
 switchport mode dynamic desirable
!
interface FastEthernet0/6
 switchport mode dynamic desirable
!
interface FastEthernet0/7
 switchport mode dynamic desirable
!
interface FastEthernet0/8
 switchport mode dynamic desirable
!
interface FastEthernet0/9
 switchport mode dynamic desirable
!
interface FastEthernet0/10
 switchport mode dynamic desirable
!
interface FastEthernet0/11
 switchport mode dynamic desirable
!
interface FastEthernet0/12
 switchport mode dynamic desirable
!
interface FastEthernet0/13
 no switchport
 ip address dhcp
!
interface FastEthernet0/14
 switchport mode dynamic desirable
!
interface FastEthernet0/15
 switchport mode dynamic desirable
!
interface FastEthernet0/16
 switchport mode dynamic desirable
!
interface FastEthernet0/17
 switchport mode dynamic desirable
!
interface FastEthernet0/18
 switchport mode dynamic desirable
!
interface FastEthernet0/19
 switchport mode dynamic desirable
!
interface FastEthernet0/20
 switchport mode dynamic desirable
!
interface FastEthernet0/21
 switchport mode dynamic desirable
!
interface FastEthernet0/22
 switchport mode dynamic desirable
!
interface FastEthernet0/23
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
 logging synchronous level 0 limit 20
line vty 0 4
 login
line vty 5 15
 login
!
end
SW4
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW4
!
!
no aaa new-model
ip subnet-zero
!
vtp file vlan.dat
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport mode dynamic desirable
!
interface FastEthernet0/5
 switchport mode dynamic desirable
!
interface FastEthernet0/6
 switchport mode dynamic desirable
!
interface FastEthernet0/7
 switchport mode dynamic desirable
!
interface FastEthernet0/8
 switchport mode dynamic desirable
!
interface FastEthernet0/9
 switchport mode dynamic desirable
!
interface FastEthernet0/10
 switchport mode dynamic desirable
!
interface FastEthernet0/11
 switchport mode dynamic desirable
!
interface FastEthernet0/12
 switchport mode dynamic desirable
!
interface FastEthernet0/13
 no switchport
 ip address 192.168.100.10 255.255.255.0
!
interface FastEthernet0/14
 switchport mode dynamic desirable
!
interface FastEthernet0/15
 switchport mode dynamic desirable
!
interface FastEthernet0/16
 switchport mode dynamic desirable
!
interface FastEthernet0/17
 switchport mode dynamic desirable
!
interface FastEthernet0/18
 switchport mode dynamic desirable
!
interface FastEthernet0/19
 switchport mode dynamic desirable
!
interface FastEthernet0/20
 switchport mode dynamic desirable
!
interface FastEthernet0/21
 switchport mode dynamic desirable
!
interface FastEthernet0/22
 switchport mode dynamic desirable
!
interface FastEthernet0/23
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
 logging synchronous level 0 limit 20
line vty 0 4
 login
line vty 5 15
 login
!
end

Feature description

Minimum configuration

The minimum configuration for dynamic ARP inspection is the following. With this setting the switch starts matching ARP responses against the snooping database. Note that in the default state ARP requests are not subject to inspection.

Router(config)# ip arp inspection vlan <id>

trust interface

The following commands make the switch trust an interface unconditionally, so that ARP responses arriving on it are not checked. Use this setting when the port is connected to servers and similar devices.

Router(config)# interface <interface>
Router(config-if)# ip arp inspection trust

static entry

Defining static entries such as the following makes it possible to communicate with hosts that are not present in the snooping database. With this configuration the switch first checks whether a matching entry exists in the ARP access-list; if the packet does not match the access-list, it then checks whether a matching entry exists in the snooping database.

Router(config)# arp access-list <acl_name>
Router(config-arp-nacl)# permit ip host <ip_addr> mac host <mac_addr>

Router(config)# ip arp inspection filter <acl_name> vlan <id>

static arp inspection

When the configuration uses the static keyword as shown below, the snooping database is not used and the check is based on the ARP access-list only.

Router(config)# arp access-list <acl_name>
Router(config-arp-nacl)# permit ip host <ip_addr> mac host <mac_addr>

Router(config)# ip arp inspection filter <acl_name> vlan <id> static
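The decision order described in the three sections above (trusted interface, ARP access-list, then the snooping database, with the static keyword removing the database fallback) as an added Python model. This is not Cisco's code. The binding table and the ARP_LIST entry are taken from this page's later outputs, the host list from the topology diagram, and the check order is the one the text describes; which port is trusted and which filter is active are passed in as parameters so each stage of the page's scenario can be replayed.

```python
# Added model of the DAI decision chain (trust -> ARP ACL -> static -> snooping DB).
# Not Cisco code; tables below are constructed from the values on this page.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ingress: str     # switch port the ARP frame arrived on, e.g. "Fa0/13"
    vlan: int
    sender_ip: str   # sender protocol address from the ARP body
    sender_mac: str  # sender hardware address from the ARP body


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to aaaa.bbbb.cccc.

    Accepts the three spellings used on this page: 0000.0000.0003,
    00:19:2F:45:EC:41, and the IOS shorthand 0.0.3 (each dotted group is
    zero-padded to four hex digits).
    """
    mac = mac.strip().lower()
    if ":" in mac or "-" in mac:
        parts = mac.replace("-", ":").split(":")
        if len(parts) != 6:
            raise ValueError(f"bad MAC: {mac}")
        digits = "".join(p.zfill(2) for p in parts)
    else:
        parts = mac.split(".")
        if len(parts) != 3:
            raise ValueError(f"bad MAC: {mac}")
        digits = "".join(p.zfill(4) for p in parts)
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


# DHCP snooping bindings, as in the page's "show ip dhcp snooping binding" output.
SNOOPING_DB = {
    (100, "192.168.100.8"): normalize_mac("00:19:2F:45:EC:41"),
    (100, "192.168.100.9"): normalize_mac("00:0A:B7:DC:9B:00"),
}

# The ARP access-list the page configures for R3 (permit entries only).
ARP_ACLS = {
    "ARP_LIST": {("192.168.100.3", normalize_mac("0.0.3"))},
}


def inspect(pkt: ArpPacket, trusted=frozenset(), filter_acl=None, static=False):
    """Return ("permit" | "deny", reason) for one ARP packet on an inspected VLAN.

    A trusted interface skips inspection. With "ip arp inspection filter <acl>
    vlan <id>" the ARP ACL is consulted first and a miss falls through to the
    snooping database; with the "static" keyword a miss is a drop and the
    database is never consulted.
    """
    if pkt.ingress in trusted:
        return "permit", "trusted interface, not inspected"
    sender = (pkt.sender_ip, normalize_mac(pkt.sender_mac))
    if filter_acl is not None:
        if sender in ARP_ACLS[filter_acl]:
            return "permit", f"matched arp access-list {filter_acl}"
        if static:
            return "deny", f"no match in {filter_acl} (static: database not consulted)"
    if SNOOPING_DB.get((pkt.vlan, pkt.sender_ip)) == sender[1]:
        return "permit", "matched DHCP snooping binding"
    return "deny", "no ACL match and no DHCP snooping binding"


# The hosts from the topology, as SW1 sees their ARP packets.
HOSTS = {
    "R1":  ArpPacket("Fa0/1",  100, "192.168.100.1", "0000.0000.0001"),
    "R3":  ArpPacket("Fa0/3",  100, "192.168.100.3", "0000.0000.0003"),
    "R5":  ArpPacket("Fa0/5",  100, "192.168.100.5", "0000.0000.0005"),
    "SW2": ArpPacket("Fa0/13", 100, "192.168.100.8", "0019.2f45.ec41"),
}


def verdicts(**config):
    """Map host name -> verdict under one DAI configuration."""
    return {name: inspect(pkt, **config)[0] for name, pkt in HOSTS.items()}


if __name__ == "__main__":
    stages = [
        ("ip arp inspection vlan 100", {}),
        ("+ ip arp inspection trust on Fa0/1", {"trusted": {"Fa0/1"}}),
        ("+ ip arp inspection filter ARP_LIST vlan 100",
         {"trusted": {"Fa0/1"}, "filter_acl": "ARP_LIST"}),
        ("+ ... vlan 100 static",
         {"trusted": {"Fa0/1"}, "filter_acl": "ARP_LIST", "static": True}),
    ]
    for label, cfg in stages:
        print(f"{label:<48} {verdicts(**cfg)}")
```

The four stages in `__main__` reproduce the page's ping results: only the DHCP clients pass with the bare VLAN setting, R1 passes once Fa0/1 is trusted, R3 passes once ARP_LIST is attached, and the DHCP client is cut off again once `static` disables the database fallback.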

arp rate limit

When ARP inspection is enabled, a DoS attack using ARP requests becomes possible. For that reason, a rate limit on ARP packets is applied by default whenever ARP inspection is enabled. In the default state, receiving 15 or more ARP packets per second puts the port into the error-disabled state. To change this threshold, use the following commands.

Router(config)# interface <interface>
Router(config-if)# ip arp inspection limit { rate <pps> [burst interval <sec> ] | none } 
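An added Python model of the per-port ARP rate limit described above, not Cisco code. It assumes the defaults shown later in the page's `show ip arp inspection interfaces` output (15 pps, burst interval 1 s) and makes one simplifying assumption, labelled in the code: the port goes err-disabled as soon as more than rate x burst ARP packets arrive within any window of burst seconds, and `rate=None` stands for `ip arp inspection limit none`. The arrival patterns at the bottom are constructed.

```python
# Added model of "ip arp inspection limit { rate <pps> [burst interval <sec>] | none }".
# Not Cisco code; err-disable rule below is an assumption made for this model.
from collections import deque


class ArpRateLimiter:
    """ARP rate limiter for one untrusted port.

    rate:  ARP packets per second allowed (IOS default 15); None = "limit none".
    burst: burst interval in seconds (IOS default 1).
    Assumption: the port is err-disabled once more than rate * burst ARP packets
    have arrived inside any burst-second window.
    """

    def __init__(self, rate=15, burst=1):
        self.rate = rate
        self.burst = burst
        self.window = deque()      # arrival times still inside the current window
        self.errdisabled = False

    def arrive(self, t: float) -> str:
        """Register one ARP packet arriving at time t (seconds); return its fate."""
        if self.rate is None:
            return "forward"       # unlimited port (e.g. a trusted uplink)
        if self.errdisabled:
            return "errdisabled"   # port is down; nothing is forwarded any more
        self.window.append(t)
        while t - self.window[0] >= self.burst:
            self.window.popleft()  # drop arrivals older than the burst interval
        if len(self.window) > self.rate * self.burst:
            self.errdisabled = True
            return "errdisabled"
        return "forward"


def replay(arrivals, rate=15, burst=1):
    """Feed arrival timestamps to a fresh limiter; return (forwarded, errdisabled)."""
    port = ArpRateLimiter(rate, burst)
    forwarded = sum(1 for t in arrivals if port.arrive(t) == "forward")
    return forwarded, port.errdisabled


# Constructed arrival patterns
STORM = [i * 0.05 for i in range(16)]   # 16 ARP packets inside one second
STEADY = [i * 0.1 for i in range(30)]   # 10 pps sustained for three seconds

if __name__ == "__main__":
    print("default 15 pps, storm :", replay(STORM))
    print("rate 20 (Fa0/3), storm:", replay(STORM, rate=20))
    print("limit none, storm     :", replay(STORM, rate=None))
    print("default, steady 10 pps:", replay(STEADY))
```

With the default setting the 16th packet of the storm err-disables the port, while the same storm is absorbed once the rate is raised to 20 as the page does on Fa0/3.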

log tuning

ARP inspection logs the ARP packets it drops as follows.

SW1#
*Mar  1 02:49:47.259: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 100.([0000.0000.0005/192.168.100.5/0000.0000.0000/192.168.100.8/02:49:46 UTC Mon Mar 1 1993])
*Mar  1 02:49:47.259: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/13, vlan 100.([0019.2f45.ec41/192.168.100.8/0000.0000.0003/192.168.100.3/02:49:46 UTC Mon Mar 1 1993])
SW1#
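An added parser for the %SW_DAI-4-ACL_DENY messages shown above, so that drops can be totalled per port and per sender instead of being read by eye; this is not Cisco code. The first two sample lines are copied from the output above, the third is constructed (it uses the DHCP_SNOOPING_DENY variant of the same message and a count of 3 to show that the count field is summed).

```python
# Added parser for %SW_DAI-4-*_DENY syslog lines. Not Cisco code.
import re
from collections import Counter

# The bracketed tuple is sender MAC / sender IP / target MAC / target IP / timestamp.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-(?P<msg>\w+): (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<port>[^,]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<sender_mac>[0-9a-f.]+)/(?P<sender_ip>[\d.]+)/"
    r"(?P<target_mac>[0-9a-f.]+)/(?P<target_ip>[\d.]+)/(?P<ts>[^\]]+)\]\)"
)

# First two lines copied from this page; third line constructed for the example.
SAMPLE_LOG = """\
*Mar  1 02:49:47.259: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 100.([0000.0000.0005/192.168.100.5/0000.0000.0000/192.168.100.8/02:49:46 UTC Mon Mar 1 1993])
*Mar  1 02:49:47.259: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/13, vlan 100.([0019.2f45.ec41/192.168.100.8/0000.0000.0003/192.168.100.3/02:49:46 UTC Mon Mar 1 1993])
*Mar  1 02:50:03.101: %SW_DAI-4-DHCP_SNOOPING_DENY: 3 Invalid ARPs (Req) on Fa0/5, vlan 100.([0000.0000.0005/192.168.100.5/0000.0000.0000/192.168.100.9/02:50:02 UTC Mon Mar 1 1993])
"""


def parse_dai_log(text: str) -> list:
    """Return one dict per recognised DAI deny line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DAI_DENY_RE.search(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["count"] = int(ev["count"])
        ev["vlan"] = int(ev["vlan"])
        events.append(ev)
    return events


def drops_by_port(events) -> dict:
    """Total dropped ARPs per ingress port (the count field is summed)."""
    totals = Counter()
    for ev in events:
        totals[ev["port"]] += ev["count"]
    return dict(totals)


def drops_by_sender(events) -> dict:
    """Total dropped ARPs per (sender IP, sender MAC) pair claimed in the ARP body."""
    totals = Counter()
    for ev in events:
        totals[(ev["sender_ip"], ev["sender_mac"])] += ev["count"]
    return dict(totals)


if __name__ == "__main__":
    evs = parse_dai_log(SAMPLE_LOG)
    for ev in evs:
        print(f'{ev["msg"]:<20} {ev["kind"]} {ev["port"]:<7} '
              f'{ev["sender_ip"]:<15} {ev["sender_mac"]} x{ev["count"]}')
    print("drops per port  :", drops_by_port(evs))
    print("drops per sender:", drops_by_sender(evs))
```

Grouping by the (sender IP, sender MAC) pair is the useful view for a defender: a port that keeps producing denies for an IP that belongs to another host's binding is the pattern a spoofing attempt leaves behind.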

If every drop were logged, logging itself would become a bottleneck and degrade performance. The following commands therefore define how many log entries are held in the buffer and how fast system messages are generated from them. By default, up to 32 entries are buffered and 5 system messages are generated per 1-second interval.

Router(config)# ip arp inspection log-buffer entries <num>
Router(config)# ip arp inspection log-buffer logs <num> interval <sec>

arp request validation

In the default state, dynamic ARP inspection checks ARP responses only. With the following command, ARP requests can be checked as well. The meaning of each check item is as follows.

param    description
-------  -----------------------------------------------------------------------------
src-mac  Check the source MAC address in the Ethernet header against the sender MAC
         address in the ARP body. This check is performed on both ARP requests and
         responses. When enabled, packets with different MAC addresses are classified
         as invalid and are dropped.
dst-mac  Check the destination MAC address in the Ethernet header against the target
         MAC address in the ARP body. This check is performed for ARP responses. When
         enabled, packets with different MAC addresses are classified as invalid and
         are dropped.
ip       Check the ARP body for invalid and unexpected IP addresses. Addresses include
         0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses
         are checked in all ARP requests and responses, and target IP addresses are
         checked only in ARP responses.

Router(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
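The three optional checks from the table above as an added Python function, not Cisco code. Each check is applied exactly as the table states it (src-mac on requests and responses, dst-mac on responses only, ip on the sender address always and on the target address only in responses). The frames at the bottom are constructed; the good one mirrors the SW2 to R3 reply seen in the page's logs, and each of the others violates a single check.

```python
# Added illustration of "ip arp inspection validate {[src-mac] [dst-mac] [ip]}".
# Not Cisco code; sample frames are constructed.
from ipaddress import IPv4Address


def mac_digits(mac: str) -> str:
    """Compare MACs on hex digits only, so 0019.2f45.ec41 equals 00:19:2F:45:EC:41."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def is_invalid_ip(ip: str) -> bool:
    """The addresses the ip check rejects: 0.0.0.0, 255.255.255.255 and multicast."""
    addr = IPv4Address(ip)
    return addr in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or addr.is_multicast


ALL_CHECKS = frozenset({"src-mac", "dst-mac", "ip"})


def validate(frame: dict, checks=ALL_CHECKS) -> list:
    """Return the names of the failed checks for one ARP frame (empty list = passes).

    frame keys: eth_src, eth_dst (Ethernet header); op ("request" | "response");
                sender_mac, sender_ip, target_mac, target_ip (ARP body).
    checks:     any subset of {"src-mac", "dst-mac", "ip"}, as on the CLI.
    """
    failures = []
    # src-mac: Ethernet source vs ARP sender MAC, on requests and responses alike
    if "src-mac" in checks and mac_digits(frame["eth_src"]) != mac_digits(frame["sender_mac"]):
        failures.append("src-mac")
    # dst-mac: Ethernet destination vs ARP target MAC, on responses only
    if ("dst-mac" in checks and frame["op"] == "response"
            and mac_digits(frame["eth_dst"]) != mac_digits(frame["target_mac"])):
        failures.append("dst-mac")
    # ip: sender IP in every packet, target IP only in responses
    if "ip" in checks:
        if is_invalid_ip(frame["sender_ip"]):
            failures.append("ip (sender)")
        if frame["op"] == "response" and is_invalid_ip(frame["target_ip"]):
            failures.append("ip (target)")
    return failures


# Constructed frames. GOOD_RESPONSE mirrors the page's SW2 -> R3 reply.
GOOD_RESPONSE = dict(eth_src="0019.2f45.ec41", eth_dst="0000.0000.0003", op="response",
                     sender_mac="0019.2f45.ec41", sender_ip="192.168.100.8",
                     target_mac="0000.0000.0003", target_ip="192.168.100.3")
# Request whose ARP body claims R1's MAC while the Ethernet source is SW2's
SRC_MISMATCH_REQUEST = dict(eth_src="0019.2f45.ec41", eth_dst="ffff.ffff.ffff", op="request",
                            sender_mac="0000.0000.0001", sender_ip="192.168.100.1",
                            target_mac="0000.0000.0000", target_ip="192.168.100.8")
# Response whose ARP target MAC differs from the Ethernet destination
DST_MISMATCH_RESPONSE = dict(GOOD_RESPONSE, target_mac="0000.0000.0005")
# Response carrying a broadcast target IP
BAD_IP_RESPONSE = dict(GOOD_RESPONSE, target_ip="255.255.255.255")
# Consistent request with sender IP 0.0.0.0: rejected only when the ip check is on
ZERO_SENDER_REQUEST = dict(SRC_MISMATCH_REQUEST, eth_src="0000.0000.0001", sender_ip="0.0.0.0")

if __name__ == "__main__":
    samples = [("good response", GOOD_RESPONSE), ("src mismatch", SRC_MISMATCH_REQUEST),
               ("dst mismatch", DST_MISMATCH_RESPONSE), ("bad target ip", BAD_IP_RESPONSE),
               ("zero sender ip", ZERO_SENDER_REQUEST)]
    for name, frame in samples:
        print(f"{name:<15} all checks -> {validate(frame) or 'pass'}")
```

The last frame is the one to keep in mind operationally: a request with sender IP 0.0.0.0 is internally consistent and passes src-mac, but the ip check classifies it as invalid, so enabling `ip` changes what is dropped even when no address is spoofed.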

Minimum configuration

Applying the configuration

Apply the minimum ARP inspection configuration.

 [SW1]
ip arp inspection vlan 100

Verification

Check which hosts SW2 can reach. It turns out that SW2 can reach only SW3.

 [SW2]
SW2#clear arp-cache
SW2#
SW2#
SW2#ping 192.168.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
SW2#
SW2#
SW2#ping 192.168.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.3, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
SW2#
SW2#
SW2#ping 192.168.100.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1007 ms
SW2#

With the minimum configuration, only the DHCP clients are reachable. Because what DHCP snooping records is the DHCP discover exchange, no binding between the DHCP server's MAC address and IP address exists in the snooping database. To be sure, also check SW1's snooping database with the following command.

 [SW1]
SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:19:2F:45:EC:41   192.168.100.8    83392       dhcp-snooping   100   FastEthernet0/13
00:0A:B7:DC:9B:00   192.168.100.9    84322       dhcp-snooping   100   FastEthernet0/16
Total number of bindings: 2

SW1#

trust interface

Applying the configuration

Enter the following commands so that f0/1, the port where DHCP server R1 is connected, is trusted unconditionally.

 [SW1]
interface FastEthernet0/1
 ip arp inspection trust

Verification

Confirm that R1 has become reachable.

 [SW2]
SW2#ping 192.168.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
SW2#

static entry

Applying the configuration

Add a static entry for R3.

 [SW1]
arp access-list ARP_LIST
 permit ip host 192.168.100.3 mac host 0.0.3
!
ip arp inspection filter ARP_LIST vlan 100

Verification

Confirm that R3 has become reachable.

 [SW2]
SW2#ping 192.168.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1006 ms
SW2#

static arp inspection

Applying the configuration

Switch to checking against the ARP access-list only, without using the snooping database.

 [SW1]
ip arp inspection filter ARP_LIST vlan 100 static

Verification

Confirm that only R1 (on the trusted interface) and R3 (defined in the ARP access-list) can reach each other.

 [R3]
R3#ping 192.168.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#
R3#
R3#ping 192.168.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#
R3#
R3#ping 192.168.100.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#

arp rate limit

Applying the configuration

Change the ARP rate limit on the port connected to R3.

 [SW1]
interface FastEthernet0/3
 ip arp inspection limit rate 20

Verification

Because reproducing a large volume of ARP traffic is difficult, verification is limited to the show command.

 [SW1]
SW1#show ip arp inspection interfaces

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Fa0/1            Trusted               None               N/A
 Fa0/2            Untrusted               15                 1
 Fa0/3            Untrusted               20                 1
 Fa0/4            Untrusted               15                 1
 Fa0/5            Untrusted               15                 1
 Fa0/6            Untrusted               15                 1

 <omitted>

SW1#

log tuning

Applying the configuration

Allow more log output than in the default state.

 [SW1]
ip arp inspection log-buffer entries 20
ip arp inspection log-buffer logs 7 interval 1

Verification

Verify the configuration with the show command.

 [SW1]
SW1#show ip arp inspection log
Total Log Buffer Size : 20
Syslog rate : 7 entries per 1 seconds.

No entries in log buffer.
SW1#

arp request validation

Applying the configuration

Enable validation that covers ARP requests as well.

 [SW1]
ip arp inspection validate src-mac dst-mac ip

Verification

Verify the configuration with the show command.

 [SW1]
SW1#show ip arp inspection

Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  100     Enabled          Active      ARP_LIST           Yes

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
  100     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
  100             90             82             40             42

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
  100             48             37              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
  100                   0                        0                       0
SW1#