Concept Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON

281

282

283

284

285

286

287

288

289

290

interface interface-name

3 Congure ARP packet inspection rate limiting.

INTERFACE CONFIGURATION mode

arp inspection-limit {rate pps [interval seconds]}

The rate packet per second (pps) range is from 1 to 2048. The default is 15.

The rate burst interval range is from 1 to 15 seconds. The default is 1.

Examples of viewing the ARP inspection-limit information

DellEMC# show running-config interface gigabitethernet 1/1

interface GigabitEthernet 1/1

no ip address

switchport

arp inspection-limit rate 15 interval 1

no shutdown

DellEMC#

Bypassing the ARP Inspection

You can congure a port to skip ARP inspection by dening the interface as trusted, which is useful in multi-switch environments.

ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default.

To bypass the ARP inspection, use the following command.

• Specify an interface as trusted so that ARPs are not validated against the binding table.

INTERFACE mode

arp inspection-trust

Dynamic ARP inspection is supported on Layer 2 and Layer 3.

Source Address Validation

Using the DHCP binding table, Dell EMC Networking OS can perform three types of source address validation (SAV).

Table 17. Three Types of Source Address Validation

Source Address Validation Description

IP Source Address Validation Prevents IP spoong by forwarding only IP packets that have been

validated against the DHCP binding table.

DHCP MAC Source Address Validation Veries a DHCP packet’s source hardware address matches the

client hardware address eld (CHADDR) in the payload.

IP+MAC Source Address Validation Veries that the IP source address and MAC source address are a

legitimate pair.

Enabling IP Source Address Validation

IP source address validation (SAV) prevents IP spoong by forwarding only IP packets that have been validated against the DHCP binding

table.

A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using ARP spoong,

an attacker can assume a legitimate client’s identity and receive trac addressed to it. Then the attacker can spoof the client’s IP address

to interact with other clients.

Dynamic Host

Conguration Protocol (DHCP) 287