Owner's Manual
460 | Chapter 17. Security
NETGEAR 8800 User Manual
In addition, to protect the IP addresses of the hosts that appear as secure entries in the ARP
table, use the following commands to enable DHCP snooping, DHCP secured ARP, and
gratuitous ARP on the switch:
• enable ip-security dhcp-snooping {vlan} <vlan_name> ports [all | <ports>] violation-action [drop-packet {[block-mac | block-port] [duration <duration_in_seconds> | permanently] | none]}] {snmp-trap}
• enable ip-security arp learning learn-from-dhcp {vlan} <vlan_name> ports [all | <ports>]
• enable ip-security arp gratuitous-protection {vlan} [all | <vlan_name>]
To disable gratuitous ARP protection, use the following command:
disable ip-security arp gratuitous-protection {vlan} [all | <vlan_name>]
Displaying Gratuitous ARP Information
To display information about gratuitous ARP, use the following command:
show ip-security arp gratuitous-protection
The following is sample output from this command:
Gratuitous ARP Protection enabled on following VLANs:
Default, test
ARP Validation
ARP validation is also linked to the “DHCP snooping” feature. The same DHCP bindings
database created when you enabled DHCP snooping is also used to validate ARP entries
arriving on the specified ports.
Validation Option: DHCP
  Source IP is not present in the DHCP snooping database OR is present but Source Hardware Address doesn't match the MAC in the DHCP bindings entry
Validation Option: IP
  ARP Request Packet Type: Source IP == Mcast OR Target IP == Mcast OR Source IP is not present in the DHCP snooping database OR Source IP exists in the DHCP bindings database but Source Hardware Address doesn't match the MAC in the DHCP bindings entry
  ARP Response Packet Type: Source IP == Mcast OR Target IP == Mcast
Validation Option: Source-MAC
  ARP Request Packet Type: Ethernet source MAC does not match the Source Hardware Address
  ARP Response Packet Type: Ethernet source MAC does not match the Source Hardware Address.
Validation Option: Destination-MAC
  Ethernet destination MAC does not match the Target Hardware Address
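
The validation options above, evaluated against a DHCP bindings database, as an added Python example that is not NETGEAR's code. The names ArpPacket, violated_options and the sample bindings are hypothetical. Because the page lists a single condition for DHCP and for Destination-MAC, the example assumes the DHCP check applies to both packet types and the Destination-MAC check to responses only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ArpPacket:
    op: str        # "request" or "response"
    eth_src: str   # Ethernet source MAC
    eth_dst: str   # Ethernet destination MAC
    sha: str       # ARP Source Hardware Address
    spa: str       # ARP Source IP
    tha: str       # ARP Target Hardware Address
    tpa: str       # ARP Target IP

def is_mcast(ip):
    return ipaddress.ip_address(ip).is_multicast

def binding_mismatch(pkt, bindings):
    """Source IP absent from the DHCP bindings, or bound to a different MAC."""
    mac = bindings.get(pkt.spa)
    return mac is None or mac.lower() != pkt.sha.lower()

def violated_options(pkt, bindings, enabled):
    """Return the enabled validation options that pkt fails."""
    failed = []
    if "DHCP" in enabled and binding_mismatch(pkt, bindings):
        failed.append("DHCP")  # assumption: checked for requests and responses
    if "IP" in enabled:
        bad = is_mcast(pkt.spa) or is_mcast(pkt.tpa)
        if pkt.op == "request":  # binding check is listed for requests only
            bad = bad or binding_mismatch(pkt, bindings)
        if bad:
            failed.append("IP")
    if "Source-MAC" in enabled and pkt.eth_src.lower() != pkt.sha.lower():
        failed.append("Source-MAC")
    if ("Destination-MAC" in enabled and pkt.op == "response"  # assumption
            and pkt.eth_dst.lower() != pkt.tha.lower()):
        failed.append("Destination-MAC")
    return failed

# Constructed sample data: DHCP bindings (IP -> MAC) and three ARP packets.
BINDINGS = {"10.0.0.10": "00:11:22:33:44:55", "10.0.0.20": "00:11:22:33:44:66"}
ALL = {"DHCP", "IP", "Source-MAC", "Destination-MAC"}
GOOD = ArpPacket("request", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff",
                 "00:11:22:33:44:55", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.20")
# Response claiming 10.0.0.20 from the MAC that the bindings tie to 10.0.0.10.
SPOOF = ArpPacket("response", "00:11:22:33:44:55", "00:11:22:33:44:66",
                  "00:11:22:33:44:55", "10.0.0.20", "00:11:22:33:44:66", "10.0.0.10")
# Request whose ARP payload matches a binding but not the Ethernet header.
FORGED = ArpPacket("request", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff",
                   "00:11:22:33:44:66", "10.0.0.20", "00:00:00:00:00:00", "10.0.0.10")
```

With only the IP option enabled, the SPOOF response passes, because the table's response column for IP lists only the multicast conditions; the DHCP option is what catches it in this example.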










