ARP
Address Resolution Protocol (ARP) is a fundamental Layer 2 protocol that maps IP addresses to MAC addresses within local network segments, enabling communication between devices on the same subnet. It maintains an ARP table (cache) of IP-to-MAC address mappings and includes security features like ARP inspection to prevent ARP spoofing attacks. Additional ARP features include configurable timeouts, proxy ARP for inter-subnet communication, and inspection filters to enhance network security and performance.
Diagram
Classes
configuration (iosxe.devices)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| arp | Class | [arp] | No |
arp (iosxe.devices.configuration)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| incomplete_entries | Integer | min: 1, max: 2147483647 | No | |
| proxy_disable | Boolean | true, false | No | |
| entry_learn | Integer | min: 255, max: 512000 | No | |
| inspection_filters | List | [inspection_filters] | No | |
| inspection_validate_src_mac | Boolean | true, false | No | |
| inspection_validate_dst_mac | Boolean | true, false | No | |
| inspection_validate_ip | Boolean | true, false | No | |
| inspection_validate_allow_zeros | Boolean | true, false | No | |
| inspection_log_buffer_entries | Integer | min: 0, max: 1024 | No | |
| inspection_log_buffer_logs_entries | Integer | min: 0, max: 1024 | No | |
| inspection_log_buffer_logs_interval | Integer | min: 0, max: 86400 | No | |
| inspection_vlan | String | No |
inspection_filters (iosxe.devices.configuration.arp)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| vlans | List | [vlans] | No |
vlans (iosxe.devices.configuration.arp.inspection_filters)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vlan_range | String | Yes | ||
| static | Boolean | true, false | No |
By configuring ARP parameters, including inspection, validation, and filters, network administrators can enhance network security, prevent spoofing attacks, and ensure efficient address resolution. These configurations are crucial for maintaining the integrity of local network segments.
ARP Parameters:
- Incomplete Entries Timeout
- Proxy ARP Disable
- Entry Learn Limit
- Inspection Validate Source MAC
- Inspection Validate Destination MAC
- Inspection Validate IP
- Inspection Validate Allow Zeros
- Inspection Log Buffer Entries
- Inspection Log Buffer Logs Entries
- Inspection Log Buffer Logs Interval
- Inspection VLANs (Deprecated, use Filters)
- Inspection Filters (Name, VLAN Range, Static/Dynamic)
You can use these ARP parameters to define precise address resolution behavior and security policies for your network devices. Customize the timeouts, validation rules, and inspection filters to fit your network’s security and operational needs. Adjusting these parameters lets you tailor ARP control for your environment.
Sample Configuration:
The following configuration describes how to set up ARP inspection and related parameters on an IOS-XE device. It lists how to define validation rules, logging, and inspection filters.
ip arp inspection vlan 10,20-30ip arp inspection validate src-mac dst-mac ipip arp inspection log-buffer entries 512ip arp inspection log-buffer logs 100 interval 300ip arp inspection filter TRUSTED_HOSTS vlan 20-30ip arp inspection filter TRUSTED_HOSTS vlan 10 staticip arp inspection filter GUEST_NETWORK vlan 100-110Example Code:
iosxe: devices: - name: Device1 configuration: arp: incomplete_entries: 1000 proxy_disable: false entry_learn: 8000 inspection_validate_src_mac: true inspection_validate_dst_mac: true inspection_validate_ip: true inspection_validate_allow_zeros: false inspection_log_buffer_entries: 512 inspection_log_buffer_logs_entries: 100 inspection_log_buffer_logs_interval: 300 inspection_vlan: "10,20-30" inspection_filters: - name: TRUSTED_HOSTS vlans: - vlan_range: "10" static: true - vlan_range: "20-30" static: false - name: GUEST_NETWORK vlans: - vlan_range: "100-110"