ARP

Address Resolution Protocol (ARP) is a fundamental Layer 2 protocol that maps IP addresses to MAC addresses within local network segments, enabling communication between devices on the same subnet. It maintains an ARP table (cache) of IP-to-MAC address mappings and includes security features like ARP inspection to prevent ARP spoofing attacks. Additional ARP features include configurable timeouts, proxy ARP for inter-subnet communication, and inspection filters to enhance network security and performance.

By configuring ARP parameters, including inspection, validation, and filters, network administrators can enhance network security, prevent spoofing attacks, and ensure efficient address resolution. These configurations are crucial for maintaining the integrity of local network segments.

• Incomplete Entries Timeout
• Proxy ARP Disable
• Entry Learn Limit
• Inspection Validate Source MAC
• Inspection Validate Destination MAC
• Inspection Validate IP
• Inspection Validate Allow Zeros
• Inspection Log Buffer Entries
• Inspection Log Buffer Logs Entries
• Inspection Log Buffer Logs Interval
• Inspection VLANs (Deprecated, use Filters)
• Inspection Filters (Name, VLAN Range, Static/Dynamic)

You can use these ARP parameters to define precise address resolution behavior and security policies for your network devices. Customize the timeouts, validation rules, and inspection filters to fit your network’s security and operational needs. Adjusting these parameters lets you tailor ARP control for your environment.

The following configuration describes how to set up ARP inspection and related parameters on an IOS-XE device. It lists how to define validation rules, logging, and inspection filters.

ip arp inspection vlan 10,20-30
ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 512
ip arp inspection log-buffer logs 100 interval 300
ip arp inspection filter TRUSTED_HOSTS vlan  20-30
ip arp inspection filter TRUSTED_HOSTS vlan  10 static
ip arp inspection filter GUEST_NETWORK vlan  100-110

iosxe:
  devices:
    - name: Device1
      configuration:
        arp:
          incomplete_entries: 1000
          proxy_disable: false
          entry_learn: 8000
          inspection_validate_src_mac: true
          inspection_validate_dst_mac: true
          inspection_validate_ip: true
          inspection_validate_allow_zeros: false
          inspection_log_buffer_entries: 512
          inspection_log_buffer_logs_entries: 100
          inspection_log_buffer_logs_interval: 300
          inspection_vlan: "10,20-30"
          inspection_filters:
            - name: TRUSTED_HOSTS
              vlans:
                - ids: [10, 50]
                  ranges:
                    - from: 20
                      to: 30
                  static: true
                - ids: [60]
                  static: false
            - name: GUEST_NETWORK
              vlans:
                - ids: [100, 105]
                  ranges:
                    - from: 110
                      to: 120