ARP

Address Resolution Protocol (ARP) is a fundamental Layer 2 protocol that maps IP addresses to MAC addresses within local network segments, enabling communication between devices on the same subnet. Devices maintain an ARP table (cache) of IP-to-MAC address mappings, and the device can apply security features such as ARP inspection to prevent ARP spoofing attacks. Additional ARP features include configurable timeouts, proxy ARP for inter-subnet communication, and inspection filters to enhance network security and performance.

Classes

configuration (iosxe.devices)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| arp | Class | [arp] | No | |

arp (iosxe.devices.configuration)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| incomplete_entries | Integer | min: 1, max: 2147483647 | No | |
| proxy_disable | Boolean | true, false | No | |
| entry_learn | Integer | min: 255, max: 512000 | No | |
| inspection_filters | List | [inspection_filters] | No | |
| inspection_validate_src_mac | Boolean | true, false | No | |
| inspection_validate_dst_mac | Boolean | true, false | No | |
| inspection_validate_ip | Boolean | true, false | No | |
| inspection_validate_allow_zeros | Boolean | true, false | No | |
| inspection_log_buffer_entries | Integer | min: 0, max: 1024 | No | |
| inspection_log_buffer_logs_entries | Integer | min: 0, max: 1024 | No | |
| inspection_log_buffer_logs_interval | Integer | min: 0, max: 86400 | No | |
| inspection_vlan | String | | No | |

inspection_filters (iosxe.devices.configuration.arp)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| vlans | List | [vlans] | No | |

vlans (iosxe.devices.configuration.arp.inspection_filters)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vlan_range | String | | Yes | |
| static | Boolean | true, false | No | |

By configuring ARP parameters, including inspection, validation, and filters, network administrators can enhance network security, prevent spoofing attacks, and ensure efficient address resolution. These configurations are crucial for maintaining the integrity of local network segments.

ARP Parameters:

  • Incomplete Entries Timeout
  • Proxy ARP Disable
  • Entry Learn Limit
  • Inspection Validate Source MAC
  • Inspection Validate Destination MAC
  • Inspection Validate IP
  • Inspection Validate Allow Zeros
  • Inspection Log Buffer Entries
  • Inspection Log Buffer Logs Entries
  • Inspection Log Buffer Logs Interval
  • Inspection VLANs (Deprecated, use Filters)
  • Inspection Filters (Name, VLAN Range, Static/Dynamic)

You can use these ARP parameters to define precise address resolution behavior and security policies for your network devices. Customize the timeouts, validation rules, and inspection filters to fit your network’s security and operational needs.

Sample Configuration:

The following configuration shows how to set up ARP inspection and related parameters on an IOS-XE device, including validation rules, logging, and inspection filters.

```
ip arp inspection vlan 10,20-30
ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 512
ip arp inspection log-buffer logs 100 interval 300
ip arp inspection filter TRUSTED_HOSTS vlan 20-30
ip arp inspection filter TRUSTED_HOSTS vlan 10 static
ip arp inspection filter GUEST_NETWORK vlan 100-110
```

Example Code:

```yaml
iosxe:
  devices:
    - name: Device1
      configuration:
        arp:
          incomplete_entries: 1000
          proxy_disable: false
          entry_learn: 8000
          inspection_validate_src_mac: true
          inspection_validate_dst_mac: true
          inspection_validate_ip: true
          inspection_validate_allow_zeros: false
          inspection_log_buffer_entries: 512
          inspection_log_buffer_logs_entries: 100
          inspection_log_buffer_logs_interval: 300
          inspection_vlan: "10,20-30"
          inspection_filters:
            - name: TRUSTED_HOSTS
              vlans:
                - vlan_range: "10"
                  static: true
                - vlan_range: "20-30"
                  static: false
            - name: GUEST_NETWORK
              vlans:
                - vlan_range: "100-110"
```
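
One way to check an `arp` block against the constraints in the tables above before it is deployed, as an added example that is not part of the data model's own tooling. The names `validate_arp`, `expand_vlans` and `SAMPLE` are hypothetical, and the 1-4094 VLAN ID bound is an assumption taken from 802.1Q rather than from this page.

```python
INT_RANGES = {  # (min, max), copied from the arp class table
    "incomplete_entries": (1, 2147483647), "entry_learn": (255, 512000),
    "inspection_log_buffer_entries": (0, 1024),
    "inspection_log_buffer_logs_entries": (0, 1024),
    "inspection_log_buffer_logs_interval": (0, 86400),
}
BOOLEANS = {"proxy_disable", "inspection_validate_src_mac", "inspection_validate_dst_mac",
            "inspection_validate_ip", "inspection_validate_allow_zeros"}

def expand_vlans(spec):
    """Expand a list such as '10,20-30' into a set of VLAN IDs (ValueError if malformed)."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:  # assumption: 802.1Q ID bounds, not stated on the page
            raise ValueError(f"bad VLAN range {part!r}")
        ids.update(range(lo, hi + 1))
    return ids

def validate_arp(arp):
    """Return a list of constraint violations; an empty list means the block is valid."""
    errors = []
    for key, value in arp.items():
        if key in INT_RANGES:
            lo, hi = INT_RANGES[key]
            if type(value) is not int or not lo <= value <= hi:
                errors.append(f"{key}: {value!r} is not an integer in {lo}..{hi}")
        elif key in BOOLEANS and type(value) is not bool:
            errors.append(f"{key}: {value!r} is not a boolean")
    vlan_specs = [("inspection_vlan", arp["inspection_vlan"])] if "inspection_vlan" in arp else []
    for flt in arp.get("inspection_filters", []):
        if not flt.get("name"):
            errors.append("inspection_filters: name is mandatory")
        for vlan in flt.get("vlans", []):
            vlan_specs.append((f"filter {flt.get('name')}", vlan.get("vlan_range")))
            if type(vlan.get("static", False)) is not bool:
                errors.append(f"filter {flt.get('name')}: static is not a boolean")
    for label, spec in vlan_specs:
        try:
            expand_vlans(spec)
        except (ValueError, AttributeError):  # AttributeError: missing or not a string
            errors.append(f"{label}: invalid or missing VLAN list {spec!r}")
    return errors

# Constructed sample: part of the page's example with entry_learn set below its minimum.
SAMPLE = {"entry_learn": 100, "inspection_vlan": "10,20-30", "inspection_filters": [
    {"name": "TRUSTED_HOSTS", "vlans": [{"vlan_range": "10", "static": True}]}]}
print(validate_arp(SAMPLE))
```

Running the check in a pipeline before the YAML is rendered to the device catches a mistyped VLAN list or an out-of-range value that would otherwise leave a VLAN without the intended inspection settings.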