
ip arp inspection validate src-mac dst-mac ip

Enable validation of the source MAC, destination MAC, and IP addresses in ARP packets received on untrusted ports, to help prevent ARP spoofing attacks.

Syntax (Global Config)
ip arp inspection validate src-mac dst-mac ip

When to Use This Command

  • Prevent ARP cache poisoning by validating that the source MAC in the Ethernet header matches the sender MAC in the ARP body for packets arriving on an untrusted port.
  • Ensure that, for ARP replies, the destination MAC in the Ethernet header matches the target MAC in the ARP body.
  • Reject ARP packets that carry invalid IP addresses (e.g., broadcast or multicast addresses) to block malformed ARP packets.
  • Use in combination with DHCP snooping to enforce IP-to-MAC binding consistency.
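The three checks listed above can be modelled on a raw Ethernet/ARP frame. The following Python validator is an added illustration, not code from this page or from any switch vendor: the sample frames are constructed inline, and the reply-only scope of the destination-MAC and target-IP checks is assumed to match the documented Dynamic ARP Inspection behaviour.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

def parse_arp_frame(frame: bytes) -> dict:
    """Extract the Ethernet header and ARP body fields the three checks compare."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    # ARP body: htype, ptype, hlen, plen (skipped), op, sender MAC/IP, target MAC/IP
    op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op, "sha": sha,
            "spa": IPv4Address(spa), "tha": tha, "tpa": IPv4Address(tpa)}

def invalid_ip(addr: IPv4Address) -> bool:
    """The 'ip' check rejects 0.0.0.0, 255.255.255.255 and any multicast address."""
    return addr.is_multicast or str(addr) in ("0.0.0.0", "255.255.255.255")

def validate(frame: bytes, src_mac=True, dst_mac=True, ip=True) -> list:
    """Return the names of failed checks; an empty list means the frame would be forwarded."""
    a = parse_arp_frame(frame)
    failed = []
    if src_mac and a["eth_src"] != a["sha"]:          # checked on requests and replies
        failed.append("src-mac")
    if dst_mac and a["op"] == ARP_REPLY and a["eth_dst"] != a["tha"]:  # replies only
        failed.append("dst-mac")
    if ip and (invalid_ip(a["spa"]) or (a["op"] == ARP_REPLY and invalid_ip(a["tpa"]))):
        failed.append("ip")
    return failed

def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Builder for the constructed sample frames below (Ethernet II + ARP over IPv4)."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha,
                      IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return eth + arp

HOST_A, HOST_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
OTHER = bytes.fromhex("00deadbeef01")   # constructed: a third station's MAC

# Consistent reply from HOST_A to HOST_B: passes all three checks.
GOOD_REPLY = build_frame(HOST_B, HOST_A, ARP_REPLY, HOST_A, "10.0.0.1", HOST_B, "10.0.0.2")
# Reply whose Ethernet source (OTHER) disagrees with the ARP sender MAC (HOST_A).
MISMATCHED_REPLY = build_frame(HOST_B, OTHER, ARP_REPLY, HOST_A, "10.0.0.1", HOST_B, "10.0.0.2")
# Broadcast request whose sender IP is a multicast address: fails only the 'ip' check.
BAD_IP_REQUEST = build_frame(BROADCAST, HOST_A, ARP_REQUEST, HOST_A, "224.0.0.1", bytes(6), "10.0.0.2")
```

Calling `validate()` with individual checks switched off mirrors configuring only a subset of the `src-mac`, `dst-mac` and `ip` keywords.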

Command Examples

Enable full ARP inspection validation globally

ip arp inspection validate src-mac dst-mac ip

No output is generated upon successful configuration. The command enables all three validation checks: source MAC, destination MAC, and IP address validation.

Verify ARP inspection validation settings

show ip arp inspection
Source MAC Validation : Enabled
Destination MAC Validation : Enabled
IP Address Validation : Enabled

Vlan     Configuration    Operation   ACL Match          Static ACL
----     -------------    ---------   ---------          ----------
1        Enabled          Active
10       Enabled          Active
20       Disabled         Inactive

Vlan     ACL Logging      DHCP Snooping
----     -----------      -------------
1        Deny             Enabled
10       Deny             Enabled
20       Deny             Disabled

The first three lines show the status of each validation check. The tables show per-VLAN ARP inspection status: 'Configuration' is the configured state, 'Operation' is the actual operational state (Active/Inactive), 'ACL Match' shows whether an ACL is applied, 'Static ACL' shows whether a static ACL is used, 'ACL Logging' shows the logging action, and 'DHCP Snooping' indicates whether DHCP snooping is enabled on the VLAN.

Understanding the Output

The 'show ip arp inspection' command displays the validation status for source MAC, destination MAC, and IP address; each should show 'Enabled' if configured. The per-VLAN table shows the configured and operational state; 'Active' means ARP inspection is running on that VLAN. 'ACL Match' indicates whether an ACL is applied to filter ARP packets. 'Static ACL' shows whether a static ACL is used instead of DHCP snooping. 'ACL Logging' shows the logging action (Deny/Log). 'DHCP Snooping' indicates whether DHCP snooping is enabled on the VLAN, which is required for dynamic ARP inspection to work. If a VLAN shows 'Inactive', check that DHCP snooping is enabled and that the VLAN is not shut down.

CCNA Exam Tips

1. CCNA 200-301: ARP inspection validation must be enabled globally; the command 'ip arp inspection validate src-mac dst-mac ip' enables all three checks at once.

2. CCNA 200-301: ARP inspection only works on VLANs where DHCP snooping is enabled; without DHCP snooping, you must use static ACLs.

3. CCNA 200-301: The 'show ip arp inspection' command shows per-VLAN status; look for 'Active' to confirm it's working.

4. CCNA 200-301: Remember that ARP inspection validates ARP packets only on untrusted ports; packets arriving on trusted ports are not inspected.

Common Mistakes

Mistake 1: Enabling ARP inspection without DHCP snooping on the VLAN, causing the operation to remain 'Inactive'.

Mistake 2: Forgetting to configure the 'ip arp inspection validate' command globally, so no validation checks are performed even if ARP inspection is enabled per VLAN.

Mistake 3: Applying ARP inspection to a VLAN that has no trusted ports defined, causing all ARP packets to be dropped.

Related Commands
