ARP Commands
arp (global)
To add a permanent entry in the Address Resolution Protocol (ARP) cache, use the arp command in global configuration mode. To remove an entry from the ARP cache, use the noform of this command.
arp {ip-address | vrf vrf-name} hardware-address encap-type [interface-type]
no arp {ip-address | vrf vrf-name} hardware-address encap-type [interface-type]
Syntax Description
Defaults
No entries are permanently installed in the ARP cache.
Command Modes
Global configuration
Command History
Usage Guidelines
The Cisco IOS software uses ARP cache entries to translate 32-bit IP addresses into 48-bit hardware addresses.
Because most hosts support dynamic resolution, you generally need not specify static ARP cache entries.
To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
Examples
The following is an example of a static ARP entry for a typical Ethernet host:
arp 10.31.7.19 0800.0900.1834 arpa
Related Commands
arp (interface)
To support a type of encapsulation for a specific network, such as Ethernet, Fiber Distributed Data Interface (FDDI), Frame Relay, and Token Ring, so that the 48-bit Media Access Control (MAC) address can be matched to a corresponding 32-bit IP address for address resolution, use the arp command in interface configuration mode. To disable an encapsulation type, use the no form of this command.
arp {arpa | frame-relay | snap}
no arp {arpa | frame-relay | snap}
Syntax Description
arpa | Standard Ethernet-style Address Resolution Protocol (ARP) (RFC 826). |
frame-relay | Enables ARP over a Frame Relay encapsulated interface. |
snap | ARP packets conforming to RFC 1042. |
Defaults
Standard Ethernet-style ARP
Command Modes
Interface configuration
Command History
Usage Guidelines
Unlike most commands that have multiple arguments, the arp command has arguments that are not mutually exclusive. Each command enables or disables a specific type of encapsulation.
Given a network protocol address (IP address), the arp frame-relay command determines the corresponding hardware address, which would be a data-link connection identifier (DLCI) for Frame Relay.
The show interfaces EXEC command displays the type of encapsulation being used on a particular interface. To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
Examples
The following example enables Frame Relay services:
interface ethernet 0
arp frame-relay
Related Commands
Command | Description |
|---|---|
clear arp-cache | Deletes all dynamic entries from the ARP cache. |
show interfaces | Displays statistics for all interfaces configured on the router or access server. |
arp access-list
To configure an Address Resolution Protocol access control list (ARP ACL) for ARP inspection and QoS filtering and enter the ARP ACL configuration submode, use the arp access-list command in global configuration mode. To remove the ARP ACL, use the no form of this command.
arp access-list name
no arp access-list name
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Usage Guidelines
Once you are in the ARP ACL configuration submode, you can add permit or deny clauses to permit or deny QoS to the flows. The following syntax is available in the ARP QoS ACL configuration submode for QoS filtering; all other configurations will be rejected at the time of the policy-map attachment to the interfaces:
{permit | deny} ip {any | host sender-ip [sender-ip-mask]} mac any
no {permit | deny} ip {any | host sender-ip [sender-ip-mask]} mac any
Once you are in the ARP ACL configuration submode, the following configuration commands are available for ARP inspection:
•
default—Sets a command to its defaults. You can use the deny and permit keywords and arguments to configure the default settings.
•deny—Specifies the packets to reject.
•exit—Exits the ACL configuration mode.
•no—Negates a command or set its defaults.
•permit— Specifies the packets to forward.
You can enter the permit or deny keywords to configure the permit or deny clauses to forward or drop ARP packets based on some matching criteria. The syntax for the permit anddeny keywords are as follows:
{permit | deny} ip {any | host sender-ip [sender-ip sender-ip-mask]} mac {any | host sender-mac [sender-mac-mask]} [log]
{permit | deny} request ip {any | host sender-ip [sender-ip-mask]} mac {any | host sender-mac [sender-mac-mask]} [log]
{permit | deny} response ip {any | host sender-ip [sender-ip-mask]} [any | host target-ip [target-ip-mask]] mac {any | host sender-mac [sender-mac-mask]} [any | host target-mac[target-mac-mask]] [log]
If you enter the ip keyword without the request or response keywords, the configuration applies to both requests and responses.
Once you define an ARP ACL, you can apply it to VLANs using the ip arp inspection filter command for ARP inspection.
Incoming ARP packets are compared against the ARP access list, and packets are permitted only if the access list permits them. If access lists deny packets because of explicit denies, they are dropped. If packets get denied because of the implicit deny, they are matched against the list of DHCP bindings, unless the access list is static or the packets are not compared against the bindings.
When a ARP access list is applied to a VLAN for dynamic ARP inspection, the ARP packets containing only IP-to-Ethernet MAC bindings are compared against the ACLs. All other type of packets are bridged in the incoming VLAN without any validation.
ACL entries are scanned in the order that you enter them. The first matching entry is used. To improve performance, place the most commonly used entries near the beginning of the ACL.
An implicit deny ip any mac any entry exists at the end of an ACL unless you include an explicit permit ip any mac any entry at the end of the list.
All new entries to an existing list are placed at the end of the list. You cannot add entries to the middle of a list.
Examples
This example shows how to create a new ARP ACL or enter the submode of an existing ARP ACL:
Router(config)# arp access-list arpacl22
Router(config-arp-nacl)#
This example shows how to create an ARP ACL named arp_filtering that denies QoS but permits MAC-layer ARP traffic:
Router(config)# arp access-list arp_filtering
Router(config-arp-nacl)# permit ip host 10.1.1.1 mac any
Router(config-arp-nacl)# deny ip any mac any
Router(config-arp-nacl)#
Related Commands
arp authorized
To disable dynamic Address Resolution Protocol (ARP) learning on an interface, use the arp authorized command in interface configuration mode. To reenable dynamic ARP learning, use the no form of this command.
arp authorized
no arp authorized
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Interface configuration
Command History
Release | Modification |
|---|---|
12.3(4)T | This command was introduced. |
12.2(33)SRC | This command was integrated into Cisco IOS Release 12.2(33)SRC. |
Usage Guidelines
The arp authorized command disables dynamic ARP learning on an interface. This command enhances security in public wireless LANs (PWLANs) by limiting the leasing of IP addresses to mobile users and authorized users. The mapping of IP address to MAC address for an interface can be installed only by the authorized subsystem. Unauthorized clients cannot respond to ARP requests.
If both static and authorized ARP are installing the same ARP entry, the static configuration overrides the authorized ARP entry. To install a static ARP entry use the arp (global) command. A nondynamic ARP entry can only be removed by using the same method by which it was installed.
The arp authorized command can only be specified on Ethernet interfaces and for Dynamic Host Configuration Protocol (DHCP) networks.
Examples
The following example disables dynamic ARP learning on interface Ethernet 0:
interface Ethernet0
ip address 10.0.0.1 255.255.255.0
arp authorized
Related Commands
Command | Description |
|---|---|
arp (global) | Adds a permanent entry in the ARP cache. |
update arp | Secures dynamic ARP entries in the ARP table to their corresponding DHCP bindings. |
arp log threshold entries
To enable an Address Resolution Protocol (ARP) trap so that the ARP log is triggered when a specific number of dynamically learned entries is reached on the router interface, use thearp log threshold entries command in interface configuration mode. To disable the ARP trap for the interface, use the no form of this command.
arp log threshold entries entry-count
no arp log threshold entries
Syntax Description
entry-count | Triggers the ARP log service when the number of dynamically learned entries on the interface reaches this threshold. The range is from 1 to 2147483647. |
Command Default
ARP trap is disabled for the interface.
Command Modes
Interface configuration
Command History
Usage Guidelines
This command enables an ARP trap for the router interface. When the number of dynamically learned entries on the interface exceeds the preconfigured amount, an ARP event message is written to system message logging (syslog) output.
A high number of learned entries on the interface might indicate anomalies such as an attempt to breach security through an ARP attack on the router. The threshold at which to configure the ARP log service trigger should be determined heuristically, based on the expected number of nodes the router will serve and the number of hosts on the interface.
To display information about the setting configured by the arp log threshold entries command, use the show running-config command. If an ARP trap is enabled for a given interface, the information for that interface command includes the arp log threshold entries command, followed by the threshold value.
To display the syslog history statistics and buffer contents, use the show logging command.
Examples
The following example shows how to enable an ARP trap so that the ARP log is triggered when 50 dynamically learned entries is reached on the Ethernet interface at slot 2, port 1:
Router(config)# interface ethernet2/1
Router(config-if)# arp log threshold entries 50
The following sample output from the show logging command shows that the ARP trap entry was triggered when 50 dynamic ARP entries was reached on the Ethernet interface at slot 2, port 1:
Router# show logging
Syslog logging: enabled (0 messages dropped, 39 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 309 messages logged, xml disabled,
filtering disabled
Exception Logging: size (8192 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 312 message lines logged
Log Buffer (65536 bytes):
Jan 27 18:27:32.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:27:31 PST Fri Jan 27 2006 to 10:27:32 PST Fri Jan 27 2006, configured from console by console.
Jan 27 18:27:32.431: %SYS-5-CONFIG_I: Configured from console by console
Jan 27 18:27:34.051: %ARP-4-TRAPENTRY: 50 dynamic ARP entries on Ethernet2/1 installed in the ARP table
Related Commands
arp packet-priority enable
To enable Address Resolution Protocol (ARP) packet priority on an interface, use the arp packet-priority enable command in interface configuration mode. To disable ARP packet priority, use the no form of this command.
arp packet-priority enable
no arp packet-priority enable
Syntax Description
This command has no arguments or keywords.
Command Default
By default, ARP packet priority is not enabled.
Command Modes
Interface configuration (config-if)
Command History
Release | Modification |
|---|---|
15.1(3)T | This command was introduced. |
15.1(1)S | This command was integrated into Cisco IOS Release 15.1(1)S. |
Usage Guidelines
Use the arp packet-priority enable command when a network congestion causes ARP packets to drop. Enabling ARP packet priority significantly reduces the number of ARP packet drops.
Before you configure the arp packet-priority enable command, you must configure an IP address for the interface and ensure that the interface is enabled. If the interface is disabled, use the no shutdown command to enable the interface.
Examples
The following example shows how to enable packet priority on a Fast Ethernet interface:
Router(config)# interface FastEthernet0/1
Router(config-if)# no shutdown
Router(config-if)# ip address 198.51.100.253 255.255.255.0
Router(config-if)# arp packet-priority enable
Related Commands
Command | Description |
|---|---|
interface | Configures an interface and enters interface configuration mode. |
ip address | Sets a primary or secondary IP address for an interface. |
shutdown (interface) | Disables an interface. |
arp probe interval
To control the the probing of authorized peers, use the arp probe interval command in interface configuration mode. To disable the probe, use the no form of this command.
arp probe interval seconds count count-number
no arp probe
Syntax Description
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification |
|---|---|
12.3(8)XX | This command was introduced. |
12.3(14)T | This command was integrated into Cisco IOS Release 12.3(14)T. |
Usage Guidelines
Once you configure the arp probe interval command, probing continues until you disable it using the no form of the command on all interfaces.
Examples
The following example shows a 2 second interval with a probe of the peer occurring 5 times:
interface ethernet 0
arp probe interval 2 count 5
Related Commands
arp timeout
To configure how long a dynamically learned IP address and its corresponding Media Control Access (MAC) address remain in the Address Resolution Protocol (ARP) cache, use thearp timeout command in interface configuration mode. To restore the default value, use the no form of this command.
arp timeout seconds
no arp timeout seconds
Syntax Description
seconds | Time (in seconds) that an entry remains in the ARP cache. A value of zero means that entries are never cleared from the cache. |
Defaults
14400 seconds (4 hours)
Command Modes
Interface configuration
Command History
Usage Guidelines
This command is ignored when issued on interfaces that do not use ARP. The show interfaces EXEC command displays the ARP timeout value. The value follows the "Entry Timeout:" heading, as seen in the following example from the show interfaces command:
ARP type: ARPA, PROBE, Entry Timeout: 14400 sec
Examples
The following example sets the ARP timeout to 12000 seconds to allow entries to time out more quickly than the default:
interface ethernet 0
arp timeout 12000
Related Commands
Command | Description |
|---|---|
show interfaces | Displays statistics for all interfaces configured on the router or access server. |
clear arp-cache
To refresh dynamically created entries from the Address Resolution Protocol (ARP) cache, use the clear arp-cache command in privileged EXEC mode.
clear arp-cache [interface type number | [vrf vrf-name] ip-address]
Syntax Description
Command Default
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command updates the dynamically learned IP address and MAC address mapping information in the ARP table to ensure the validity of those entries. If the refresh operation encounters any stale entries (dynamic ARP entries that have expired but have not yet been aged out by an internal, timer-driven process), those entries are aged out of the ARP table immediately as opposed to at the next refresh interval.
Note By default, dynamically learned ARP entries remain in the ARP table for four minutes.
The clear arp-cache command can be entered multiple times to refresh dynamically created entries from the ARP cache using different selection criteria.
•Use this command without any arguments or keywords to refresh all ARP cache entries for all enabled interfaces.
•To refresh ARP cache entries for a specific interface, use this command with the interface keyword and type and number arguments.
Tip The valid interface types and numbers can vary according to the router and the interfaces on the router. To list all the interfaces configured on a particular router, use theshow interfaces command with the summary keyword. Use the appropriate interface specification, typed exactly as it is displayed under the Interface column of the show interfaces command output, to replace the type and number arguments in the clear arp-cache interface command.
•To refresh ARP cache entries from the global VRF and for a specific host, use this command with the ip-address argument.
•To refresh ARP cache entries from a named VRF and for a specific host, use this command with the vrf keyword and the vrf-name and ip-address arguments.
To display ARP table entries, use the show arp command.
This command does not affect permanent entries in the ARP cache, and it does not affect the ARP HA statistics.
•To remove static ARP entries from the ARP cache, use the no form of the arp command.
•To remove alias ARP entries from the ARP cache use the no form of the arp command with the alias keyword.
•To reset the ARP HA status and statistics, use the clear arp-cache counters ha command.
Examples
The following example shows how to refresh all dynamically learned ARP cache entries for all enabled interfaces:
Router# clear arp-cache
The following example shows how to refresh dynamically learned ARP cache entries for the Ethernet interface at slot 1, port 2:
Router# clear arp-cache interface ethernet1/2
The following example shows how to refresh dynamically learned ARP cache entries for the host at 192.0.2.140:
Router# clear arp-cache 192.0.2.140
The following example shows how to refresh dynamically learned ARP cache entries from the VRF named vpn3 and for the host at 192.0.2.151:
Router# clear arp-cache vrf vpn3 192.0.2.151
Related Commands
clear arp-cache counters ha
To reset the Address Resolution Protocol (ARP) high availability (HA) statistics, use the clear arp-cache counters ha command in privileged EXEC mode.
clear arp-cache counters ha
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the clear arp-cache counters ha command to reset all ARP high availability statistics for all enabled interfaces.
To display the ARP HA status and statistics, use the show arp ha command.
Note The clear arp-cache counters ha command and the show arp ha command are available only on HA-capable platforms (that is, Cisco networking devices that support dual Route Processors [RPs]).
Examples
The following example shows how to reset the ARP HA statistics:
Router# clear arp-cache counters ha
Related Commands
Command | Description |
|---|---|
clear arp-cache | Refreshes dynamically learned entries in the ARP cache. |
show arp ha | Displays the ARP HA status and statistics. |
clear arp interface
To clear the entire Address Resolution Protocol (ARP) cache on an interface, use the clear arp interface command in privileged or user EXEC mode.
clear arp interface type number
Syntax Description
Defaults
No default behavior or values.
Command Modes
Privileged or User EXEC
Command History
Usage Guidelines
Use the clear arp interface command to clean up ARP entries associated with an interface.
Examples
The following example clears the ARP cache from Ethernet interface 0:
Router# clear arp interface ethernet 0
clear ip arp inspection log
To clear the status of the log buffer, use the clear ip arp inspection log command in privileged EXEC mode.
clear ip arp inspection log
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
|---|---|
12.2(18)SXE | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Examples
This example shows how to clear the contents of the log buffer:
Router# clear ip arp inspection log
Related Commands
clear ip arp inspection statistics
To clear the dynamic ARP inspection statistics, use the clear ip arp inspection statistics command in privileged EXEC mode.
clear ip arp inspection statistics [vlan vlan-range]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
|---|---|
12.2(18)SXE | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Examples
This example shows how to clear the DAI statistics from VLAN 1:
Router# clear ip arp inspection statistics vlan 1
Related Commands
ip arp entry learn
To specify the maximum number of learned Address Resolution Protocol (ARP) entries, use the ip arp entry learn command in global configuration mode. To return to the default settings, use the no form of this command.
ip arp entry learn max-limit
no ip arp entry learn max-limit
Syntax Description
Command Default
No maximum number of learned ARP entries is defined.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The ip arp entry learn command is available on the Cisco 7600 series routers, which can support a maximum limit of learned ARP entries of 256,000. If a memory card is installed on the router the maximum limit is extended to 512,000.
When the number of ARP entries that can be created by the system is not limited, memory exhaustion can cause system instability. The ip arp entry learn command overcomes this problem by defining a maximum number of learned ARP entries.
The limit is not enforced on nonlearned entries. Upon reaching the learn ARP entry threshold limit, or 80 percent of the configured maximum limit, the system will generate a syslog message with a priority set to Level 3 (LOG_NOTICE). Upon reaching the configured maximum limit, the system starts discarding newly learned ARP entries and generates a syslog message. The priority will be set to Level 3 (LOG_NOTICE). The system administrator will have to take appropriate action.
A syslog message is also generated when the number of learned ARP entries in the ARP table decreases from the maximum configured limit to the permit threshold limit, or 95 percent of the maximum configured limit to notify the system administrator that the ARP table is back to normal operation.
The default behavior of the system is not to enforce a maximum limit of learned ARP entries on the system.
When a user tries to configure a maximum limit value for the number of ARP entries that is lower than the current number of ARP entries in the system, the configuration will be rejected with an error message.
The following example configures a maximum limit of the number of learned ARP entries of 512,000:
Router# configure terminal
Router(config)# ip arp entry learn 512000
Related Commands
ip arp gratuitous
To enable the gratuitous Address Resolution Protocol (ARP) control on the router, use the ip arp gratuitous command in global configuration mode. To disable the ARP control, use the no form of this command.
ip arp gratuitous {local | none}
no ip arp gratuitous
Syntax Description
Command Default
Gratuitous ARP control is enabled.
Command Modes
Global configuration (config)
Command History
Examples
The following example shows how to enable the gratuitous ARP control to accept only local (same subnet) gratuitous arp control:
Router> enable
Router# configure terminal
Router(config)# ip arp gratuitous local
Related Commands
ip arp incomplete
To rectify the Address Resolution Protocol (ARP) retry parameters, use the ip arp incomplete command in global configuration mode. To disable the correction of the retry parameters, use the no form of this command.
ip arp incomplete {entries number-of-IP-addresses | retry number-of-times}
no ip arp incomplete {entries | retry}
Syntax Description
Command Modes
Global configuration (config)
Command History
Release | Modification |
|---|---|
15.0(1)M | This command was introduced in a release earlier than Cisco IOS Release 15.0(1)M. |
Usage Guidelines
An incomplete ARP entry is learned through an ARP request but has not yet been completed with the MAC address of the external host.
Examples
The following example shows how to limit the number of unresolved addresses:
Router> enable
Router# configure terminal
Router(config)# ip arp incomplete entries 100
Related Commands
ip arp inspection filter vlan
To permit ARPs from hosts that are configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command in global configuration mode. To disable this application, use the no form of this command.
ip arp inspection filter arp-acl-name vlan vlan-range [static]
no ip arp inspection filter arp-acl-name vlan vlan-range [static]
Syntax Description
Defaults
No defined ARP ACLs are applied to any VLAN.
Command Modes
Global configuration
Command History
Release | Modification |
|---|---|
12.2(18)SXE | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
For vlan-range, you can specify the VLAN to which the switches and hosts belong. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma.
When an ARP access control list is applied to a VLAN for dynamic ARP inspection, the ARP packets containing only the IP-to-Ethernet MAC bindings are compared against the ACLs. All other packet types are bridged in the incoming VLAN without validation.
This command specifies that the incoming ARP packets are compared against the ARP access control list, and the packets are permitted only if the access control list permits them.
If the access control lists deny the packets because of explicit denies, the packets are dropped. If the packets are denied because of an implicit deny, they are then matched against the list of DHCP bindings if the ACL is not applied statically.
If you do not specify the static keyword, it means that there is no explicit deny in the ACL that denies the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL.
Examples
This example shows how to apply the ARP ACL static-hosts to VLAN 1 for DAI:
Router(config)# ip arp inspection filter static-hosts vlan 1
Related Commands
ip arp inspection limit (interface configuration)
To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from consuming all of the system's resources in the event of a DoS attack, use the ip arp inspection limit command in interface configuration mode. To return to the default settings, use the no form of this command.
ip arp inspection limit rate pps [burst interval seconds | none]
no ip arp inspection limit
Syntax Description
Defaults
The default settings are as follows:
•The rate pps is set to 15 packets per second on the untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.
•The rate is unlimited on all the trusted interfaces.
•The burst interval seconds is set to 1 second.
Command Modes
Interface configuration
Command History
Release | Modification |
|---|---|
12.2(18)SXE | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
You should configure the trunk ports with higher rates to reflect their aggregation. When the rate of the incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state. You can use the error-disable timeout feature to remove the port from the error-disabled state. The rate applies to both the trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle the packets across multiple DAI-enabled VLANs, or use the none keyword to make the rate unlimited.
The rate of the incoming ARP packets on the channel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for the channel ports only after examining the rate of the incoming ARP packets on the channel members.
After a switch receives more than the configured rate of packets every second consecutively over a period of burst seconds, the interface is placed into an error-disabled state.
Examples
This example shows how to limit the rate of the incoming ARP requests to 25 packets per second:
Router# configur terminal
Router(config)# interface fa6/3
Router(config-if)# ip arp inspection limit rate 25
This example shows how to limit the rate of the incoming ARP requests to 20 packets per second and to set the interface monitoring interval to 5 consecutive seconds:
Router# configure terminal
Router(config)# interface fa6/1
Router(config-if)# ip arp inspection limit rate 20 burst interval 5
Related Commands
ip arp inspection log-buffer
To configure the parameters that are associated with the logging buffer, use the ip arp inspection log-buffer command in global configuration mode. To disable the parameters, use the no form of this command.
ip arp inspection log-buffer {entries number | logs number interval seconds}
no ip arp inspection log-buffer {entries | logs}
Syntax Description
Defaults
The default settings are as follows:
•When dynamic ARP inspection is enabled, denied, or dropped, the ARP packets are logged.
•The entries number is 32.
•The logs number is 5 per second.
•The interval seconds is 1 second.
Command Modes
Global configuration
Command History
Release | Modification |
|---|---|
12.2(18)SXE | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
A 0 value for the logs number indicates that the entries should not be logged out of this buffer.
A 0 value for the interval seconds keyword and argument indicates an immediate log.
You cannot enter a 0 for both the logs number and the interval seconds keywords and arguments.
The first dropped packet of a given flow is logged immediately. The subsequent packets for the same flow are registered but are not logged immediately. Registration for these packets occurs in a log buffer that is shared by all the VLANs. Entries from this buffer are logged on a rate-controlled basis.
Examples
This example shows how to configure the logging buffer to hold up to 45 entries:
Router# configure terminal
Router(config)# ip arp inspection log-buffer entries 45
This example shows how to configure the logging rate for 10 logs per 3 seconds:
Router(config)# ip arp inspection log-buffer logs 10 interval 3
Related Commands
ip arp inspection trust
To set a per-port configurable trust state that determines the set of interfaces where incoming ARP packets are inspected, use the ip arp inspection trust command in interface configuration mode. To make the interfaces untrusted, use the no form of this command.
ip arp inspection trust
no ip arp inspection trust
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Interface configuration
Command History
Release | Modification |
|---|---|
12.2(18)SXE | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Examples
This example shows how to configure an interface to be trusted:
Router# configure terminal
Router(config)# interface fastEthernet 6/3
Router(config-if)# ip arp inspection trust
Related Commands
ip arp inspection validate
To perform specific checks for ARP inspection, use the ip arp inspection validate command in global configuration mode. To disable ARP inspection checks, use the no form of this command.
ip arp inspection validate [src-mac] [dst-mac] [ip]
no ip arp inspection validate [src-mac] [dst-mac] [ip]
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification |
|---|---|
12.2(18)SXE | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
The sender IP addresses are checked in all ARP requests and responses and target IP addresses are checked only in ARP responses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
The src-mac checks are issued against both ARP requests and responses. The dst-mac checks are issued for ARP responses.
Note When enabled, packets with different MAC addresses are classified as invalid and are dropped.
When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the command line. Each command overrides the configuration of the previous command. If a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.
The no form of this command disables only the specified checks. If no check options are enabled, all the checks are disabled.
Examples
This example shows how to enable the source MAC validation:
Router(config)# ip arp inspection validate src-mac
Related Commands
ip arp inspection vlan
To enable DAI on a per-VLAN basis, use the ip arp inspection vlan command in global configuration mode. To disable DAI, use the no form of this command.
ip arp inspection vlan vlan-range
no ip arp inspection vlan vlan-range
Syntax Description
Defaults
ARP inspection is disabled on all VLANs.
Command Modes
Global configuration
Command History
Release | Modification |
|---|---|
12.2(18)SXE | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
For vlan-range, you can specify a single VLAN identified by a VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma.
You must specify on which VLANs to enable DAI. DAI may not function on the configured VLANs if the VLAN has not been created or is a private VLAN.
Examples
This example shows how to enable DAI on VLAN 1:
Router(config)# ip arp inspection vlan 1
Related Commands
ip arp inspection vlan logging
To control the type of packets that are logged, use the ip arp inspection vlan logging command in global configuration mode. To disable this logging control, use the no form of this command.
ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {permit | all | none}}
no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings}
Syntax Description
Defaults
All denied or dropped packets are logged.
Command Modes
Global configuration
Command History
Release | Modification |
|---|---|
12.2(18)SXE | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
By default, the matchlog keyword is not available on the ACEs. When you enter the matchlog keyword, denied packets are not logged. Packets are logged only when they match against an ACE that has the matchlog keyword.
The acl-match and dhcp-bindings keywords merge with each other. When you set an ACL match configuration, the DHCP bindings configuration is not disabled. You can use the noform of this command to reset some of the logging criteria to their defaults. If you do not specify either option, all the logging types are reset to log on when the ARP packets are denied. The two options that are available are as follows:
•acl-match—Logging on ACL matches is reset to log on deny.
•dhcp-bindings—Logging on DHCP bindings is reset to log on deny.
Examples
This example shows how to configure an ARP inspection on VLAN 1 to add packets to a log that matches the ACLs:
Router(config)# ip arp inspection vlan 1 logging acl-match matchlog
Related Commands
ip arp proxy disable
To globally disable proxy Address Resolution Protocol (ARP), use the ip arp proxy disable command in global configuration mode. To reenable proxy ARP, use the no form of this command.
ip arp proxy disable
no ip arp proxy disable
Syntax Description
This command has no arguments or keywords.
Command Default
Proxy ARP is enabled.
Command Modes
Global configuration
Command History
Release | Modification |
|---|---|
12.2 S | This command was introduced. |
12.3(11)T | This command was integrated into 12.3(11)T. |
12.2 (18)SXE | This command was integrated into 12.2(18)SXE. |
Usage Guidelines
The ip arp proxy disable command overrides any proxy ARP interface configuration. The default ip arp proxy command returns proxy ARP to the default behavior, which is enabled.
Examples
The following example disables proxy ARP:
ip arp proxy disable
The following example enables proxy ARP:
no ip arp proxy disable
Related Commands
ip gratuitous-arps
To enable the transmission of gratuitous Address Resolution Protocol (ARP) messages for an address in an address pool if the transmission has been disabled, use the ip gratuitous-arps command in global configuration mode. To disable the transmission, use the no form of this command.
ip gratuitous-arps [non-local]
no ip gratuitous-arps
Syntax Description
Command Default
Gratuitous ARP messages are not sent out when the client receives the address from the local address pool.
Command Modes
Global configuration
Command History
Usage Guidelines
A Cisco router will send out a gratuitous ARP message out of all interfaces when a client connects and negotiates an address over a PPP connection. However, by default, gratuitous ARP messages are not sent out when the client receives the address from the local address pool. The ip gratuitous-arps non-local command option is the default form and is not saved in the running configuration.
Cisco 10000 Series Router
To maximize the performance of the router, disable gratuitous ARP requests using the no ip gratuitous-arps command.
Examples
The following example enables the sending of gratuitous ARP messages if the transmission has been disabled:
ip gratuitous-arps
ip local-proxy-arp
To enable the local proxy Address Resolution Protocol (ARP) feature, use the ip local-proxy-arp command in interface configuration mode. To disable this feature, use the no form of this command.
ip local-proxy-arp
no ip local-proxy-arp
Syntax Description
This command has no arguments or keywords.
Defaults
This command is not enabled by default.
Command Modes
Interface configuration
Command History
Usage Guidelines
The local proxy ARP feature allows the Multilayer Switching Feature Card (MSFC) to respond to ARP requests for IP addresses within a subnet where normally no routing is required. With the local proxy ARP feature enabled, the MSFC responds to all ARP requests for IP addresses within the subnet and forwards all traffic between hosts in the subnet. Use this feature only on subnets where hosts are intentionally prevented from communicating directly to the Catalyst 6500 series switch on which they are connected.
Before the local proxy ARP feature can be used, the IP proxy ARP feature must be enabled. The IP proxy ARP feature is enabled by default.
Internet Control Message Protocol (ICMP) redirects are disabled on interfaces where the local proxy ARP feature is enabled.
Examples
The following example shows how to enable the local proxy ARP feature:
ip local-proxy-arp
ip proxy-arp
To enable proxy Address Resolution Protocol (ARP) on an interface, use the ip proxy-arp command in interface configuration mode. To disable proxy ARP on the interface, use the noform of this command.
ip proxy-arp
no ip proxy-arp
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Interface configuration
Command History
Usage Guidelines
The ip arp proxy disable command overrides any proxy ARP interface configuration.
Examples
The following example enables proxy ARP on Ethernet interface 0:
interface ethernet 0
ip proxy-arp
Related Commands
ip sticky-arp (global configuration)
To enable sticky ARP, use the ip sticky-arp command in global configuration mode. To disable sticky ARP, use the no form of this command.
ip sticky-arp
no ip sticky-arp
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration
Command History
Usage Guidelines
In releases prior to Release 12.2(18)SXF, sticky ARP was supported on PVLAN interfaces only.
You can enter the ip sticky-arp (interface configuration) command to disable sticky ARP on a specific interface.
ARP entries that are learned on Layer 3 interfaces are sticky ARP entries. We recommend that you display and verify ARP entries on the Layer 3 interface using the show arp command.
For security reasons, sticky ARP entries on the Layer 3 interface do not age out. Connecting new equipment with the same IP address generates a message and the ARP entry is not created.
Because the ARP entries on the Layer 3 interface do not age out, you must manually remove ARP entries on the Layer 3 interface if a MAC address changes.
Unlike static entries, sticky-ARP entries are not stored and restored when you enter the reboot and restart commands.
Examples
This example shows how to enable sticky ARP:
Router(config) ip sticky-arp
This example shows how to disable sticky ARP:
Router(config) no ip sticky-arp
Related Commands
Command | Description |
|---|---|
arp | Enables ARP entries for static routing over the SMDS network. |
ip sticky-arp (interface configuration) | Enables sticky ARP on an interface. |
show arp | Displays the ARP table. |
ip sticky-arp (interface configuration)
To enable sticky ARP on an interface, use the ip sticky-arp command in interface configuration mode. To disable sticky ARP on an interface, use the no form of this command.
ip sticky-arp [ignore]
no ip sticky-arp [ignore]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Interface configuration
Command History
Release | Modification |
|---|---|
12.2(18)SXF | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
You can enter this command on any Layer 3 interface.
You can enter the ip sticky-arp ignore command to overwrite the PVLAN sticky-ARP global configuration on a specific interface.
Examples
This example shows how to enable sticky ARP on an interface:
Router(config-if) ip sticky-arp
This example shows how to remove the previously configured command on an interface:
Router(config-if) no ip sticky-arp
This example shows how to disable sticky ARP on an interface:
Router(config-if) ip sticky-arp ignore
Related Commands
Command | Description |
|---|---|
arp | Enables ARP entries for static routing over the SMDS network. |
ip sticky-arp (global configuration) | Enables sticky ARP. |
show arp | Displays the ARP table. |
logging server-arp
To enable the sending of Address Resolution Protocol (ARP) requests for syslog server address during system initialization bootup, use the logging server-arp command in global configuration mode. To disable the sending of ARP requests for syslog server addresses, use the no form of this command.
logging server-arp
no logging server-arp
Syntax Description
This command has no arguments or keywords.
Command Default
This command is disabled by default.
Command Modes
Global configuration.
Command History
Release | Modification |
|---|---|
12.3 | This command was introduced. |
12.3(4)T | This command was integrated into Cisco IOS Release 12.3(4)T. |
12.3(5)B | This command was integrated into Cisco IOS Release 12.3(5)B. |
Usage Guidelines
The logging server-arp global configuration command allows the sending of ARP requests for syslog server addresses during system initialization bootup.
When this CLI command is configured and saved to the startup configuration file, the system will send an ARP request for remote syslog server address before sending out the first syslog message.
The command should only be used when the remote syslog server is in the same subnet as the system router sending the ARP request.
Note Use this command even if a static ARP has been configured with the remote syslog server address.
Examples
The following example shows how to enable an ARP request for syslog server addresses:
Router# configure terminal
Router(config)# logging server-arp
Router(config)# exit
The following example shows how to disable an ARP request for syslog server addresses:
Router# configure terminal
Router(config)# no logging server-arp
Router(config)# exit
Related Commands
Command | Description |
|---|---|
arp (global) | Adds a permanent entry in the Address Resolution Protocol (ARP) cache, use the arp command in global configuration mode. |
no ip gratuitous-arps
To disable the transmission of gratuitous Address Resolution Protocol (ARP) messages for an address in a local pool, use the no ip gratuitous-arps command in global configuration mode.
no ip gratuitous-arps
Syntax Description
This command has no keywords or arguments.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
A Cisco router will send out a gratuitous ARP message when a client connects and negotiates an address over a PPP connection. This transmission occurs even when the client receives the address from a local address pool.
Examples
The following example disables gratuitous arp messages from being sent:
no ip gratuitous-arps
show arp
To display the entries in the Address Resolution Protocol (ARP) table, use the show arp command in user EXEC or privileged EXEC mode.
show arp [[vrf vrf-name] [[arp-mode] [[ip-address [mask]] [interface-type interface-number]]]]
[detail]
Syntax Description
Command Modes
User EXEC
Privileged EXEC
Command History
Usage Guidelines
To display all entries in the ARP cache, use this command without any arguments or keywords.
Entry Selection Options
You can to limit the scope of the command output by applying various combinations of the following ARP entry selection criteria:
•Entries under a specific VRF
•Entries in a specific ARP mode
•Entries for a specific host or entries for a specific network
•Entries associated with a specific router interface
Tip The valid interface types and numbers can vary according to the router and the interfaces on the router. To list all the interfaces configured on a particular router, use theshow interfaces command with the summary keyword. Use the appropriate interface specification, typed exactly as it is displayed under the Interface column of the show interfaces command output, to replace the interface-type and interface-number arguments in the show arp command.
Detailed Output Format
To include additional details about each ARP entry displayed, use this command with the detail keyword. When this display option is used, the following additional information is included:
•Mode-specific details (such as entry update time)
•Subblocks (if any)
ARP Adjacency Notification
If Cisco Express Forwarding (CEF) is enabled on the router, the router maintains forwarding information (outbound interface and MAC header rewrite) for adjacent nodes. A node is said to be adjacent to another node if the node can be reached with a single hop across a link layer (Layer 2). CEF stores the forwarding information in an adjacency database so that Layer 2 addressing information can be inserted into link-layer headers attached to the ARP packets.
•To verify that IPv4 CEF is running, use the show ip cef command.
•To verify that an adjacency exists for a connected device, that the adjacency is valid, and that the MAC header rewrite string is correct, use the show adjacency command.
The ARP table information is one of the sources for CEF adjacency. Whenever the ARP subsystem attaches an ARP table entry to an outbound interface with a valid hardware address, the subsystem issues an internal "ARP adjacency" notification. The notification causes an ARP background process to synchronize that ARP entry with CEF adjacency via the adjacency database. If the synchronization succeeds, IP ARP adjacency is said to be "installed"; if the synchronization fails, IP ARP adjacency is said to have been "withdrawn."
Note Attachment to an outbound interface occurs only for ARP entries in the following modes: alias, dynamic, static, Application Simple, and Application Timer.
To display detailed information about any ARP adjacency notification that may have occurred, use the show arp command with the detail keyword. You can use this information to supplement the information available through ARP/CEF adjacency debug trace. To enable debug trace for ARP/CEF adjacency interactions, use the debug arp command with theadjacency keyword.
ARP Cache Administration
To refresh all entries for the specified interface (or all interfaces) or to refresh all entries of the specified address (or all addresses) in the specified VRF table (or in the global VRF table), use the clear arp-cache command.
To enable debugging output for ARP transactions, use the debug arp command.
Examples
The following is sample output from the show arp command with no optional keywords or arguments specified:
Router# show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.0.2.112 120 0000.a710.4baf ARPA Ethernet3
AppleTalk 4028.5 29 0000.0c01.0e56 SNAP Ethernet2
Internet 192.0.2.114 105 0000.a710.859b ARPA Ethernet3
AppleTalk 4028.9 - 0000.0c02.a03c SNAP Ethernet2
Internet 192.0.2.121 42 0000.a710.68cd ARPA Ethernet3
Internet 192.0.2.9 - 0000.3080.6fd4 SNAP TokenRing0
AppleTalk 4036.9 - 0000.3080.6fd4 SNAP TokenRing0
Internet 192.0.2.9 - 0000.0c01.7bbd SNAP Fddi0
Table 8 describes the fields shown in the display.
When this command is used to display dynamic ARP entries, the display information includes the time of the last update and the amount of time before the next scheduled refresh is to occur. The following is sample output from the show arp command for the dynamic ARP entry at network address 192.0.2.1:
Router# show arp 192.0.2.1 detail
ARP entry for 192.0.2.1, link type IP.
Alias, last updated 13323 minutes ago.
Encap type is ARPA, hardware address is 1234.1234.1234, 6 bytes long.
ARP subblocks:
* Static ARP Subblock
Floating entry.
Entry is complete, attached to GigabitEthernet1/1.
* IP ARP Adjacency
Adjacency (for 192.0.2.1 on GigabitEthernet1/1) was installed.
When this command is used to display floating static ARP entries, the display information includes the associated interface, if any.The following is sample output from the show arpcommand for the floating static ARP entry at network address 192.0.2.2 whose intended interface is down:
Router# show arp 192.0.2.2 detail
ARP entry for 192.0.2.2, link type IP.
Alias, last updated 13327 minutes ago.
Encap type is ARPA, hardware address is 1234.1234.1234, 6 bytes long.
ARP subblocks:
* Static ARP Subblock
Floating entry.
Entry is incomplete.
* IP ARP Adjacency
Adjacency (for 192.0.2.2 on GigabitEthernet1/1) was withdrawn.
The following is sample detailed output from the show arp command for the Application Alias ARP entry at network address 192.0.2.3:
Router# show arp 192.0.2.3 detail
ARP entry for 192.0.2.3, link type IP.
Application Alias, via Ethernet2/2, last updated 0 minute ago.
Created by "HSRP".
Encap type is ARPA, hardware address is 0000.0c07.ac02, 6 bytes long.
ARP subblocks:
* Application Alias ARP Subblock
* HSRP
ARP Application entry for application HSRP.
The following is sample detailed output from the show arp command for all dynamic ARP entries:
Router# show arp dynamic detail
ARP entry for 192.0.2.4, link type IP.
Dynamic, via Ethernet2/1, last updated 0 minute ago.
Encap type is ARPA, hardware address is 0000.0000.0014, 6 bytes long.
ARP subblocks:
* Dynamic ARP Subblock
Entry will be refreshed in 0 minute and 1 second.
It has 1 chance to be refreshed before it is purged.
Entry is complete.
* IP ARP Adjacency
Adjacency (for 192.0.2.4 on Ethernet2/1) was installed.
Related Commands
show arp application
To display Address Resolution Protocol (ARP) table information for a specific ARP application or for all applications supported by ARP and running on registered clients, use the show arp application command in user EXEC or privileged EXEC mode.
show arp application [application-id] [detail]
Syntax Description
Command Modes
User EXEC
Privileged EXEC
Command History
Usage Guidelines
To display ARP table information about all supported ARP applications running on registered clients, use this command without any arguments or keywords.
Entry Selection Options
To display ARP table information about a single ARP application running on a registered client, use this command with the application-ID argument.
Detailed Output Format
To display the specified ARP table information along with detailed information about any subblocks, use this command with the detail keyword. The additional details consist of the following information:
•IP address or network
•ARP table entry type (dynamic, interface, static, or alias) or ARP application mode (Simple Application or Application Alias)
•Associated interface
•Brief description of the subblock data
Examples
The following is sample output from the show arp application command:
Router# show arp application
Number of clients registered: 7
Application ID Num of Subblocks
ARP Backup 200 1
IP SIP 201 0
LEC 202 0
DHCPD 203 0
IP Mobility 204 0
HSRP 209 1
IP ARP Adjacency 212 2
The following is sample detailed output from the show arp application detail command:
Router# show arp application detail
Number of clients registered: 7
Application ID Num of Subblocks
ARP Backup 200 1
ARP entry for 192.0.2.10, link type IP.
Application Alias, via Ethernet2/2.
Subblock data:
Backup for Interface on Ethernet2/2
Application ID Num of Subblocks
IP SIP 201 0
Application ID Num of Subblocks
LEC 202 0
Application ID Num of Subblocks
DHCPD 203 0
Application ID Num of Subblocks
IP Mobility 204 0
Application ID Num of Subblocks
HSRP 209 1
ARP entry for 192.0.2.10, link type IP.
Application Alias, via Ethernet2/2.
Subblock data:
ARP Application entry for application HSRP.
Application ID Num of Subblocks
IP ARP Adjacency 212 2
ARP entry for 192.0.2.4, link type IP.
Dynamic, via Ethernet2/1.
Subblock data:
Adjacency (for 192.0.2.4 on Ethernet2/1) was installed.
ARP entry for 192.0.2.2, link type IP.
Dynamic, via Ethernet2/1.
Subblock data:
Adjacency (for 192.0.2.2 on Ethernet2/1) was installed.
Table 9 describes the significant fields shown in the display.
Field | Description |
|---|---|
Application | ARP application name |
ID | ARP application ID number |
Num of Subblocks | Number of subblocks attached |
Related Commands
show arp ha
To display the status and statistics of Address Resolution Protocol (ARP) high availability (HA), use the show arp ha command in user EXEC or privileged EXEC mode.
show arp ha
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC
Privileged EXEC
Command History
Usage Guidelines
Use this command to display the ARP HA status and statistics.
HA-Capable Platforms
This command is available only on HA-capable platforms (that is, Cisco networking devices that support dual Route Processors [RPs]).
ARP HA Statistics
The ARP HA process collects one set of statistics for the active RP (described in Table 10) and a different set of statistics for the standby RP (described in Table 11). These statistics can be used to track the RP state transitions when debugging ARP HA issues.
The output from this command depends on the current and most recent states of the RP:
•For the active RP that has been the active RP since the last time the router was rebooted, this command displays the HA statistics for the active RP.
•For the active RP that had been a standby RP and became the active RP after the most recent stateful switchover (SSO) occurred, this command displays the HA statistics for the active RP plus the HA statistics collected when the RP was a standby RP.
•For a standby RP, this command displays the HA statistics for a standby RP.
Examples
The following is sample output from the show arp ha command on the active RP that has been the active RP since the last time the router was rebooted. ARP HA statistics are displayed for the active state only.
Router# show arp ha
ARP HA in active state (ARP_HA_ST_A_UP_SYNC).
2 ARP entries in the synchronization queue.
No ARP entry waiting to be synchronized.
806 synchronization packets sent.
No error in allocating synchronization packets.
No error in sending synchronization packets.
No error in encoding interface names.
The following is sample output from the show arp ha command on the active RP that had been a standby RP and became the active RP after the most recent stateful switchover (SSO) occurred. ARP HA statistics are displayed for the active state and also for the previous standby state.
Router# show arp ha
ARP HA in active state (ARP_HA_ST_A_UP).
1 ARP entry in the synchronization queue.
1 ARP entry waiting to be synchronized.
No synchronization packet sent.
No error in allocating synchronization packets.
No error in sending synchronization packets.
No error in encoding interface names.
Statistics collected when ARP HA in standby state:
No ARP entry in the backup table.
808 synchronization packets processed.
No synchronization packet dropped in invalid state.
No error in decoding interface names.
2 ARP entries restored before timer.
No ARP entry restored on timer.
No ARP entry purged since interface is down.
No ARP entry purged on timer.
The following is sample output from the show arp ha command on the standby RP. ARP HA statistics are displayed for the standby state only.
Router# show arp ha
ARP HA in standby state (ARP_HA_ST_S_UP).
2 ARP entries in the backup table.
806 synchronization packets processed.
No synchronization packet dropped in invalid state.
No error in decoding interface names.
Table 10 describes the significant fields shown in the display collected for an active RP.
Table 11 describes the significant fields shown in the display collected for a standby RP or for an active RP that was previously in the active state.
Related Commands
show arp summary
To display the total number of Address Resolution Protocol (ARP) table entries, the number of ARP table entries for each ARP entry mode, and the number of ARP table entries for each interface on the router, use the show arp summary command in user EXEC or privileged EXEC mode.
show arp summary
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC
Privileged EXEC
Command History
Usage Guidelines
Use this command to display high-level statistics about the ARP table entries:
•Total number of ARP table entries
•Number of ARP table entries for each ARP mode
•Number of ARP table entries for each router interface
A maximum limit for learned ARP entries can be configured on the Cisco 7600 platform in Cisco IOS Release 12.2(33)SRD3. This is subject to memory constraints. The 7600 can support a maximum limit of 256,000 learned ARP entries, and if a memory card is installed on the router the maximum limit is extended to 512,000.
Examples
The following is sample output from the show arp summary command:
Note In this example the maximum limit for the number of learned ARP entries has not been configured.
Router# show arp summary
Total number of entries in the ARP table: 10.
Total number of Dynamic ARP entries: 4.
Total number of Incomplete ARP entries: 0.
Total number of Interface ARP entries: 4.
Total number of Static ARP entries: 2.
Total number of Alias ARP entries: 0.
Total number of Simple Application ARP entries: 0.
Total number of Application Alias ARP entries: 0.
Total number of Application Timer ARP entries: 0.
Interface Entry Count
Ethernet3/2 1
The following is sample output from the show arp summary command on a Cisco 7600 router for Cisco IOS Release 12.2(33)SRD3, after a maximum limit is set for the number of learned ARP entries:
Router> enable
Router# configure terminal
Router(config)# ip arp entry learn 512000
Router(config)# exit
Router# show arp summary
Total number of entries in the ARP table: 4.
Total number of Dynamic ARP entries: 0.
Total number of Incomplete ARP entries: 0.
Total number of Interface ARP entries: 3.
Total number of Static ARP entries: 1.
Total number of Alias ARP entries: 0.
Total number of Simple Application ARP entries: 0.
Total number of Application Alias ARP entries: 0.
Total number of Application Timer ARP entries: 0.
Maximum limit of Learn ARP entry : 512000.
Maximum configured Learn ARP entry limit : 512000.
Learn ARP Entry Threshold is 409600 and Permit Threshold is 486400.
Total number of Learn ARP entries: 0.
Interface Entry Count
GigabitEthernet4/7 1
GigabitEthernet4/1.1 1
GigabitEthernet4/1 1
EOBC0/0
Table 12describes the fields shown in the display.
Related Commands
show ip arp
To display the Address Resolution Protocol (ARP) cache, where Serial Line Internet Protocol (SLIP) addresses appear as permanent ARP table entries, use the show ip arp EXEC command.
show ip arp [ip-address] [host-name] [mac-address] [interface type number]
Syntax Description
Command Modes
EXEC
Command History
Release | Modification |
|---|---|
9.0 | This command was introduced. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
ARP establishes correspondences between network addresses (an IP address, for example) and LAN hardware addresses (Ethernet addresses). A record of each correspondence is kept in a cache for a predetermined amount of time and then discarded.
Examples
The following is sample output from the show ip arp command:
Router# show ip arp
Protocol Address Age(min) Hardware Addr Type Interface
Internet 172.16.233.229 - 0000.0c59.f892 ARPA Ethernet0/0
Internet 172.16.233.218 - 0000.0c07.ac00 ARPA Ethernet0/0
Internet 172.16.233.19 - 0000.0c63.1300 ARPA Ethernet0/0
Internet 172.16.233.309 - 0000.0c36.6965 ARPA Ethernet0/0
Internet 172.16.168.11 - 0000.0c63.1300 ARPA Ethernet0/0
Internet 172.16.168.254 9 0000.0c36.6965 ARPA Ethernet0/0
Table 13 describes the significant fields shown in the display.
show ip arp inspection
To display the status of DAI for a specific range of VLANs, use the show ip arp inspection command in privileged EXEC mode.
show ip arp inspection [ interfaces [interface-name] | statistics [vlan vlan-range] ]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
|---|---|
12.2(18)SXE | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
If you do not enter the statistics keyword, the configuration and operating state of DAI for the selected range of VLANs is displayed.
If you do not specify the interface name, the trust state and rate limit for all applicable interfaces in the system are displayed.
Examples
This example shows how to display the statistics of packets that have been processed by DAI for
VLAN 3:
Router# show ip arp inspection statistics vlan 3
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ----------
3 31753 102407 102407 0
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
3 31753 0 0
Vlan Dest MAC Failures IP Validation Failures
---- ----------------- ----------------------
3 0 0
This example shows how to display the statistics of packets that have been processed by DAI for all active VLANs:
Router# show ip arp inspection statistics
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ----------
1 0 0 0 0
2 0 0 0 0
3 68322 220356 220356 0
4 0 0 0 0
100 0 0 0 0
101 0 0 0 0
1006 0 0 0 0
1007 0 0 0 0
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
1 0 0 0
2 0 0 0
3 68322 0 0
4 0 0 0
100 0 0 0
101 0 0 0
1006 0 0 0
1007 0 0 0
Vlan Dest MAC Failures IP Validation Failures
---- ----------------- ----------------------
1 0 0
2 0 0
3 0 0
4 0 0
100 0 0
101 0 0
1006 0 0
1007 0 0
This example shows how to display the configuration and operating state of DAI for VLAN 1:
Router# show ip arp inspection vlan 1
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
1 Enabled Active
Vlan ACL Logging DHCP Logging
---- ----------- ------------
1 Deny Deny
This example shows how to display the trust state of Fast Ethernet interface 6/3:
Router# show ip arp inspection interfaces fastEthernet 6/3
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Fa6/1 Untrusted 20 5
This example shows how to display the trust state of the interfaces on the switch:
Router# show ip arp inspection interfaces
Interface Trust State Rate (pps)
--------------- ----------- ----------
Gi1/1 Untrusted 15
Gi1/2 Untrusted 15
Gi3/1 Untrusted 15
Gi3/2 Untrusted 15
Fa3/3 Trusted None
Fa3/4 Untrusted 15
Fa3/5 Untrusted 15
Fa3/6 Untrusted 15
Fa3/7 Untrusted 15
Related Commands
show ip arp inspection log
To show the status of the log buffer, use the show ip arp inspection log command in privileged EXEC mode.
show ip arp inspection log
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
|---|---|
12.2(18)SXE | Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Examples
This example shows how to display the current contents of the log buffer before and after the buffers are cleared:
Router# show ip arp inspection log
Total Log Buffer Size : 10
Syslog rate : 0 entries per 10 seconds.
Interface Vlan Sender MAC Sender IP Num of Pkts
--------------- ----- ----------------- --------------- -----------
Fa6/3 1 0002.0002.0002 10.1.1.2 1(12:02:52 UTC Fri Apr 25 2003)
Fa6/3 1 0002.0002.0002 10.1.1.3 1(12:02:52 UTC Fri Apr 25 2003)
Fa6/3 1 0002.0002.0002 10.1.1.4 1(12:02:52 UTC Fri Apr 25 2003)
Fa6/3 1 0002.0002.0002 10.1.1.5 1(12:02:52 UTC Fri Apr 25 2003)
Fa6/3 1 0002.0002.0002 10.1.1.6 1(12:02:52 UTC Fri Apr 25 2003)
Fa6/3 1 0002.0002.0002 10.1.1.7 1(12:02:52 UTC Fri Apr 25 2003)
Fa6/3 1 0002.0002.0002 10.1.1.8 1(12:02:52 UTC Fri Apr 25 2003)
Fa6/3 1 0002.0002.0002 10.1.1.9 1(12:02:52 UTC Fri Apr 25 2003)
Fa6/3 1 0002.0002.0002 10.1.1.10 1(12:02:52 UTC Fri Apr 25 2003)
Fa6/3 1 0002.0002.0002 10.1.1.11 1(12:02:52 UTC Fri Apr 25 2003)
-- -- -- -- 5(12:02:52 UTC Fri Apr 25 2003)
This example shows how to clear the buffer with the clear ip arp inspection log command:
Router# clear ip arp inspection log
Router# show ip arp inspection log
Total Log Buffer Size : 10
Syslog rate : 0 entries per 10 seconds.
No entries in log buffer.
Related Commands
Command | Description |
|---|---|
clear ip arp inspection log | Clear the status of the log buffer. |
show ip arp inspection log | Shows the status of the log buffer. |
update arp
To secure dynamic Address Resolution Protocol (ARP) entries in the ARP table to their corresponding DHCP bindings, use the update arp command in DHCP pool configuration mode. To disable this command and change secure ARP entries to dynamic ARP entries, use the no form of this command.
update arp
no update arp
Syntax Description
This command has no keywords or arguments.
Defaults
No default behavior or values.
Command Modes
DHCP pool configuration
Command History
Release | Modification |
|---|---|
12.2(15)T | This command was introduced. |
12.2(33)SRC | This command was integrated into Cisco IOS Release 12.2(33)SRC. |
Usage Guidelines
The update arp DHCP pool configuration command is used to secure ARP table entries and their corresponding DHCP leases. However, existing active leases are not secured. These leases will remain insecure until they are renewed. When the lease is renewed, it is treated as a new lease and will be secured automatically. If this feature is disabled on the DHCP server, all existing secured ARP table entries will automatically change to dynamic ARP entries.
This command can be configured only under the following conditions:
•DHCP network pools in which bindings are created automatically and destroyed upon lease termination or when the client sends a DHCPRELEASE message.
•Directly connected clients on LAN interfaces and wireless LAN interfaces.
The configuration of this command is not visible to the client. When this command is configured, secured ARP table entries that are created by a DHCP server cannot be removed from the ARP table by the clear arp-cache command. This is designed behavior. If a secure ARP entry created by the DHCP server must be removed, the clear ip dhcp binding command can be used. This command will clear the DHCP binding and secured ARP table entry.
Note This command does not secure ARP table entries for BOOTP clients.
Examples
The following example configures the Cisco IOS DHCP server to secure ARP table entries to their corresponding DHCP leases within the DHCP pool named WIRELESS-POOL:
ip dhcp pool WIRELESS-POOL
update arp
Related Commands
'개발이야기' 카테고리의 다른 글
| Tv, Radio, Light(전등)를 조작할 수 있는 만능리모콘을 만드시오. (0) | 2013.01.04 |
|---|---|
| 웹 해킹 서버 분석과 웹쉘 대응방법 (0) | 2012.12.26 |
| ARP 스푸핑(ARP Spoofing) 감지를 위한 arpwatch (0) | 2012.12.26 |
| ARP 개념 정리 (0) | 2012.12.26 |
| [Apache HTTPD] Log rotation(logrotate) - 시간당 로그 쌓기 (0) | 2012.12.04 |