ols-556-sprint8-arp-inspect-schema-draft

2025-10-29 17:22:23 +00:00 · 2025-01-22 14:48:04 +00:00
parent adeeb0457b
commit 59ad89be0f
4 changed files with 80 additions and 2 deletions
--- a/schema/ethernet.yml
+++ b/schema/ethernet.yml
@@ -367,4 +367,18 @@ properties:
      lldp-notification:
        type: boolean
        description: Enables the transmission of SNMP trap notifications about LLDP changes.
-        default: false
+        default: false
+  ip-arp-inspect-intf-config:
+    type: object
+    description: "Configuration for ARP Inspection on specific interfaces or ports in the switch."
+    properties:
+      ip-arp-inspect-rate-limit:
+        type: integer
+        description: Sets a rate limit (packets per second) for the ARP packets received on a port. 
+          Ensures that the port does not process ARP packets beyond the configured limit.
+        minimum: 0
+        maximum: 65535
+      ip-arp-inspect-trust:
+        type: boolean
+        description: Configures the port as trusted, exempting it from ARP Inspection. 
+          Trusted ports bypass ARP validation checks.
--- a/schema/interface.ipv4.yml
+++ b/schema/interface.ipv4.yml
@@ -200,6 +200,22 @@ properties:
    description: "Enables DHCP Snooping on a VLAN"
    type: boolean
    default: false
+  ip-arp-inspect-vlan-config:
+    type: object
+    description: "Configuration for ARP Inspection on specific VLANs in the switch."
+    properties:
+      ip-arp-inspect-vlan-enable:
+        type: boolean
+        description: "Enable or disable ARP Inspection for a specified VLAN."
+      ip-arp-inspect-vlan-acl-rule:
+        type: string
+        description: "Specifies an ARP ACL to apply to one or more VLANs."
+        maxLength: 32
+        minLength: 1
+      ip-arp-inspect-vlan-acl-nodhcp-bindings:
+        type: boolean
+        description: Validate ARP packets against only the specified ACL without checking 
+          address bindings in the DHCP snooping database.
  voice-vlan-intf-config:
    description: "Configure the Voice VLAN feature at the interface level, allowing for VoIP traffic to be prioritized on this specific port."
    type: object
--- a/schema/switch.yml
+++ b/schema/switch.yml
@@ -706,4 +706,23 @@ properties:
              maxLength: 32
              minLength: 1
              examples:
-                - "A VoIP Phone"
+                - "A VoIP Phone"
+  arp-inspect-config:
+    type: object
+    description: Global configuration for ARP Inspection on the switch.
+    properties:
+      ip-arp-inspect:
+        type: boolean
+        description: Enable or disable ARP Inspection globally.
+      ip-arp-inspect-validate-dst-mac:
+        type: boolean
+        description: Validate that the destination MAC address in the Ethernet header matches the target MAC address in the ARP body for ARP responses.
+      ip-arp-inspect-validate-ip:
+        type: boolean
+        description: Validate ARP packets for unexpected or invalid IP addresses, such as 0.0.0.0, 255.255.255.255, and IP multicast addresses.
+      ip-arp-inspect-validate-allow-zeros:
+        type: boolean
+        description: Allow ARP packets where the sender IP address is 0.0.0.0.
+      ip-arp-inspect-validate-src-mac:
+        type: boolean
+        description: Validate that the source MAC address in the Ethernet header matches the sender MAC address in the ARP body for both ARP requests and responses.
--- a/state/state.yml
+++ b/state/state.yml
@@ -60,3 +60,32 @@ properties:
    type: string
    description:
      Current interface that serves as the Uplink. Example Ethernet2.
+  arp-inspect-stats:
+    type: object
+    description: "Statistics related to ARP Inspection activity in the switch."
+    properties:
+      arp-pkt-rcvd:
+        type: integer
+        description: "Total number of ARP packets received."
+      arp-pkt-dropped-rate-limit:
+        type: integer
+        description: "Number of ARP packets dropped due to rate limiting."
+      arp-pkt-processed:
+        type: integer
+        description: "Total number of ARP packets processed by ARP Inspection.
+      arp-pkt-dropped-src-mac:
+        type: integer
+        description: "Number of ARP packets dropped due to source MAC address validation failures."
+      arp-pkt-dropped-dst-mac:
+        type: integer
+        description: "Number of ARP packets dropped due to destination MAC address validation failures."
+      arp-pkt-dropped-ip:
+        type: integer
+        description: "Number of ARP packets dropped due to IP address validation failures."
+      arp-pkt-dropped-acl:
+        type: integer
+        description: "Number of ARP packets dropped due to ARP ACL rules."
+      arp-pkt-dropped-dhcp:
+        type: integer
+        description: "Number of ARP packets dropped due to DHCP snooping validation failures."
+