21-9
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 21 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
Configuring ARP ACLs for Non-DHCP Environments
This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 21-2
on page 21-3 does not support dynamic ARP inspection or DHCP snooping.
If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and
Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure
port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and
apply it to VLAN 1. If the IP address of Host 2 is not static (it is impossible to apply the ACL
configuration on Switch A) you must separate Switch A from Swit ch B at Layer 3 and use a router to
route packets between them.
Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This
procedure is required in non-DHCP environments.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 arp access-list acl-name Define an ARP ACL, and enter ARP access-list configuration
mode. By default, no ARP access lists are defined.
Note At the end of the ARP access list, there is an implicit
deny ip any mac any command.
Step 3 permit ip host sender-ip mac host sender-mac
[log]
Permit ARP packets from the specified host (Host 2).
For sender-ip, enter the IP address of Host 2.
For sender-mac, enter the MAC address of Host 2.
(Optional) Specify log to log a packet in the log buffer when
it matches the access control entry (ACE). Matches are
logged if you also configure the matchlog keyword in the
ip arp inspection vlan logging global configuration
command. For more information, see the “Configuring the
Log Buffer” section on page 21-13.
Step 4 exit Return to global configuration mode.