Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 22 Configuring Dynamic ARP Inspection
Understanding Dynamic ARP Inspection
You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets
are invalid (for example 0.0.0.0, 255.255.255.255, or a multicast address) or when the MAC addresses in
the body of the ARP packets do not match the addresses in the Ethernet header (the sender MAC address
is compared with the source MAC address and, for ARP responses, the target MAC address with the
destination MAC address). Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global
configuration command; each keyword enables one of these checks. For more information, see the
"Performing Validation Checks" section on page 22-12.
Interface Trust States and Network Security
Dynamic ARP inspection associates a trust state with each interface on the switch. Packets arriving on
trusted interfaces bypass all dynamic ARP inspection validation checks, and those arriving on untrusted
interfaces undergo the dynamic ARP inspection validation process.
In a typical network configuration, you configure all switch ports connected to host ports as untrusted
and configure all switch ports connected to switches as trusted. With this configuration, an ARP packet is
inspected once, on the untrusted host port where it enters the network; packets crossing the trusted links
between switches bypass the security check, so no other validation is needed at any other place in the
VLAN or in the network. This holds only if every switch in the VLAN is itself running dynamic ARP
inspection (see the discussion of Figure 22-2 below). You configure the trust setting by using the
ip arp inspection trust interface configuration command.
Caution Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be
trusted can result in a loss of connectivity.
In Figure 22-2, assume that both Switch A and Switch B are running dynamic ARP inspection on the
VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP
server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the
interface between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by
Switch B. Connectivity between Host 1 and Host 2 is lost.
Figure 22-2 ARP Packet Validation on a VLAN Enabled for Dynamic ARP Inspection
Configuring an interface as trusted when it should be untrusted leaves a security hole in the
network. If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache
of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can
occur even though Switch B is running dynamic ARP inspection, because Switch B never inspects the
ARP packets that arrive on its trusted link from Switch A.
Figure 22-2 labels: DHCP server, Switch A, Switch B, Host 1, Host 2, Port 1, Port 3.
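The trust-state and binding behavior described for Figure 22-2, together with the src-mac, dst-mac and ip validation checks described at the start of this section, as an added model in Python. This is illustration code written for this page, not Cisco's code or the switch's implementation: it builds raw Ethernet/ARP frames, applies the checks an untrusted port would apply, and replays the Figure 22-2 scenarios (untrusted link, trusted link, and trusted link with Switch A not running dynamic ARP inspection). The host MAC and IP addresses, the interface name "uplink" on Switch B, the frames themselves, and the order in which the validation checks run relative to the binding-table lookup are assumptions made for the example.

```python
"""Model of the dynamic ARP inspection (DAI) decision on an access switch.
Added illustration, not Cisco code: trusted ports bypass inspection, untrusted
ports are checked against the DHCP snooping binding table plus the optional
src-mac/dst-mac/ip checks, and the Figure 22-2 scenarios are replayed.
Frames, interface names and addresses below are constructed for the example."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s):            # "aa:bb:cc:dd:ee:ff" -> 6 bytes
    return bytes.fromhex(s.replace(":", ""))


def _fmt(b):            # 6 bytes -> "aa:bb:cc:dd:ee:ff"
    return ":".join(f"{x:02x}" for x in b)


def build_arp_frame(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build a raw Ethernet II + ARP frame (42 bytes); constructed input."""
    eth = _mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # hw, proto, hlen, plen, opcode
    arp += _mac(sha) + ipaddress.IPv4Address(spa).packed
    arp += _mac(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def parse_arp_frame(frame):
    """Return the fields DAI compares, or None if this is not an Ethernet/ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {"eth_dst": _fmt(frame[0:6]), "eth_src": _fmt(frame[6:12]),
            "op": struct.unpack("!H", frame[20:22])[0],
            "sha": _fmt(frame[22:28]), "spa": str(ipaddress.IPv4Address(frame[28:32])),
            "tha": _fmt(frame[32:38]), "tpa": str(ipaddress.IPv4Address(frame[38:42]))}


def _invalid_ip(addr):
    """0.0.0.0, 255.255.255.255 and multicast never belong in an ARP body."""
    a = ipaddress.IPv4Address(addr)
    return a.is_unspecified or a.is_multicast or addr == "255.255.255.255"


class DaiSwitch:
    """One switch: per-interface trust state plus a DHCP snooping binding table."""

    def __init__(self, name, dai_enabled=True, validate=()):
        self.name = name
        self.dai_enabled = dai_enabled
        self.validate = set(validate)   # any of "src-mac", "dst-mac", "ip"
        self.trusted = set()            # interfaces configured with ip arp inspection trust
        self.bindings = set()           # (ip, mac) pairs learned by DHCP snooping

    def learn_dhcp(self, ip, mac):
        self.bindings.add((ip, mac))

    def inspect(self, interface, frame):
        """Decide whether an ARP frame entering `interface` is forwarded."""
        if not self.dai_enabled or interface in self.trusted:
            return "forward", "bypass"          # no checks at all on trusted ports
        arp = parse_arp_frame(frame)
        if arp is None:
            return "drop", "malformed"
        # Optional checks; running them before the binding lookup is an assumption.
        if "src-mac" in self.validate and arp["eth_src"] != arp["sha"]:
            return "drop", "src-mac mismatch"
        if "dst-mac" in self.validate and arp["op"] == ARP_REPLY and arp["eth_dst"] != arp["tha"]:
            return "drop", "dst-mac mismatch"
        if "ip" in self.validate and (_invalid_ip(arp["spa"]) or
                                      (arp["op"] == ARP_REPLY and _invalid_ip(arp["tpa"]))):
            return "drop", "invalid ip"
        if (arp["spa"], arp["sha"]) not in self.bindings:
            return "drop", "no binding"
        return "forward", "binding ok"


def figure_22_2(inter_switch_trusted, switch_a_dai):
    """Replay Figure 22-2 (Host 1 on Switch A Port 1, DHCP server on Switch A):
    report where a legitimate and a poisoned ARP from Host 1 end up."""
    a = DaiSwitch("Switch A", dai_enabled=switch_a_dai, validate=("src-mac", "ip"))
    b = DaiSwitch("Switch B", validate=("src-mac", "ip"))
    if inter_switch_trusted:
        b.trusted.add("uplink")         # Switch B's port toward Switch A (name assumed)
    h1_mac, h1_ip, h2_ip = "00:11:22:33:44:01", "10.0.0.11", "10.0.0.12"
    a.learn_dhcp(h1_ip, h1_mac)         # only Switch A saw Host 1's DHCP exchange
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    legit = build_arp_frame(h1_mac, bcast, ARP_REQUEST, h1_mac, h1_ip, zero, h2_ip)
    poison = build_arp_frame(h1_mac, bcast, ARP_REQUEST, h1_mac, h2_ip, zero, h2_ip)  # claims Host 2's IP

    def path(frame):                    # Host 1 -> Switch A Port 1 -> Switch B uplink
        act, why = a.inspect("Port 1", frame)
        if act == "drop":
            return f"dropped by Switch A ({why})"
        act, why = b.inspect("uplink", frame)
        return f"{'forwarded' if act == 'forward' else 'dropped'} by Switch B ({why})"

    return {"legit": path(legit), "poison": path(poison)}


if __name__ == "__main__":
    for trusted, a_dai in ((False, True), (True, True), (True, False)):
        print(f"link trusted={trusted}, Switch A DAI={a_dai}:", figure_22_2(trusted, a_dai))
```

Running the module prints the three cases the text discusses: with the inter-switch link untrusted, Switch B drops Host 1's legitimate ARP because it holds no binding for Host 1; with the link trusted, the legitimate ARP is forwarded and the poisoned ARP is stopped at Switch A; with the link trusted and Switch A not running dynamic ARP inspection, the poisoned ARP reaches Switch B unchecked.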