22-6
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 22 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
Dynamic ARP Inspection Configuration Guidelines
These are the dynamic ARP inspection configuration guidelines:

• Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.

• Dynamic ARP inspection is not effective for hosts connected to switches that do not support dynamic ARP inspection or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with dynamic ARP inspection checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for dynamic ARP inspection.

• Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see Chapter 21, “Configuring DHCP Features and IP Source Guard.”

When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.

• Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

• A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match. Otherwise, the physical port remains suspended in the port channel. A port channel inherits its trust state from the first physical port that joins the channel. Consequently, the trust state of the first physical port need not match the trust state of the channel.

Conversely, when you change the trust state on the port channel, the switch configures a new trust state on all the physical ports that comprise the channel.

• The rate limit is calculated separately on each switch in a switch stack. For a cross-stack EtherChannel, this means that the actual rate limit might be higher than the configured value. For example, if you set the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
Table 22-1 Default Dynamic ARP Inspection Configuration (continued)

Feature            Default Setting
Log buffer         When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged.
                   The number of entries in the log is 32.
                   The number of system messages is limited to 5 per second.
                   The logging-rate interval is 1 second.
Per-VLAN logging   All denied or dropped ARP packets are logged.
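An added configuration example, not taken from the guide, that applies the guidelines above and states the logging defaults from Table 22-1 explicitly on a Catalyst IOS switch: DHCP snooping is enabled before dynamic ARP inspection so the binding database exists, one statically addressed host is permitted through an ARP ACL, the uplink to another DAI-enabled switch is trusted, and an untrusted access port is rate-limited. VLAN 10, the IP and MAC addresses, and the interface names are assumptions.

```cisco
! Constructed example: VLAN 10, addresses and interface names are assumptions.
! DAI validates ARP against the DHCP snooping binding database, so enable snooping first.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable dynamic ARP inspection on the VLAN (ingress checking only).
ip arp inspection vlan 10
!
! Hosts with static addresses never appear in the snooping database;
! permit them explicitly with an ARP ACL applied to the VLAN.
arp access-list DAI-STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
!
ip arp inspection filter DAI-STATIC-HOSTS vlan 10
!
! Logging defaults from Table 22-1, written out so they are visible in the
! running configuration: 32 buffer entries, at most 5 system messages per
! 1-second interval.
ip arp inspection log-buffer entries 32
ip arp inspection log-buffer logs 5 interval 1
!
! Uplink to another switch that also runs DAI: trust it so its ARP traffic is
! not re-checked here. If this port joins a port channel, the channel must
! carry the same trust state or the port is suspended.
interface GigabitEthernet1/0/1
 description uplink to DAI-enabled distribution switch
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Untrusted access port: keep the default untrusted state and cap the ARP
! rate. Exceeding the limit error-disables the port.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! Bring an error-disabled port back automatically instead of requiring a
! manual shutdown / no shutdown.
errdisable recovery cause arp-inspection
```

Verify the result with show ip arp inspection vlan 10 and show ip arp inspection interfaces, which list the per-VLAN state and the trust and rate-limit settings of each port.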