22-9
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter22 Configuring Dynamic A RP In spection Configuring Dynamic ARP Inspection
If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and
Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure
port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and
apply it to VLAN 1. If the IP address of Host 2 is not static (it is impossible to apply the ACL
configuration on Switch A) you must separate Switch A from Swit ch B at La yer 3 an d u se a ro ut er t o
route packets between them.
Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This
procedure is required in non-DHCP environments.
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 arp access-list acl-name Define an ARP ACL, and enter ARP access-list
configuration mode. By default, no ARP access lists
are defined.
Note At the end of the ARP access list, there is an
implicit deny ip any mac any command.
Step3 permit ip host sender-ip mac host sender-mac [log] Permit ARP packets from the specified host (Host 2).
For sender-ip, enter the IP address of Host 2.
For sender-mac, enter the MAC address of
Host 2.
(Optional) Specify log to log a packet in the log
buffer when it matches the access control entry
(ACE). Matches are logged if you also configure
the matchlog keyword in the ip arp inspection
vlan logging global configuration command. For
more information, see the “Configuring the Log
Buffer” section on page 22-13.
Step4 exit Return to global configuration mode.