Chapter 23 Configuring Dynamic ARP Inspection

Configuring Dynamic ARP Inspection

Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments.

Step 1  configure terminal

        Enter global configuration mode.

Step 2  arp access-list acl-name

        Define an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined.

        Note: At the end of the ARP access list, there is an implicit deny ip any mac any command.

Step 3  permit ip host sender-ip mac host sender-mac [log]

        Permit ARP packets from the specified host (Host 2).

        For sender-ip, enter the IP address of Host 2.

        For sender-mac, enter the MAC address of Host 2.

        (Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE). Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command. For more information, see the “Configuring the Log Buffer” section on page 23-12.

Step 4  exit

        Return to global configuration mode.

Step 5  ip arp inspection filter arp-acl-name vlan vlan-range [static]

        Apply the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.

        For arp-acl-name, specify the name of the ACL created in Step 2.

        For vlan-range, specify the VLAN that the switches and hosts are in. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

        (Optional) Specify static to treat the implicit deny at the end of the ARP ACL as an explicit deny: a packet that matches no clause in the ACL is dropped, and DHCP snooping bindings are not consulted.

        If you do not specify static, a packet that matches no clause in the ACL has not been explicitly denied, and the DHCP snooping bindings decide whether it is permitted or dropped.

        Only the sender IP-to-MAC address binding carried in the ARP packet is compared against the ACL. A packet is permitted only if an ACE permits it or, without static, a DHCP snooping binding validates it; otherwise it is dropped.

Step 6  interface interface-id

        Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.
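The following is an added example, not part of the Cisco guide and not code from Cisco IOS: a small Python model of the decision rules stated in Steps 2 to 5, so that the effect of the implicit deny ip any mac any and of the static keyword can be exercised before the ACL is applied to a production VLAN. It also renders the CLI lines for Steps 2 to 5 from the same model. The ACL name host2, the addresses 1.1.1.1 / 0001.0001.0001 and 1.1.1.2 / 0002.0002.0002, and the DHCP snooping binding are constructed sample data; the interface-level Step 6 is not modelled.

```python
"""
Added example, not from the Cisco guide: a model of the decision rules this page
gives for Dynamic ARP Inspection (DAI) when an ARP ACL is applied with
"ip arp inspection filter <acl> vlan <vlan> [static]". The switch makes this
decision itself; the model only reproduces the stated rules so the effect of the
implicit "deny ip any mac any" and of the static keyword can be checked.
All hosts, MAC addresses and DHCP snooping bindings below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def _norm_mac(mac: str) -> str:
    """Compare MACs regardless of 0001.0001.0001 / 00:01:... notation."""
    return mac.lower().replace(".", "").replace(":", "").replace("-", "")


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str   # sender IP-to-MAC binding carried in the ARP body
    sender_mac: str
    vlan: int


@dataclass
class ArpAce:
    action: str      # "permit" or "deny"
    sender_ip: str
    sender_mac: str  # Cisco dotted notation, as typed on the CLI
    log: bool = False

    def matches(self, pkt: ArpPacket) -> bool:
        return (IPv4Address(pkt.sender_ip) == IPv4Address(self.sender_ip)
                and _norm_mac(pkt.sender_mac) == _norm_mac(self.sender_mac))

    def render(self) -> str:
        line = f" {self.action} ip host {self.sender_ip} mac host {self.sender_mac}"
        return line + (" log" if self.log else "")


@dataclass
class ArpAcl:
    name: str
    aces: list = field(default_factory=list)

    def render_ios(self) -> list:
        """CLI lines for Steps 2-4 of the procedure (arp access-list ... exit)."""
        return [f"arp access-list {self.name}"] + [a.render() for a in self.aces] + [" exit"]

    def first_match(self, pkt: ArpPacket):
        """First matching ACE, or None, which is the implicit deny ip any mac any."""
        for ace in self.aces:
            if ace.matches(pkt):
                return ace
        return None


def render_filter(acl: ArpAcl, vlan: int, static: bool) -> str:
    """CLI line for Step 5."""
    return f"ip arp inspection filter {acl.name} vlan {vlan}" + (" static" if static else "")


def dai_decision(pkt: ArpPacket, acl: ArpAcl, static: bool, dhcp_bindings: dict) -> tuple:
    """
    Apply the rules on this page. dhcp_bindings is the DHCP snooping table,
    keyed (vlan, ip) -> mac. Returns (verdict, reason).
    """
    ace = acl.first_match(pkt)
    if ace is not None:
        return ace.action, f"matched ACE '{ace.render().strip()}' in {acl.name}"
    if static:
        # static: the implicit deny at the end of the ACL is treated as an
        # explicit deny; DHCP snooping bindings are never consulted.
        return "deny", "no ACE matched; implicit deny applied (static)"
    # Without static: nothing in the ACL denied the packet, so the DHCP snooping
    # binding for this VLAN/IP decides.
    bound_mac = dhcp_bindings.get((pkt.vlan, pkt.sender_ip))
    if bound_mac is not None and _norm_mac(bound_mac) == _norm_mac(pkt.sender_mac):
        return "permit", "no ACE matched; valid DHCP snooping binding"
    return "deny", "no ACE matched; no matching DHCP snooping binding"


# Constructed sample data: Host 2 is the statically addressed host the ACL must
# cover; the binding below stands for a DHCP client learned by DHCP snooping.
HOST2_ACL = ArpAcl("host2", [ArpAce("permit", "1.1.1.1", "0001.0001.0001", log=True)])
DHCP_BINDINGS = {(1, "1.1.1.2"): "0002.0002.0002"}


if __name__ == "__main__":
    for line in HOST2_ACL.render_ios() + [render_filter(HOST2_ACL, 1, static=True)]:
        print(line)
    for pkt in (ArpPacket("1.1.1.1", "0001.0001.0001", 1),   # Host 2, covered by the ACL
                ArpPacket("1.1.1.2", "0002.0002.0002", 1),   # DHCP client, not in the ACL
                ArpPacket("1.1.1.1", "dead.beef.0000", 1)):  # Host 2's IP with a forged MAC
        for static in (True, False):
            print(pkt, "static" if static else "non-static",
                  dai_decision(pkt, HOST2_ACL, static, DHCP_BINDINGS))
```

The run shows the trade-off the static keyword makes: with static, the DHCP client at 1.1.1.2 is dropped even though DHCP snooping has a valid binding for it, so in a mixed VLAN every static host must have its own permit ACE; without static, the forged binding for 1.1.1.1 is still dropped because no ACE and no DHCP binding vouch for it.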

Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
23-9
