26-8
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 26 Configuring Dynamic ARP Inspection
How to Configure Dynamic ARP Inspection

Command / Purpose

Step 3
Command: permit ip host sender-ip mac host sender-mac [log]
Purpose: Permits ARP packets from the specified host (Host 2).
  sender-ip—Enters the IP address of Host 2.
  sender-mac—Enters the MAC address of Host 2.
  (Optional) log—Logs a packet in the log buffer when it matches the access control entry (ACE). Matches are logged only if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command. For more information, see the “Configuring the Log Buffer” section on page 26-11.

Step 4
Command: exit
Purpose: Returns to global configuration mode.

Step 5
Command: ip arp inspection filter arp-acl-name vlan vlan-range [static]
Purpose: Applies the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.
  arp-acl-name—Specifies the name of the ACL created in Step 2.
  vlan-range—Specifies the VLAN that the switches and hosts are in. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4096.
  (Optional) static—Treats the implicit deny at the end of the ARP ACL as an explicit deny, so that packets matching no previous clause in the ACL are dropped. DHCP bindings are not used.
  If you do not specify this keyword, a packet that matches no clause in the ACL is not treated as explicitly denied; instead, the DHCP bindings determine whether that packet is permitted or denied.
  Only ARP packets containing IP-to-MAC address bindings are compared against the ACL. Such packets are permitted only if the access list permits them.

Step 6
Command: interface interface-id
Purpose: Specifies the Switch A interface that is connected to Switch B, and enters interface configuration mode.

Step 7
Command: no ip arp inspection trust
Purpose: Configures the Switch A interface that is connected to Switch B as untrusted.
  By default, all interfaces are untrusted.
  For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command.

Step 8
Command: end
Purpose: Returns to privileged EXEC mode.
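The procedure above worked through end to end, as an added example that is not taken from the guide. The ACL name, VLAN number, interface and the Host 2 address pair are assumed placeholder values; the two Step 5 variants show the difference the static keyword makes.

```cisco
! Assumed placeholder values (not from the guide):
!   ARP ACL name                 : host2-arp-acl
!   VLAN                         : 10
!   Switch A port toward Switch B: GigabitEthernet1/1
!   Host 2                       : IP 10.10.10.2, MAC 0000.0000.0002
!
configure terminal
!
! Step 2-4: the ARP ACL permitting only Host 2. The optional "log"
! keyword produces log-buffer entries only when VLAN logging is set to
! "acl-match matchlog" (configured below).
arp access-list host2-arp-acl
 permit ip host 10.10.10.2 mac host 0000.0000.0002 log
 exit
!
! Enable DAI on the VLAN and log ACL matches (the matchlog keyword
! referred to in Step 3).
ip arp inspection vlan 10
ip arp inspection vlan 10 logging acl-match matchlog
!
! Step 5, variant A (no "static"): an ARP packet that matches no ACL
! clause is checked against the DHCP snooping binding table, so hosts
! that obtained their address via DHCP are still permitted.
ip arp inspection filter host2-arp-acl vlan 10
!
! Step 5, variant B ("static"): the ACL's implicit deny becomes an
! explicit deny and DHCP bindings are not consulted, so on VLAN 10 only
! Host 2's binding passes through untrusted ports. Use this only where
! every legitimate sender on the VLAN is listed in the ACL.
! Configure one variant or the other for a given VLAN, not both.
ip arp inspection filter host2-arp-acl vlan 10 static
!
! Steps 6-7: the Switch A port toward Switch B stays untrusted, so ARP
! arriving from Switch B is validated against the ACL (and, without
! "static", against the DHCP bindings) before the cache is updated.
interface GigabitEthernet1/1
 no ip arp inspection trust
 end
!
! Verification in privileged EXEC: confirm the ACL, the filter/logging
! state of the VLAN, and the drop/forward counters.
show arp access-list host2-arp-acl
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```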