23-9
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
Chapter23 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
Configuring ARP ACLs for Non-DHCP Environments
This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure23-2
on page 23-3 does not support dynamic ARP inspection or DHCP snooping.
If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and
Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure
port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and
apply it to VLAN 1. If the IP address of Host 2 is not static (it is impossible to apply the ACL
configuration on Switch A) you must separate Switch A from Switch B at Layer 3 and use a router to
route packets between them.
Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This
procedure is required in non-DHCP environments.
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 arp access-list acl-name Define an ARP ACL, and enter ARP access-list configuration
mode. By default, no ARP access lists are defined.
Note At the end of the ARP access list, there is an implicit
deny ip any mac any command.
Step3 permit ip host sender-ip mac host sender-mac
[log]
Permit ARP packets from the specified host (Host 2).
For sender-ip, enter the IP address of Host 2.
For sender-mac, enter the MAC address of Host 2.
(Optional) Specify log to log a packet in the log buffer when
it matches the access control entry (ACE). Matches are
logged if you also configure the matchlog keyword in the
ip arp inspection vlan logging global configuration
command. For more information, see the “Configuring the
Log Buffer” section on page23-13.
Step4 exit Return to global configuration mode.