22-10
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
OL-26520-01
Chapter 22 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP
ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global
configuration command.
Step 5
ip arp inspection filter arp-acl-name vlan
vlan-range [static]
Apply the ARP ACL to the VLAN. By default, no defined ARP
ACLs are applied to any VLAN.
• For arp-acl-name, specify the name of the ACL created in
Step 2.
• For vlan-range, specify the VLAN that the switches and
hosts are in. You can specify a single VLAN identified by
VLAN ID number, a range of VLANs separated by a
hyphen, or a series of VLANs separated by a comma. The
range is 1 to 4094.
• (Optional) Specify static to treat implicit denies in the ARP
ACL as explicit denies and to drop packets that do not
match any previous clauses in the ACL. DHCP bindings are
not used.
If you do not specify this keyword, it means that there is no
explicit deny in the ACL that denies the packet, and DHCP
bindings determine whether a packet is permitted or denied
if the packet does not match any clauses in the ACL.
ARP packets containing only IP-to-MAC address bindings are
compared against the ACL. Packets are permitted only if the
access list permits them.
Step 6
interface interface-id Specify the Switch A interface that is connected to Switch B,
and enter interface configuration mode.
Step 7
no ip arp inspection trust Configure the Switch A interface that is connected to Switch B
as untrusted.
By default, all interfaces are untrusted.
For untrusted interfaces, the switch intercepts all ARP requests
and responses. It verifies that the intercepted packets have valid
IP-to-MAC address bindings before updating the local cache
and before forwarding the packet to the appropriate destination.
The switch drops invalid packets and logs them in the log buffer
according to the logging configuration specified with the ip arp
inspection vlan logging global configuration command. For
more information, see the “Configuring the Log Buffer” section
on page 22-13.
Step 8
end Return to privileged EXEC mode.
Step 9
show arp access-list [acl-name]
show ip arp inspection vlan vlan-range
show ip arp inspection interfaces
Verify your entries.
Step 10
copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose
To Next Page
Loading...
Need help?
General
