Name: Cisco Catalyst 3560-X
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

1-10

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-25303-03

Chapter 1 Configuring Dynamic ARP Inspection

Configuring Dynamic ARP Inspection

To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP

ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global

configuration command.

This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets

from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and

to configure port 1 on Switch A as untrusted:

Switch(config)# arp access-list host2

Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 1.1.1

Switch(config-arp-acl)# exit

Switch(config)# ip arp inspection filter host2 vlan 1

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# no ip arp inspection trust

Limiting the Rate of Incoming ARP Packets

The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of

incoming ARP packets is rate-limited to prevent a denial-of-service attack.

When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the

error-disabled state. The port remains in that state until you enable error-disabled recovery so that ports

automatically emerge from this state after a specified timeout period.

Step 6

ip arp inspection smartlog Specify that whatever packets are currently being logged are also

smart-logged. By default, all dropped packets are logged.

Step 7

interface interface-id Specify the Switch A interface that is connected to Switch B, and enter

interface configuration mode.

Step 8

no ip arp inspection trust Configure the Switch A interface that is connected to Switch B as

untrusted.

By default, all interfaces are untrusted.

For untrusted interfaces, the switch intercepts all ARP requests and

responses. It verifies that the intercepted packets have valid IP-to-MAC

address bindings before updating the local cache and before forwarding

the packet to the appropriate destination. The switch drops invalid

packets and logs them in the log buffer according to the logging

configuration specified with the ip arp inspection vlan logging global

configuration command. For more information, see the “Configuring

the Log Buffer” section on page 1-13.

Step 9

end Return to privileged EXEC mode.

Step 10

show arp access-list [acl-name]

show ip arp inspection vlan vlan-range

show ip arp inspection interfaces

Verify your entries.

Step 11

copy running-config startup-config (Optional) Save your entries in the configuration file.

Command Purpose

Questions and Answers:

Need help?

Do you have a question about the Cisco Catalyst 3560-X and is the answer not in the manual?

Cisco Catalyst 3560-X Specifications

General

Enclosure Type	Rack-mountable - 1U
Subtype	Gigabit Ethernet
Ports	48 x 10/100/1000 + 4 x SFP
Flash Memory	64 MB
Power Device	Internal power supply
Voltage Required	AC 120/230 V (50/60 Hz)
Operating System	Cisco IOS
Device Type	Switch
Performance	Switching capacity: 128 Gbps
Jumbo Frame Support	Yes
Routing Protocol	RIP-1, RIP-2, EIGRP
Remote Management Protocol	SNMP 1, RMON 1, RMON 2, RMON 3, RMON 9, Telnet, SNMP 3, HTTP, HTTPS
Features	DHCP support, VLAN support, QoS, IPv6 support, Syslog
Compliant Standards	IEEE 802.3, IEEE 802.3u, IEEE 802.3z, IEEE 802.1D, IEEE 802.1Q, IEEE 802.3ab, IEEE 802.1p, IEEE 802.3af, IEEE 802.3x, IEEE 802.3ad, IEEE 802.1w, IEEE 802.1x, IEEE 802.1s, IEEE 802.3ah, IEEE 802.1ag, IEEE 802.3at
Stacking	Stackable
Security Features	SSH, RADIUS, TACACS+
Management	CLI
Dimensions (H x W x D)	17.5 in
Operating Temperature	32 to 113 °F (0 to 45 °C)
Humidity	10 - 95% (non-condensing)