23-10
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-08
Chapter 23      Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP 
ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global 
configuration command.
Step 5
Command: ip arp inspection filter arp-acl-name vlan vlan-range [static]
Purpose: Apply the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.
  • For arp-acl-name, specify the name of the ACL created in Step 2.
  • For vlan-range, specify the VLAN that the switches and hosts are in. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
  • (Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used.
If you do not specify this keyword, it means that there is no explicit deny in the ACL that denies the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL.
ARP packets containing only IP-to-MAC address bindings are compared against the ACL. Packets are permitted only if the access list permits them.

Step 6
Command: interface interface-id
Purpose: Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.

Step 7
Command: no ip arp inspection trust
Purpose: Configure the Switch A interface that is connected to Switch B as untrusted.
By default, all interfaces are untrusted.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command. For more information, see the “Configuring the Log Buffer” section on page 23-13.

Step 8
Command: end
Purpose: Return to privileged EXEC mode.

Step 9
Command: show arp access-list [acl-name]
         show ip arp inspection vlan vlan-range
         show ip arp inspection interfaces
Purpose: Verify your entries.

Step 10
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
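
The order of checks that the static keyword in Step 5 changes, as an added Python model (not Cisco code and not part of the original guide). It follows one ARP packet arriving on an untrusted interface; the function name, the exact-match ACL entries and all addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    sender_ip: str
    sender_mac: str


def dai_verdict(sender_ip, sender_mac, acl, dhcp_bindings, static=False):
    """Verdict for one ARP packet on an untrusted port in a filtered VLAN."""
    # 1. The ARP ACL is consulted first; the first matching clause decides.
    for entry in acl:
        if (entry.sender_ip, entry.sender_mac) == (sender_ip, sender_mac):
            if entry.action == "permit":
                return "forward", "ARP ACL permit"
            return "drop", "ARP ACL explicit deny"
    # 2. No clause matched. With 'static' the implicit deny is final and
    #    DHCP bindings are never consulted.
    if static:
        return "drop", "ARP ACL implicit deny (static)"
    # 3. Without 'static' the DHCP snooping bindings decide.
    if dhcp_bindings.get(sender_ip) == sender_mac:
        return "forward", "DHCP binding"
    return "drop", "no DHCP binding"


# Constructed sample data (not from the guide).
ACL = [AclEntry("permit", "10.0.0.2", "0001.0001.0001")]   # statically addressed host
BINDINGS = {"10.0.0.50": "0002.0002.0002"}                 # DHCP client
PACKETS = [
    ("10.0.0.2", "0001.0001.0001"),    # static host, in the ACL
    ("10.0.0.50", "0002.0002.0002"),   # DHCP client, not in the ACL
    ("10.0.0.2", "00de.adbe.ef00"),    # static host's IP claimed by another MAC
]

if __name__ == "__main__":
    for static in (False, True):
        print(f"static={static}")
        for ip, mac in PACKETS:
            verdict, reason = dai_verdict(ip, mac, ACL, BINDINGS, static)
            print(f"  {ip:<10} {mac}  {verdict:<7} ({reason})")
```

With static set, the DHCP client at 10.0.0.50 is dropped even though it has a valid binding, so every legitimate host in the VLAN needs an ACL entry before the keyword is applied.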