58-6
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 58 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
Figure 58-3 ARP Packet Validation on a VLAN Enabled for DAI
Note DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address
bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit
ARP packets that have dynamically assigned IP addresses. For configuration information, see
Chapter 60, “Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts.”
For information on how to configure DAI when only one switch supports the feature, see the
“Configuring ARP ACLs for Non-DHCP Environments” section on page 58-11.
To configure DAI, perform this task on both switches:
DHCP server
Switch A Switch B
Host 1
Host 2
Port 1 Port 3
111751
Command Purpose
Step 1
Switch# show cdp neighbors
Verifies the connection between the switches.
Step 2
Switch# configure terminal
Enters global configuration mode.
Step 3
Switch(config)# [no] ip arp inspection vlan
vlan-range
Enables DAI on a per-VLAN basis. By default, DAI is disabled
on all VLANs.
To disable DAI, use the no ip arp inspection vlan vlan-range
global configuration command.
For vlan-range, specify a single VLAN identified by VLAN ID
number, a range of VLANs separated by a hyphen, or a series of
VLANs separated by a comma. The range is 1 to 4094.
Specify the same VLAN ID for both switches.
Step 4
Switch(config)# interface interface-id
Specifies the interface connected to the other switch, and enter
interface configuration mode.
To Next Page
Loading...
Need help?
General
