58-11
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 58 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
Configuring ARP ACLs for Non-DHCP Environments
This procedure shows how to configure DAI when Switch B shown in Figure 58-3 does not support DAI
or DHCP snooping.
If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and
Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure
port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and
apply it to VLAN 100. If the IP address of Host 2 is not static, such that it is impossible to apply the
ACL configuration on Switch A, you must separate Switch A from Switch B at Layer 3 and use a router
to route packets between them.
To configure an ARP ACL (on switch A in a non-DHCP environment), perform this task:
Command Purpose
Step 1
Switch# configure terminal
Enters global configuration mode.
Step 2
Switch(config)# arp access-list acl-name
Defines an ARP ACL, and enter ARP access-list
configuration mode. By default, no ARP access lists
are defined.
Note At the end of the ARP access list, there is an
implicit deny ip any mac any command.
Step 3
Switch(config-arp-nac)# permit ip host sender-ip mac
host sender-mac
[log]
Permits ARP packets from the specified host (Host
2).
• For sender-ip, enter the IP address of Host 2.
• For sender-mac, enter the MAC address of
Host 2.
• (Optional) Specify log to log a packet in the log
buffer when it matches the access control entry
(ACE). Matches are logged if you also configure
the matchlog keyword in the ip arp inspection
vlan logging global configuration command. For
more information, see the “Configuring the Log
Buffer” section on page 58-14.
Step 4
Switch(config-arp-nac)# exit
Returns to global configuration mode.
To Next Page
Loading...
