410
Configuring Dynamic ARP Inspection
How to Configure Dynamic ARP Inspection
Configuring ARP ACLs for Non-DHCP Environments
This procedure shows how to configure DAI when Switch B shown in Figure 64 on page 407 does not support DAI or
DHCP snooping.
If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be
attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To
permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1. If the IP address of Host 2 is not
static (it is impossible to apply the ACL configuration on Switch A) you must separate Switch A from Switch B at Layer 3
and use a router to route packets between them.
Command Purpose
1. show cdp neighbors Verifies the connection between the switches.
2. configure terminal Enters global configuration mode.
3. ip arp inspection vlan vlan-range Enables DAI on a per-VLAN basis. By default, DAI is disabled on
all VLANs.
vlan-range—Specifies a single VLAN identified by VLAN ID
number, a range of VLANs separated by a hyphen, or a series of
VLANs separated by a comma. The range is 1 to 4096.
Specifies the same VLAN ID for both switches.
4. interface interface-id Specifies the interface connected to the other switch, and
enters interface configuration mode.
5. ip arp inspection trust Configures the connection between the switches as trusted.
By default, all interfaces are untrusted.
The switch does not check ARP packets that it receives from the
other switch on the trusted interface; it only forwards the
packets.
For untrusted interfaces, the switch intercepts all ARP requests
and responses. It verifies that the intercepted packets have valid
IP-to-MAC address bindings before updating the local cache
and before forwarding the packet to the appropriate destination.
The switch drops invalid packets and logs them in the log buffer
according to the logging configuration specified with the ip arp
inspection vlan logging global configuration command.
6. end Returns to privileged EXEC mode.
To Next Page
Loading...
Need help?
General
