Configuring Dynamic ARP Inspection
How to Configure Dynamic ARP Inspection
Step 1. configure terminal
    Enters global configuration mode.

Step 2. arp access-list acl-name
    Defines an ARP ACL and enters ARP access-list configuration mode. By default, no ARP access lists are defined.
    Note: At the end of every ARP access list there is an implicit deny ip any mac any command.

Step 3. permit ip host sender-ip mac host sender-mac [log]
    Permits ARP packets from the specified host (Host 2).
    sender-ip: The IP address of Host 2.
    sender-mac: The MAC address of Host 2.
    (Optional) log: Logs a packet in the log buffer when it matches this access control entry (ACE). Matches are logged only if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command. For more information, see Configuring the Log Buffer, page 414.

Step 4. exit
    Returns to global configuration mode.

Step 5. ip arp inspection filter arp-acl-name vlan vlan-range [static]
    Applies the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.
    arp-acl-name: The name of the ACL created in Step 2.
    vlan-range: The VLAN or VLANs that the switches and hosts are in. You can specify a single VLAN ID, a range of VLANs separated by a hyphen, or a series of VLANs separated by commas. The range is 1 to 4094.
    (Optional) static: Treats the implicit deny at the end of the ARP ACL as an explicit deny, so that ARP packets that match no earlier clause in the ACL are dropped. The DHCP snooping bindings are not consulted.
    If you do not specify this keyword, a packet that matches no clause in the ACL (and so is not dropped by an explicit deny) is permitted or denied according to the DHCP snooping binding database.
    Only the sender IP-to-MAC address binding carried in the ARP packet is compared against the ACL; a packet is permitted by the ACL only if an ACE permits it.
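The five steps above, carried through for a single statically addressed host, as an added worked example (this configuration is not from the original guide). The host address 10.1.10.20, MAC address 0011.2233.4455, ACL name DAI-STATIC-HOSTS and VLAN 10 are assumed values. The example also enables DAI on the VLAN and turns on ACE-match logging, because the ARP ACL filter has no effect on a VLAN where DAI itself is not enabled, and the log keyword in the ACE produces no log entries without the matchlog setting:

```cisco
! Added example, not from the original guide. Host 2 is assumed to be a
! statically addressed server (10.1.10.20 / 0011.2233.4455) on VLAN 10;
! the addresses, ACL name and VLAN are hypothetical.
configure terminal
 ! Step 2: define the ARP ACL (implicit deny ip any mac any at the end)
 arp access-list DAI-STATIC-HOSTS
  ! Step 3: permit only this sender IP-to-MAC binding and log the matches
  permit ip host 10.1.10.20 mac host 0011.2233.4455 log
  ! Step 4: back to global configuration mode
  exit
 ! Step 5: apply the ACL to VLAN 10 WITHOUT the static keyword, so ARP
 ! packets that match no ACE fall through to the DHCP snooping bindings.
 ! Add "static" to drop every packet the ACL does not explicitly permit.
 ip arp inspection filter DAI-STATIC-HOSTS vlan 10
 ! The filter is only enforced once DAI is enabled on the VLAN
 ip arp inspection vlan 10
 ! Make the "log" keyword on the ACE actually write to the log buffer
 ip arp inspection vlan 10 logging acl-match matchlog
 end
! Verification
show arp access-list DAI-STATIC-HOSTS
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

Check the output of show ip arp inspection vlan 10 to confirm that the ACL name appears against the VLAN and that the VLAN is listed as enabled; a rising "ACL Drops" counter in the statistics output on a VLAN where only DHCP-addressed hosts live usually means the static keyword was applied where the DHCP bindings were still needed.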