15-39
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Using VACLs in Your Network
Configuring Logging for ARP Traffic Inspection
To configure the logging option to log the ARP traffic-inspection packets that are dropped, perform this
task in privileged mode:
For detailed information on the VACL logging option, see the “Configuring VACL Logging” section on
page 15-59. This section also provides information on limiting the number of logged flows using the set
security acl log maxflow max_number command.
To display the logged ARP traffic-inspection packets, perform this task in normal mode:
If you specify the optional host IP address, only the ARP packets that advertise a binding for the
specified host IP address are displayed. If you specify the optional vlan vlan keyword and argument, the
search is restricted to the specified VLAN.
Dynamic ARP Inspection
Note Dynamic ARP inspection (DAI) is available only with Supervisor Engine 2 with PFC2, Supervisor
Engine 720 with PFC3A/PFC3B/PFC3BXL, and Supervisor Engine 32 with PFC3B/PFC3BXL.
These sections describe DAI:
• Overview, page 15-39
• Dynamic ARP Inspection Configuration Procedures, page 15-41
Overview
DAI uses the binding information that is built by DHCP snooping to enforce the advertisement of
bindings to prevent “man-in-the-middle” attacks. These attacks can occur when an attacker intercepts
and selectively modifies communicated data to masquerade as one or more of the entries in a
communication association. DAI adds an extra layer of security to ARP inspection by verifying that the
ARP packet’s MAC address and IP address match an existing DHCP snooping binding in the same
VLAN. The basic functionality and packet flow of ARP inspection remains unchanged except for the
addition of checks to ensure that a DHCP binding exists (see Figure 15-8 for a logical flow chart).
Task Command
Log the ARP traffic-inspection packets that are
dropped.
set security acl ip acl_name deny
arp-inspection {host ip_address {any |
mac_address} | ip_address ip_mask any | any
any} [log]
Task Command
Display the logged ARP traffic-inspection packets. show security acl log flow arp [host
ip_address [vlan vlan]]
To Next Page
Loading...
Need help?
General