15-42
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Using VACLs in Your Network
Note To make sure DAI ports function properly, a permit arp-inspection any any ACE should be present in the PACL (the ACL mapped to a DAI-enabled port).

Note For DAI to function with hosts that have static IP addresses, add static DHCP-snooping binding entries on the port instead of a static ARP-inspection rule in the PACL (the ACL mapped to a DAI-enabled port).
This example shows how to put port 1/48 into port-based ACL mode, enable dynamic ARP inspection (DAI) on it, and map a PACL that carries the required permit arp-inspection any any ACE:
Console> (enable) set port security-acl 1/48 port-based
Warning: Vlan-based ACL features will be disabled on ports 1/48
ACL interface is set to port-based mode for port(s) 1/48.
Console> (enable) set security acl arp-inspection dynamic enable port 1/48
Dynamic ARP Inspection enabled on port 1/48.
Console> (enable) show security acl arp-inspection config
Match-mac feature is disabled.
Address-validation feature is disabled.
Dynamic ARP Inspection is disabled on vlan(s) 1-20,50.
Dynamic ARP Inspection is enabled on ports 1/48.
Dynamic ARP Inspection is disabled on ports 1/1-47,4/1-48,5/1-2.
Logging for Dynamic ARP Inspection rules is disabled.
Console> (enable) set security acl ip dai permit dhcp-snooping
Successfully configured DHCP Snooping for ACL dai. Use 'commit' command to save changes.
Console> (enable) set security acl ip dai permit arp-inspection any any
dai editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip dai permit ip any any
dai editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl dai
Console> (enable) ACL commit in progress.
ACL 'dai' successfully committed.
Console> (enable) set security acl map dai 1/48
Mapping in progress.
To configure DAI, perform this task in privileged mode:

Step 1  Task: Enable DAI on a VLAN or on a port.
        Command: set security acl arp-inspection dynamic {enable | disable} [vlanlist | port mod/port]

Step 2  Task: Enable or disable the inspection of ARP packets on a port by setting its ARP-inspection trust state (ARP packets on a trusted port are not inspected).
        Command: set port arp-inspection portlist trust {enable | disable}

Step 3  Task: Enable logging of the packets denied by DAI.
        Note: Logging of static ARP rule denials is still controlled by the rule (ACE) CPG.
        Command: set security acl arp-inspection dynamic log {enable | disable}

Step 4  Task: Verify the DAI and DAI logging configuration.
        Command: show security acl arp-inspection config

This example shows how to enable DAI on VLAN 100:
Console> (enable) set security acl arp-inspection dynamic enable 100
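The Note above makes DAI on a port depend on the PACL mapped to that port carrying a permit arp-inspection any any ACE, and the port 1/48 example shows the order of operations (port-based mode, enable DAI, build the ACL, commit, map). The following audit script is an added example, not code from this guide or from Cisco: it parses a configuration fragment written in the same command syntax the page shows (assumed here to be the form in which the switch displays its configuration) and reports every DAI-enabled port that is not in port-based mode, has no PACL mapped, or is mapped to a PACL lacking the required ACE. The sample configuration, the port numbers in it and the ACL name guest are constructed for the example.

```python
"""Audit a CatOS-style configuration for the DAI/PACL requirement described on this page.

Added example (not Cisco code). It recognises only the commands the page itself shows:
set port security-acl ... port-based, set security acl arp-inspection dynamic enable port ...,
set security acl ip <acl> permit|deny ..., and set security acl map <acl> <ports>.
"""
import re
from collections import defaultdict

# Constructed sample (not captured from a real switch). Port 1/48 is configured as on the
# page; ports 4/1-2 are DAI-enabled but mapped to a PACL ('guest', a made-up name) that
# lacks the arp-inspection ACE, and port 4/3 is DAI-enabled with no PACL mapped at all.
SAMPLE_CONFIG = """\
set port security-acl 1/48 port-based
set port security-acl 4/1-3 port-based
set security acl arp-inspection dynamic enable port 1/48,4/1-3
set security acl ip dai permit dhcp-snooping
set security acl ip dai permit arp-inspection any any
set security acl ip dai permit ip any any
set security acl ip guest permit dhcp-snooping
set security acl ip guest permit ip any any
set security acl map dai 1/48
set security acl map guest 4/1-2
"""

REQUIRED_ACE = "permit arp-inspection any any"   # the ACE the page's Note requires
PORT_RE = re.compile(r"^(\d+)/(\d+)(?:-(\d+))?$")


def expand_portlist(portlist):
    """Expand a CatOS port list such as '1/48,4/1-3' into ['1/48', '4/1', '4/2', '4/3']."""
    ports = []
    for item in portlist.split(","):
        m = PORT_RE.match(item.strip())
        if not m:
            raise ValueError(f"unrecognised port spec {item!r}")
        mod, lo = m.group(1), int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        ports.extend(f"{mod}/{n}" for n in range(lo, hi + 1))
    return ports


def parse_config(text):
    """Collect the DAI-relevant state from the configuration text."""
    state = {
        "port_based": set(),          # ports in port-based ACL mode
        "dai_ports": set(),           # ports with dynamic ARP inspection enabled
        "aces": defaultdict(list),    # acl name -> list of whitespace-normalised ACEs
        "pacl": {},                   # port -> acl name mapped to it (last mapping wins)
    }
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace so ACE text compares reliably
        if m := re.fullmatch(r"set port security-acl (\S+) port-based", line):
            state["port_based"].update(expand_portlist(m.group(1)))
        elif m := re.fullmatch(r"set security acl arp-inspection dynamic enable port (\S+)", line):
            state["dai_ports"].update(expand_portlist(m.group(1)))
        elif m := re.fullmatch(r"set security acl ip (\S+) ((?:permit|deny) .+)", line):
            state["aces"][m.group(1)].append(m.group(2))
        elif m := re.fullmatch(r"set security acl map (\S+) (\S+)", line):
            if "/" in m.group(2):     # a plain number is a VLAN mapping, not a PACL; skip it
                for port in expand_portlist(m.group(2)):
                    state["pacl"][port] = m.group(1)
    return state


def audit_dai(text):
    """Return sorted (port, finding) tuples for DAI-enabled ports that break the page's rules."""
    st = parse_config(text)
    findings = []
    for port in st["dai_ports"]:
        if port not in st["port_based"]:
            findings.append((port, "DAI enabled but port is not in port-based ACL mode"))
        acl = st["pacl"].get(port)
        if acl is None:
            findings.append((port, "DAI enabled but no PACL is mapped to the port"))
        elif REQUIRED_ACE not in st["aces"].get(acl, []):
            findings.append((port, f"PACL '{acl}' lacks '{REQUIRED_ACE}'"))
    return sorted(findings, key=lambda f: ([int(x) for x in f[0].split("/")], f[1]))


if __name__ == "__main__":
    for port, finding in audit_dai(SAMPLE_CONFIG):
        print(f"{port}: {finding}")
```

Run it on the sample and port 1/48 produces no finding, while 4/1 and 4/2 are reported for the missing ACE and 4/3 for having no PACL at all. Feed it a real configuration only after confirming the switch prints these commands in the same form; the parser deliberately ignores every line it does not recognise rather than guessing.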
