Cisco IE-4000 Software Configuration Manual page 414

Industrial ethernet switch

Configuring Dynamic ARP Inspection
How to Configure Dynamic ARP Inspection
Step 1
Command: show cdp neighbors
Purpose: Verifies the connection between the switches.

Step 2
Command: configure terminal
Purpose: Enters global configuration mode.

Step 3
Command: ip arp inspection vlan vlan-range
Purpose: Enables DAI on a per-VLAN basis. By default, DAI is disabled on all VLANs.
vlan-range: Specifies a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4096.
Specifies the same VLAN ID for both switches.

Step 4
Command: interface interface-id
Purpose: Specifies the interface connected to the other switch, and enters interface configuration mode.

Step 5
Command: ip arp inspection trust
Purpose: Configures the connection between the switches as trusted. By default, all interfaces are untrusted.
The switch does not check ARP packets that it receives from the other switch on the trusted interface; it only forwards the packets.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command.

Step 6
Command: end
Purpose: Returns to privileged EXEC mode.

Configuring ARP ACLs for Non-DHCP Environments
This procedure shows how to configure DAI when Switch B shown in Figure 64 on page 407 does not support DAI or DHCP snooping.
If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1. If the IP address of Host 2 is not static (it is impossible to apply the ACL configuration on Switch A) you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.
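The trust decision for port 1 on Switch A can be modelled in a few lines. This Python sketch is an added example, not code from the Cisco manual. It is a simplified model that checks only the sender IP-to-MAC binding; the class names, the port name "port1" and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Arp:
    vlan: int
    port: str          # ingress interface on Switch A
    sender_ip: str
    sender_mac: str

@dataclass
class DaiSwitch:
    # Simplified model of the DAI decision described in the procedure above.
    dai_vlans: set = field(default_factory=set)      # ip arp inspection vlan
    trusted_ports: set = field(default_factory=set)  # ip arp inspection trust
    snooping: dict = field(default_factory=dict)     # (vlan, ip) -> mac, from DHCP snooping
    arp_acl: dict = field(default_factory=dict)      # (vlan, ip) -> mac, static ARP ACL permits
    log: list = field(default_factory=list)          # stands in for the log buffer

    def inspect(self, pkt):
        if pkt.vlan not in self.dai_vlans:
            return "forward"             # DAI is disabled on all VLANs by default
        if pkt.port in self.trusted_ports:
            return "forward"             # trusted: forwarded without any check
        key, mac = (pkt.vlan, pkt.sender_ip), pkt.sender_mac.lower()
        if self.arp_acl.get(key) == mac or self.snooping.get(key) == mac:
            return "forward"             # valid IP-to-MAC binding
        self.log.append(pkt)             # invalid: drop and log
        return "drop"

# Constructed sample data (documentation address ranges).
HOST1 = ("192.0.2.1", "00:00:5e:00:53:01")   # behind Switch A, DHCP client
HOST2 = ("192.0.2.2", "00:00:5e:00:53:02")   # behind Switch B, static address
genuine = Arp(1, "port1", *HOST2)                # Host 2 announcing itself
spoofed = Arp(1, "port1", HOST1[0], HOST2[1])    # Host 1's IP paired with Host 2's MAC

def outcomes(trust_port1, acl_for_host2):
    """Verdicts of Switch A for (genuine, spoofed) ARP on port 1, plus log count."""
    sw = DaiSwitch(dai_vlans={1}, snooping={(1, HOST1[0]): HOST1[1]})
    if trust_port1:
        sw.trusted_ports.add("port1")
    if acl_for_host2:
        sw.arp_acl[(1, HOST2[0])] = HOST2[1]
    return sw.inspect(genuine), sw.inspect(spoofed), len(sw.log)

if __name__ == "__main__":
    for args in [(True, False), (False, False), (False, True)]:
        print(args, outcomes(*args))
```

With port 1 trusted, the mismatched binding is forwarded unchecked; with port 1 untrusted and no ARP ACL, Host 2's legitimate ARP is dropped as well, which is why the ACL for its static address is needed.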


This manual is also suitable for: IE-5000, IE-4010
