Dynamic Arp Inspection Configuration Guidelines - Cisco Catalyst 2960 Software Configuration Manual

Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE (OL-26520-01)
Chapter 22  Configuring Dynamic ARP Inspection, page 22-6

Table 22-1    Default Dynamic ARP Inspection Configuration (continued)

Feature             Default Setting
Log buffer          When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged.
                    The number of entries in the log is 32.
                    The number of system messages is limited to 5 per second.
                    The logging-rate interval is 1 second.
Per-VLAN logging    All denied or dropped ARP packets are logged.

Dynamic ARP Inspection Configuration Guidelines

These are the dynamic ARP inspection configuration guidelines:

• Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.

• Dynamic ARP inspection is not effective for hosts connected to switches that do not support dynamic ARP inspection or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with dynamic ARP inspection checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for dynamic ARP inspection.

• Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see Chapter 20, "Configuring DHCP and IP Source Guard Features."

  When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.

• Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

Note  Do not enable Dynamic ARP inspection on RSPAN VLANs. If Dynamic ARP inspection is enabled on RSPAN VLANs, Dynamic ARP inspection packets might not reach the RSPAN destination port.

• A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match. Otherwise, the physical port remains suspended in the port channel. A port channel inherits its trust state from the first physical port that joins the channel. Consequently, the trust state of the first physical port need not match the trust state of the channel.

  Conversely, when you change the trust state on the port channel, the switch configures a new trust state on all the physical ports that comprise the channel.

• The rate limit is calculated separately on each switch in a switch stack. For a cross-stack EtherChannel, this means that the actual rate limit might be higher than the configured value. For example, if you set the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
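An added configuration example (not from the manual) that applies the guidelines above on a Catalyst switch: VLAN 10, Port-channel 1 as the trusted uplink, the access-port range, the ACL name, and the static host's address and MAC are all assumed values.

```ios
! Prerequisite: DAI checks ARP packets against the DHCP snooping binding
! table, so snooping must be on for the VLAN before DAI is enabled there.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable DAI on the VLAN that holds the untrusted access ports.
ip arp inspection vlan 10
!
! A host with a static address (assumed printer) has no snooping binding,
! so its IP-to-MAC pair must be permitted explicitly with an ARP ACL.
! "log" lets the matchlog setting below record ACL hits.
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0000.1111.2222 log
!
! Apply the ACL to the VLAN. Packets that match no ACL entry fall through
! to the binding-table check; append "static" to drop them instead.
ip arp inspection filter STATIC-HOSTS vlan 10
!
! The uplink is an EtherChannel: set trust on the port channel so every
! member port inherits it, rather than on individual members.
interface Port-channel1
 ip arp inspection trust
!
! Access ports stay untrusted (the default). A port whose ARP rate exceeds
! the limit is error-disabled; 15 pps is the default for untrusted ports.
interface range GigabitEthernet0/1 - 24
 ip arp inspection limit rate 15
!
! Let a rate-limited port recover automatically instead of staying down.
errdisable recovery cause arp-inspection
!
! State the Table 22-1 logging defaults explicitly and log ACL matches.
ip arp inspection log-buffer entries 32
ip arp inspection log-buffer logs 5 interval 1
ip arp inspection vlan 10 logging acl-match matchlog
!
! Verification commands (exec mode):
! show ip arp inspection vlan 10
! show ip arp inspection interfaces
! show ip arp inspection log
```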