Configuring ARP ACLs for Non-DHCP Environments - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex
Chapter 58
Configuring Dynamic ARP Inspection

Configuring ARP ACLs for Non-DHCP Environments

This procedure shows how to configure DAI when Switch B shown in Figure 58-3 does not support DAI or DHCP snooping.

If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 100. If the IP address of Host 2 is not static, such that it is impossible to apply the ACL configuration on Switch A, you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.
To configure an ARP ACL (on Switch A in a non-DHCP environment), perform this task:

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# arp access-list acl-name
Purpose: Defines an ARP ACL and enters ARP access-list configuration mode. By default, no ARP access lists are defined.
Note: At the end of the ARP access list, there is an implicit deny ip any mac any command.

Step 3
Command: Switch(config-arp-nac)# permit ip host sender-ip mac host sender-mac [log]
Purpose: Permits ARP packets from the specified host (Host 2).
For sender-ip, enter the IP address of Host 2.
For sender-mac, enter the MAC address of Host 2.
(Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE). Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command. For more information, see the "Configuring the Log Buffer" section on page 58-14.

Step 4
Command: Switch(config-arp-nac)# exit
Purpose: Returns to global configuration mode.

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
58-11
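The four steps above only create the ACL; the text also requires that the ACL be applied to VLAN 100 and that port 1 on Switch A stay untrusted. The following configuration, added here as an example and not taken from the manual, carries the whole procedure through on Switch A. The ACL name HOST2-ARP, the address 10.1.1.20, the MAC 0011.2233.4455 and the interface GigabitEthernet1/1 (assumed to be "port 1") are constructed values. The ip arp inspection vlan, ip arp inspection filter, ip arp inspection trust and ip arp inspection vlan logging acl-match commands are standard Cisco IOS DAI commands that this page does not itself list.

```cisco
! Added example for Switch A; all addresses, names and the interface are constructed.
!
! Steps 1-4 of the procedure: ARP ACL that permits only Host 2's IP/MAC pairing.
! Everything else hits the implicit "deny ip any mac any" at the end of the list.
arp access-list HOST2-ARP
 permit ip host 10.1.1.20 mac host 0011.2233.4455 log
exit
!
! Enable DAI on VLAN 100 and apply the ACL to it (the "apply it to VLAN 100"
! requirement in the text). Without DHCP snooping there are no bindings to fall
! back on, so the ACL is the only source of truth for Host 2.
ip arp inspection vlan 100
ip arp inspection filter HOST2-ARP vlan 100
!
! Make the "log" keyword on the ACE take effect: ACL matches go to the DAI log
! buffer only when matchlog is configured for the VLAN.
ip arp inspection vlan 100 logging acl-match matchlog
!
! Port 1 toward Switch B must remain untrusted (untrusted is the default; the
! explicit "no" form guards against an earlier trust setting), so ARP from both
! Switch B and Host 2 is inspected against the ACL.
interface GigabitEthernet1/1
 description Uplink to Switch B (no DAI or DHCP snooping on Switch B)
 switchport mode access
 switchport access vlan 100
 no ip arp inspection trust
end
!
! Verification (exec mode):
!   show arp access-list HOST2-ARP      - confirms the ACE and log keyword
!   show ip arp inspection vlan 100     - confirms DAI is enabled and the ACL is applied
!   show ip arp inspection interfaces   - confirms Gi1/1 is Untrusted
!   show ip arp inspection log          - shows ACE matches once matchlog is set
```

Two points a practitioner should check after applying this. First, if Host 2's address ever changes, the ACE silently stops matching and Host 2's ARP packets are dropped by the implicit deny, which is exactly why the text says a non-static Host 2 must instead be separated from Switch A at Layer 3. Second, the filter command accepts an optional static keyword (IOS DAI syntax, not shown on this page) that treats the ACL's implicit deny as final instead of falling through to DHCP snooping bindings; in an environment with no DHCP snooping bindings the observable behaviour is the same, but setting it documents the intent.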