Table of Contents
Advertisement
◆
E
XAMPLE
Console(config)#ip arp inspection
Console(config)#
This command specifies an ARP ACL to apply to one or more VLANs. Use
ip arp inspection
the no form to remove an ACL binding.
filter
S
YNTAX
D
EFAULT
ARP ACLs are not bound to any VLAN
Static mode is not enabled
C
OMMAND
Global Configuration
C
OMMAND
◆
◆
◆
When ARP Inspection is disabled globally, it is still possible to configure
ARP Inspection for individual VLANs. These configuration changes will
only become active after ARP Inspection is globally enabled again.
ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range}
[static]
arp-acl-name - Name of an ARP ACL.
(Maximum length: 16 characters)
vlan-id - VLAN ID. (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use a
hyphen, or a random group of VLANs with each entry separated by
a comma.
static - ARP packets are only validated against the specified ACL,
address bindings in the DHCP snooping database is not checked.
S
ETTING
M
ODE
U
SAGE
ARP ACLs are configured with the commands described on
If static mode is enabled, the switch compares ARP packets to the
specified ARP ACLs. Packets matching an IP-to-MAC address binding in
a permit or deny rule are processed accordingly. Packets not matching
any of the ACL rules are dropped. Address bindings in the DHCP
snooping database are not checked.
If static mode is not enabled, packets are first validated against the
specified ARP ACL. Packets matching a deny rule are dropped. All
remaining packets are validated against the address bindings in the
DHCP snooping database.
– 1147 –
| General Security Measures
C
29
HAPTER
ARP Inspection
page
406.
Advertisement
Chapters
Table of Contents
