Sample Two: One Switch Supports DAI - Cisco 7604 Configuration Manual
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
Chapter 38
Configuring Dynamic ARP Inspection

Sample Two: One Switch Supports DAI

This procedure shows how to configure DAI when Router B shown in Figure 38-2 on page 38-4 does not
support DAI or DHCP snooping.

If switch Router B does not support DAI or DHCP snooping, configuring Fast Ethernet port 6/3 on
Router A as trusted creates a security hole because both Router A and Host 1 could be attacked by either
Router B or Host 2.

To prevent this possibility, you must configure Fast Ethernet port 6/3 on Router A as untrusted. To permit
ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1. If the IP address of
Host 2 is not static, which would make it impossible to apply the ACL configuration on Router A, you
must separate Router A from Router B at Layer 3 and use a router to route packets between them.

To set up an ARP ACL on switch Router A, follow these steps:

Step 1   Configure the access list to permit the IP address 1.1.1.1 and the MAC address 0001.0001.0001, and
         verify the configuration:

RouterA# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)# arp access-list H2
RouterA(config-arp-nacl)# permit ip host 1.1.1.1 mac host 1.1.1
RouterA(config-arp-nacl)# end
RouterA# show arp access-list
ARP access list H2
    permit ip host 1.1.1.1 mac host 0001.0001.0001

Step 2   Apply the ACL to VLAN 1, and verify the configuration:

RouterA# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)# ip arp inspection filter H2 vlan 1
RouterA(config)# end
RouterA#
RouterA# show ip arp inspection vlan 1

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active      H2                 No

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Deny             Deny
RouterA#

Step 3   Configure Fast Ethernet port 6/3 as untrusted, and verify the configuration:

RouterA# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)# interface fastethernet 6/3
RouterA(config-if)# no ip arp inspection trust
RouterA(config-if)# end
Switch# show ip arp inspection interfaces fastethernet 6/3

 Interface        Trust State     Rate (pps)
 ---------------  -----------     ----------
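The following is an added example, not code from the Cisco guide: a small Python model of the order in which DAI checks an ARP packet (trusted port bypass, then the VLAN's ARP ACL, then the DHCP snooping bindings unless the ACL is static). It replays Router A's Step 1 and Step 2 configuration with Fast Ethernet 6/3 first trusted and then untrusted, so the "security hole" the text describes becomes a concrete verdict. Host 1's address (1.1.1.2 / 0002.0002.0002) and its DHCP snooping binding are constructed sample values, and the port name "Fa6/3" is assumed from the interface in Step 3.

```python
"""Added example, not from the Cisco guide: a model of the order in which
Dynamic ARP Inspection (DAI) checks an ARP packet, used to show why leaving
Fast Ethernet 6/3 on Router A trusted lets Host 2 answer for Host 1, and how
the untrusted port plus ARP ACL H2 closes that hole.  Host 1's address and
the DHCP snooping binding below are constructed sample values."""
from dataclasses import dataclass


def normalize_mac(mac: str) -> str:
    """Expand an abbreviated IOS dotted MAC such as '1.1.1' to '0001.0001.0001',
    the form in which 'show arp access-list' displays it."""
    groups = mac.lower().split(".")
    if len(groups) != 3:
        raise ValueError(f"expected three dotted groups: {mac!r}")
    return ".".join(g.zfill(4) for g in groups)


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass
class DaiConfig:
    trusted_ports: dict   # port name -> True if 'ip arp inspection trust' is set
    arp_acl: dict         # vlan -> set of (ip, mac) permit entries of its ARP ACL
    static_acl: dict      # vlan -> True if the ACL was applied with the 'static' keyword
    dhcp_bindings: dict   # (vlan, ip) -> mac learned by DHCP snooping


def inspect(pkt: ArpPacket, cfg: DaiConfig):
    """Return ('forward' | 'drop', reason) following DAI's order of checks:
    a trusted port is not inspected; then the VLAN's ARP ACL is consulted;
    a packet the ACL does not match falls through to the DHCP snooping
    bindings unless the ACL is static, in which case it is dropped."""
    if cfg.trusted_ports.get(pkt.ingress_port, False):
        return "forward", "trusted port: not inspected"
    mac = normalize_mac(pkt.sender_mac)
    acl = cfg.arp_acl.get(pkt.vlan)
    if acl is not None:
        if (pkt.sender_ip, mac) in acl:
            return "forward", "ARP ACL permit"
        if cfg.static_acl.get(pkt.vlan, False):
            return "drop", "ARP ACL implicit deny (static ACL)"
    if cfg.dhcp_bindings.get((pkt.vlan, pkt.sender_ip)) == mac:
        return "forward", "DHCP snooping binding match"
    return "drop", "no ARP ACL or DHCP snooping binding match"


def build_router_a(fa63_trusted: bool) -> DaiConfig:
    """Router A as configured in Steps 1 and 2 of the guide (ACL H2 on VLAN 1,
    not static), with Fa6/3 either trusted or untrusted.  The binding for
    Host 1 (1.1.1.2 / 0002.0002.0002) is a constructed value, not from the guide."""
    return DaiConfig(
        trusted_ports={"Fa6/3": fa63_trusted},
        arp_acl={1: {("1.1.1.1", normalize_mac("1.1.1"))}},
        static_acl={1: False},
        dhcp_bindings={(1, "1.1.1.2"): "0002.0002.0002"},
    )


def scenario() -> dict:
    """Run Host 2's own ARP (legitimate) and an ARP claiming Host 1's address
    (spoofed) through Router A with Fa6/3 trusted and then untrusted."""
    legit = ArpPacket("Fa6/3", 1, "1.1.1.1", "1.1.1")
    spoof = ArpPacket("Fa6/3", 1, "1.1.1.2", "1.1.1")
    return {
        trusted: {"legit": inspect(legit, build_router_a(trusted))[0],
                  "spoof": inspect(spoof, build_router_a(trusted))[0]}
        for trusted in (True, False)
    }


if __name__ == "__main__":
    for trusted, verdicts in scenario().items():
        state = "trusted" if trusted else "untrusted"
        print(f"Fa6/3 {state}: Host 2's own ARP -> {verdicts['legit']}, "
              f"ARP claiming Host 1's address -> {verdicts['spoof']}")
```

With Fa6/3 trusted both packets are forwarded, because a trusted port is never inspected; with the port untrusted and H2 applied, only the ARP that matches the 1.1.1.1 / 0001.0001.0001 binding passes, and the one claiming Host 1's address is dropped because neither the ACL nor the DHCP snooping table vouches for that IP-to-MAC pair. The "Static ACL: No" column in the Step 2 output corresponds to static_acl being False here: a non-matching packet still gets a chance against the DHCP snooping bindings rather than being denied outright.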