Cisco WS-C6506 Software Manual page 428

Catalyst 6500 series switch

Using VACLs in Your Network
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
15-32

ARP Traffic-Inspection Configuration Procedures

These sections describe the ARP traffic-inspection configuration procedures:
• Permitting or Denying ARP Packets Advertising a Specific IP-Address-to-MAC-Address Binding, page 15-33
• Permitting or Denying ARP Packets Advertising a Particular IP Address Binding, page 15-33
• Permitting or Denying All ARP Packets, page 15-34
• Permitting or Denying ARP Packets that Advertise Bindings for IP Addresses on a Particular Network, page 15-34
• Dropping Packets Without Matching MAC Addresses, page 15-35
• Dropping Packets with Invalid MAC or IP Addresses, page 15-35

Configuring ARP Traffic Inspection

This example shows you how to avoid a common configuration error. The following is a typical ARP traffic-inspection ACL:

set security acl ip my_arp
---------------------------------------------------
arp permit
1. permit arp-inspection host 10.6.62.86 00-b0-c2-3b-db-fd
2. deny arp-inspection host 10.6.62.86 any
3. permit arp-inspection any any

This ACL ensures that only MAC address 00-b0-c2-3b-db-fd is advertised as the MAC address for IP address 10.6.62.86. However, this ACL also denies all IP packets, because an IP ACL ends with an implicit deny ip any any and no entry in the list permits IP traffic.

If you want all IP traffic to pass through, there must be an explicit permit ip any any at the end of the ACL, as follows:

set security acl ip my_arp
---------------------------------------------------
arp permit
1. permit arp-inspection host 10.6.62.86 00-b0-c2-3b-db-fd
2. deny arp-inspection host 10.6.62.86 any
3. permit arp-inspection any any
4. permit ip any any

This example shows a typical configuration using ARP traffic inspection. The following ACL protects the two IP addresses that are specified: an ARP packet that advertises either address with any MAC address other than the one specified is denied and logged, ARP packets for all other addresses are permitted without inspection, and IP traffic is permitted:

set security acl ip ACL_VLAN951 permit arp-inspection host 132.216.251.129 00-d0-b7-11-13-14
set security acl ip ACL_VLAN951 deny arp-inspection host 132.216.251.129 any log
set security acl ip ACL_VLAN951 permit arp-inspection host 132.216.251.250 00-d0-00-ea-43-fc
set security acl ip ACL_VLAN951 deny arp-inspection host 132.216.251.250 any log
set security acl ip ACL_VLAN951 permit arp-inspection any any
set security acl ip ACL_VLAN951 permit ip any any
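As an added illustration (not from the Cisco guide), the following Python script models the first-match evaluation of the my_arp ACL with and without the trailing permit ip any any, so the implicit-deny pitfall described above can be checked offline. The parser, the evaluate function and the packet fields are constructed assumptions covering only the host/any ACE forms shown on this page, and the spoofed MAC in the demonstration is a made-up value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "arp-inspection" or "ip"
    ip: str = "any"    # "any" or one host address (ARP sender-protocol address)
    mac: str = "any"   # "any" or one MAC (ARP sender-hardware address)
    log: bool = False  # trailing "log" keyword present

def parse_ace(line):
    """Parse one 'set security acl ip <name> <action> <proto> ...' line (host/any forms only)."""
    toks = line.split()
    i = toks.index("acl") + 3                  # skip 'acl ip <name>'
    action, proto, rest = toks[i], toks[i + 1], toks[i + 2:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest[0] == "host":                      # 'host <ip>' versus bare 'any'
        ip, rest = rest[1], rest[2:]
    else:
        ip, rest = rest[0], rest[1:]
    mac = rest[0] if rest else "any"           # for ip ACEs this field is the destination
    return Ace(action, proto, ip, mac, log)

def evaluate(acl, proto, ip, mac="any"):
    """First-match lookup: returns (action, matching ACE number or None, logged)."""
    want = "arp-inspection" if proto == "arp" else "ip"
    for n, ace in enumerate(acl, 1):
        if ace.proto != want:                  # ARP packets only match arp-inspection ACEs
            continue
        if ace.ip not in ("any", ip):
            continue
        if want == "arp-inspection" and ace.mac not in ("any", mac):
            continue
        return ace.action, n, ace.log
    return "deny", None, False                 # implicit deny at the end of the ACL (assumed model)

# The page's two versions of my_arp: without and with the trailing permit ip any any.
MY_ARP_BROKEN = [parse_ace(l) for l in (
    "set security acl ip my_arp permit arp-inspection host 10.6.62.86 00-b0-c2-3b-db-fd",
    "set security acl ip my_arp deny arp-inspection host 10.6.62.86 any",
    "set security acl ip my_arp permit arp-inspection any any",
)]
MY_ARP_FIXED = MY_ARP_BROKEN + [parse_ace("set security acl ip my_arp permit ip any any")]

if __name__ == "__main__":
    print(evaluate(MY_ARP_BROKEN, "ip", "10.6.62.86"))   # ('deny', None, False)
    print(evaluate(MY_ARP_FIXED, "ip", "10.6.62.86"))    # ('permit', 4, False)
    print(evaluate(MY_ARP_FIXED, "arp", "10.6.62.86", "00-11-22-33-44-55"))  # constructed MAC -> ('deny', 2, False)
```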
Chapter 15
Configuring Access Control
OL-8978-04
