Cisco WS-C6506 Software Manual page 436

Catalyst 6500 series switch

Using VACLs in Your Network
Figure 15-8 Dynamic ARP Inspection Flow Chart

Note
Only the ARP packets that are sent from an untrusted port are inspected. The ARP packets that are
received from a trusted port are forwarded without inspection (this process applies to both static and
dynamic ARP inspection). By default, the system configures the MSFC port as ARP inspection trusted.

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
15-40
Chapter 15
Configuring Access Control
OL-8978-04


This manual is also suitable for:

Catalyst 6506, Catalyst 6509, Catalyst 6513
