You must configure trusted ports carefully. For example, in the topology in Figure 1, Switch B may
not see the leased IP address that Host 1 receives from the DHCP server. If the port on Switch B that
is connected to Switch A is untrusted and if Switch B has dynamic ARP protection enabled, it will
see ARP packets from Host 1 as invalid, resulting in a loss of connectivity.
On the other hand, if Switch A does not support dynamic ARP protection and you configure the port
on Switch B connected to Switch A as trusted, Switch B opens itself to possible ARP poisoning from
hosts attached to Switch A.
Figure 1. Configuring Trusted Ports for Dynamic ARP Protection
Take into account the following configuration guidelines when you use dynamic ARP protection in
You should configure ports connected to other switches in the network as trusted ports. In this
way, all network switches can exchange ARP packets and update their ARP caches with valid
Switches that do not support dynamic ARP protection should be separated by a router in their
own Layer 2 domain. Because ARP packets do not cross Layer 2 domains, the unprotected
switches cannot unknowingly accept ARP packets from an attacker and forward them to
protected switches through trusted ports.
To configure one or more Ethernet interfaces that handle VLAN traffic as trusted ports, enter the arp
protect trust command at the global configuration level. The switch does not check ARP requests and
responses received on a trusted port.
Syntax: [no] arp protect trust <port-list>

<port-list>: Specifies a port number or a range of port numbers. Separate individual port numbers or ranges of port numbers with a comma; for example: c1-c3, c6.

An example of the arp protect trust command is shown here:
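As an added example (not taken from the release notes), the guideline above applied to a switch whose ports c1-c3 and c6 are links to other switches that also run dynamic ARP protection, while every other port faces hosts. The prompt string, the port roles and the semicolon annotation lines are assumptions for illustration; only the arp protect trust syntax comes from the page.

```text
; Assumed: c1-c3 and c6 are inter-switch links; all other ports connect to hosts.
; Trust only the inter-switch links, so ARP exchanged with the other protected
; switches is accepted without inspection.
ProCurve(config)# arp protect trust c1-c3,c6

; Host-facing ports are left untrusted (the state they have unless configured
; otherwise), so ARP packets from hosts are still validated.

; If a switch that lacks dynamic ARP protection is later attached behind c6,
; that port should no longer be trusted; otherwise hosts behind it could poison
; this switch's ARP cache through the trusted link:
ProCurve(config)# no arp protect trust c6
```

The design point is that trust is granted per link, not per switch: a port is trusted only when the device on the far side is itself validating ARP, and trust is withdrawn as soon as that stops being true.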
Release R.11.12 Enhancements