Cisco Systems 3130 User Manual
22-6
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 22 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
Dynamic ARP Inspection Configuration Guidelines
These are the dynamic ARP inspection configuration guidelines:
•
Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.
•
Dynamic ARP inspection is not effective for hosts connected to switches that do not support
dynamic ARP inspection or that do not have this feature enabled. Because man-in-the-middle
attacks are limited to a single Layer 2 broadcast domain, separate the domain with dynamic ARP
inspection checks from the one with no checking. This action secures the ARP caches of hosts in the
domain enabled for dynamic ARP inspection.
dynamic ARP inspection or that do not have this feature enabled. Because man-in-the-middle
attacks are limited to a single Layer 2 broadcast domain, separate the domain with dynamic ARP
inspection checks from the one with no checking. This action secures the ARP caches of hosts in the
domain enabled for dynamic ARP inspection.
•
Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify
IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable
DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For
configuration information, see
IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable
DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For
configuration information, see
When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to
deny packets.
deny packets.
•
Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private
VLAN ports.
VLAN ports.
•
A physical port can join an EtherChannel port channel only when the trust state of the physical port
and the channel port match. Otherwise, the physical port remains suspended in the port channel. A
port channel inherits its trust state from the first physical port that joins the channel. Consequently,
the trust state of the first physical port need not match the trust state of the channel.
and the channel port match. Otherwise, the physical port remains suspended in the port channel. A
port channel inherits its trust state from the first physical port that joins the channel. Consequently,
the trust state of the first physical port need not match the trust state of the channel.
Conversely, when you change the trust state on the port channel, the switch configures a new trust
state on all the physical ports that comprise the channel.
state on all the physical ports that comprise the channel.
•
The rate limit is calculated separately on each switch in a switch stack. For a cross-stack
EtherChannel, this means that the actual rate limit might be higher than the configured value. For
example, if you set the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one
port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to
become error-disabled.
EtherChannel, this means that the actual rate limit might be higher than the configured value. For
example, if you set the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one
port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to
become error-disabled.
Log buffer
When dynamic ARP inspection is enabled, all denied or
dropped ARP packets are logged.
dropped ARP packets are logged.
The number of entries in the log is 32.
The number of system messages is limited to 5 per
second.
second.
The logging-rate interval is 1 second.
Per-VLAN logging
All denied or dropped ARP packets are logged.
Table 22-1
Default Dynamic ARP Inspection Configuration (continued)
Feature
Default Setting