Cisco Systems 3560X Manuel D’Utilisation
25-10
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 25 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP
ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global
configuration command.
ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global
configuration command.
This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets
from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and
to configure port 1 on Switch A as untrusted:
from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and
to configure port 1 on Switch A as untrusted:
Switch(config)# arp access-list host2
Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 1.1.1
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter host2 vlan 1
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no ip arp inspection trust
Limiting the Rate of Incoming ARP Packets
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of
incoming ARP packets is rate-limited to prevent a denial-of-service attack.
incoming ARP packets is rate-limited to prevent a denial-of-service attack.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the
error-disabled state. The port remains in that state until you enable error-disabled recovery so that ports
automatically emerge from this state after a specified timeout period.
error-disabled state. The port remains in that state until you enable error-disabled recovery so that ports
automatically emerge from this state after a specified timeout period.
Note
Unless you configure a rate limit on an interface, changing the trust state of the interface also changes
its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains
the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface
configuration command, the interface reverts to its default rate limit.
its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains
the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface
configuration command, the interface reverts to its default rate limit.
Step 7
no ip arp inspection trust
Configure the Switch A interface that is connected to Switch B as
untrusted.
untrusted.
By default, all interfaces are untrusted.
For untrusted interfaces, the switch intercepts all ARP requests
and responses. It verifies that the intercepted packets have valid
IP-to-MAC address bindings before updating the local cache and
before forwarding the packet to the appropriate destination. The
switch drops invalid packets and logs them in the log buffer
according to the logging configuration specified with the ip arp
inspection vlan logging
and responses. It verifies that the intercepted packets have valid
IP-to-MAC address bindings before updating the local cache and
before forwarding the packet to the appropriate destination. The
switch drops invalid packets and logs them in the log buffer
according to the logging configuration specified with the ip arp
inspection vlan logging
global configuration command. For more
information, see the
Step 8
end
Return to privileged EXEC mode.
Step 9
show arp access-list
[acl-name]
show ip arp inspection vlan
vlan-range
show ip arp inspection interfaces
Verify your entries.
Step 10
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Command
Purpose