hit counter script

Configuring Arp Acls For Non-Dhcp Environments - Cisco WS-C3020 Software Configuration Manual

Catalyst blade switch for hp
Table of Contents

Advertisement

Configuring Dynamic ARP Inspection
Command
Step 7
show ip arp inspection interfaces
show ip arp inspection vlan vlan-range
Step 8
show ip dhcp snooping binding
Step 9
show ip arp inspection statistics vlan
vlan-range
Step 10
copy running-config startup-config
To disable dynamic ARP inspection, use the no ip arp inspection vlan vlan-range global configuration
command. To return the interfaces to an untrusted state, use the no ip arp inspection trust interface
configuration command.
This example shows how to configure dynamic ARP inspection on Switch A in VLAN 1. You would
perform a similar procedure on Switch B:
Switch(config)# ip arp inspection vlan 1
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip arp inspection trust

Configuring ARP ACLs for Non-DHCP Environments

This procedure shows how to configure dynamic ARP inspection when Switch B shown in
on page 21-3
If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and
Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure
port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and
apply it to VLAN 1. If the IP address of Host 2 is not static (it is impossible to apply the ACL
configuration on Switch A) you must separate Switch A from Switch B at Layer 3 and use a router to
route packets between them.
Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This
procedure is required in non-DHCP environments.
Command
Step 1
configure terminal
Step 2
arp access-list acl-name
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide
21-8
Purpose
Verify the dynamic ARP inspection configuration.
Verify the DHCP bindings.
Check the dynamic ARP inspection statistics.
(Optional) Save your entries in the configuration file.
does not support dynamic ARP inspection or DHCP snooping.
Chapter 21
Configuring Dynamic ARP Inspection
Purpose
Enter global configuration mode.
Define an ARP ACL, and enter ARP access-list
configuration mode. By default, no ARP access lists
are defined.
At the end of the ARP access list, there is an
Note
implicit deny ip any mac any command.
Figure 21-2
OL-8915-03

Hide quick links:

Advertisement

Table of Contents
loading

This manual is also suitable for:

Catalyst 3020

Table of Contents