20-10
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 20 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
To remove the ARP ACL, use the
no arp access-list
global configuration command. To remove the ARP
ACL attached to a VLAN, use the
no ip arp inspection filter
arp-acl-name
vlan
vlan-range
global
configuration command.
This example shows how to configure an ARP ACL called
host2
on Switch A, to permit ARP packets
from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and
to configure port 1 on Switch A as untrusted:
Switch(config)#
arp access-list host2
Switch(config-arp-acl)#
permit ip host 1.1.1.1 mac host 1.1.1
Switch(config-arp-acl)#
exit
Switch(config)#
ip arp inspection filter host2 vlan 1
Switch(config)#
interface gigabitethernet1/1
Switch(config-if)#
no ip arp inspection trust
Limiting the Rate of Incoming ARP Packets
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of
incoming ARP packets is rate-limited to prevent a denial-of-service attack.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the
error-disabled state. The port remains in that state until you enable error-disabled recovery so that ports
automatically emerge from this state after a specified timeout period.
Note
Unless you configure a rate limit on an interface, changing the trust state of the interface also changes
its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains
the rate limit even when its trust state is changed. If you enter the
no ip arp inspection limit
interface
configuration command, the interface reverts to its default rate limit.
Step 7
no ip arp inspection trust
Configure the Switch A interface that is connected to Switch B
as untrusted.
By default, all interfaces are untrusted.
For untrusted interfaces, the switch intercepts all ARP requests
and responses. It verifies that the intercepted packets have valid
IP-to-MAC address bindings before updating the local cache
and before forwarding the packet to the appropriate destination.
The switch drops invalid packets and logs them in the log buffer
according to the logging configuration specified with the
ip arp
inspection vlan logging
global configuration command. For
more information, see the
“Configuring the Log Buffer” section
.
Step 8
end
Return to privileged EXEC mode.
Step 9
show arp access-list
[
acl-name
]
show ip arp inspection vlan
vlan-range
show ip arp inspection interfaces
Verify your entries.
Step 10
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Command
Purpose