23-10
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
OL-12247-04
Chapter 23 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
To remove the ARP ACL, use the
no arp access-list
global configuration command. To remove the ARP
ACL attached to a VLAN, use the
no ip arp inspection filter
arp-acl-name
vlan
vlan-range
global
configuration command.
This example shows how to configure an ARP ACL called
host2
on Switch A, to permit ARP packets
from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and
to configure port 1 on Switch A as untrusted:
Switch(config)#
arp access-list host2
Switch(config-arp-acl)#
permit ip host 1.1.1.1 mac host 1.1.1
Switch(config-arp-acl)#
exit
Switch(config)#
ip arp inspection filter host2 vlan 1
Switch(config)#
interface gigabitethernet1/0/1
Switch(config-if)#
no ip arp inspection trust
Limiting the Rate of Incoming ARP Packets
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of
incoming ARP packets is rate-limited to prevent a denial-of-service attack.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the
error-disabled state. The port remains in that state until you enable error-disabled recovery so that ports
automatically emerge from this state after a specified timeout period.
Note
Unless you configure a rate limit on an interface, changing the trust state of the interface also changes
its rate limit to the default value for that trust state. After you configure the rate limit, the interface
retains the rate limit even when its trust state is changed. If you enter the
no ip arp inspection limit
interface configuration command, the interface reverts to its default rate limit.
Step 7
no ip arp inspection trust
Configure the Switch A interface that is connected to
Switch B as untrusted.
By default, all interfaces are untrusted.
For untrusted interfaces, the switch intercepts all
ARP requests and responses. It verifies that the
intercepted packets have valid IP-to-MAC address
bindings before updating the local cache and before
forwarding the packet to the appropriate destination.
The switch drops invalid packets and logs them in the
log buffer according to the logging configuration
specified with the
ip arp inspection vlan logging
global configuration command. For more
information, see the
Step 8
end
Return to privileged EXEC mode.
Step 9
show arp access-list
[
acl-name
]
show ip arp inspection vlan
vlan-range
show ip arp inspection interfaces
Verify your entries.
Step 10
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Command
Purpose