Leaflet

48
OL-11615-01
In this example, dynamic ARP inspection is configured on VLAN 100, while port 2/2 is set as trusted:
Console> (enable) set security acl arp-inspection dynamic enable 100
Dynamic ARP Inspection is enabled for vlan(s) 100.
Console> (enable) set port arp-inspection 2/2 trust enable
Port(s) 2/2 state set to trusted for ARP Inspection.
To configure ARP Inspection for non-DHCP systems, perform the following steps:
Step 1 Configure the ARP traffic-inspection ACL with the valid static MAC-IP binding entries. By default, no
ARP traffic-inspection access lists are defined. Define the ARP traffic-inspection ACL using the
set security acl ip acl_name arp-inspection host command:
Console> (enable) set security acl ip acl_name {permit | deny} arp-inspection host ip_address mac_address
Step 2 Commit the previously defined ARP traffic-inspection ACL using the commit command:
Console> (enable) commit security acl {acl_name | all | adjacency}
Step 3 Apply the ARP traffic-inspection ACL to the VLAN using the set security acl map command:
Console> (enable) set security acl map acl_name vlan-list
By default, no defined ARP traffic-inspection ACLs are applied to any VLAN.
Step 4 Configure the port trust state using the set port arp-inspection trust enable command:
Console> (enable) set port arp-inspection portlist trust {enable | disable}
Step 5 To make the interfaces untrusted, use the set port arp-inspection trust disable command. By default,
all interfaces are untrusted.
This example shows how to configure an ARP traffic-inspection ACL called TrustedHosts, to permit
ARP packets from a host with IP address 172.20.52.54 and MAC address 00-01-64-61-39-c2, to apply
the ACL to VLAN 100, and to configure port 2/2 on the switch as trusted:
Console> (enable) set security acl ip TrustedHosts permit arp-inspection host 172.20.52.54 00-01-64-61-39-c2
Operation successful.
Console> (enable) commit security acl TrustedHosts
Console> (enable) ACL commit in progress.
ACL ' TrustedHosts' successfully committed.
Console> (enable) set security acl map TrustedHosts 100
ACL TrustedHosts mapped to vlan 10
Console> (enable) set port arp-inspection 2/2 trust enable
Port(s) 2/2 state set to trusted for ARP Inspection.
To optionally configure additional DAI checks on source MAC addresses, use the
set security acl arp-inspection match-mac command:
Console> (enable) set security acl arp-inspection match-mac {enable drop [log]}
Console> (enable) commit security acl {acl_name | all | adjacency}
This example shows how to drop the packets where the source Ethernet MAC address is not the same as
the source MAC address in the ARP header:
Console> (enable) set security acl arp-inspection match-mac enable drop
ARP Inspection match-mac feature enabled with drop option.
Console> (enable) commit security acl TrustedHosts
Console> (enable) ACL commit in progress.
ACL ' TrustedHosts' successfully committed.
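The following is an added example, not CatOS code from this document: a small software model of the decision DAI makes for each ARP frame under the configuration built above (the TrustedHosts static binding, port 2/2 trusted, and the match-mac drop option). The port names, the second MAC address and the target IP used to build test frames are constructed values.

```python
import struct
from typing import Dict, Set, Tuple

# Model of the page's configuration (constructed; not read from a switch).
BINDINGS: Dict[str, str] = {"172.20.52.54": "00-01-64-61-39-c2"}  # TrustedHosts ACL entry
TRUSTED_PORTS: Set[str] = {"2/2"}      # set port arp-inspection 2/2 trust enable
MATCH_MAC = True                       # arp-inspection match-mac enable drop

def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace("-", "").replace(":", ""))

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def build_arp(eth_src: str, sha: str, spa: str, opcode: int = 1) -> bytes:
    """Construct an Ethernet II + ARP frame for testing (broadcast request by default)."""
    eth = b"\xff" * 6 + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sha), ip_bytes(spa),
                      b"\x00" * 6, ip_bytes("172.20.52.1"))  # constructed target
    return eth + arp

def inspect(port: str, frame: bytes) -> Tuple[str, str]:
    """Return (verdict, reason) for an ARP frame arriving on `port`, as DAI would decide."""
    if port in TRUSTED_PORTS:
        return "permit", "trusted port: ARP is not inspected"
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return "permit", "not ARP: DAI does not apply"
    eth_src = mac_str(frame[6:12])
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    sha, spa = mac_str(fields[5]), ip_str(fields[6])
    # match-mac check: Ethernet source MAC must equal the ARP sender hardware address.
    if MATCH_MAC and sha != eth_src:
        return "drop", f"match-mac: Ethernet source {eth_src} != ARP sender {sha}"
    # Static binding check: the sender IP must be bound to exactly this MAC.
    if BINDINGS.get(spa) != sha:
        return "drop", f"no static binding permits {spa} -> {sha}"
    return "permit", "matches static binding"
```

The first two checks only run on untrusted ports, which is why the trust state of port 2/2 matters: a frame that would be dropped on any other port passes there without inspection.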