Leaflet
OL-11615-01
For more information on Dynamic ARP Inspection on Catalyst 6500 Series switches running Catalyst
OS, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/confg_gd/acc_list.htm
Dynamic ARP Inspection (DAI) in Cisco IOS (Catalyst 6500 and Catalyst 4500)
As with Catalyst OS, in Cisco IOS, DAI can be configured to drop ARP packets containing MAC
addresses in their bodies that do not match the addresses specified in the Ethernet headers. The
difference is that in Cisco IOS the MAC address validation can be done based on source and destination
MAC addresses:
Source MAC addresses: DAI checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets whose two MAC addresses differ are classified as invalid and are dropped.
Destination MAC addresses: DAI checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed only on ARP responses. When enabled, packets whose two MAC addresses differ are classified as invalid and are dropped.
As with Catalyst OS, in Cisco IOS DAI can be configured to drop ARP packets with invalid or unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses; target IP addresses are checked only in ARP responses.
Another difference between Catalyst OS and Cisco IOS is that in the latter, ARP inspection rate limiting is implemented per interface only, not globally. The default threshold also differs: in Cisco IOS the rate for untrusted interfaces is set to 15 pps by default.
To configure Dynamic ARP Inspection on switches running Cisco IOS, perform the following steps:
Step 1 Enable dynamic ARP inspection on a per-VLAN basis. By default, dynamic ARP inspection is disabled on all VLANs. Use the ip arp inspection vlan command:
Switch(config)# ip arp inspection vlan vlan-range
Step 2 Use the ip arp inspection trust command to configure the port trust state. By default, all interfaces are untrusted. To return an interface to the untrusted state, use the no ip arp inspection trust command:
Switch(config)# interface interface-id
Switch(config-if)# [no] ip arp inspection trust
In this example, dynamic ARP inspection is configured in VLAN 100, while interface G3/48 is set as trusted:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip arp inspection vlan 100
Switch(config)# interface g3/48
Switch(config-if)# ip arp inspection trust
Switch(config-if)# end
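The following configuration is an added example, not part of the Cisco guide, that extends the two-step procedure above with the other Cisco IOS DAI features described earlier on this page: the source/destination MAC and IP validation checks, the per-interface rate limit (15 pps is the IOS default for untrusted ports), and the show commands used to verify the result. The VLAN number, interface names, port range, and the err-disable recovery interval are assumed values chosen for illustration.

```cisco
! Added example (not from the Cisco guide): DAI on VLAN 100 with one trusted uplink,
! the optional header-vs-body validation checks, a per-port rate limit and verification.
! VLAN 100, Gi3/48 (uplink), Gi3/1-47 (access ports) and the 300 s recovery timer are assumptions.
Switch# configure terminal
Switch(config)# ip arp inspection vlan 100
! Enable the validation checks described above: src-mac (requests and responses),
! dst-mac (responses only) and ip (0.0.0.0, 255.255.255.255 and multicast addresses).
Switch(config)# ip arp inspection validate src-mac dst-mac ip
! Uplink toward the DHCP server / distribution layer: trusted, so ARP is not inspected
! or rate limited on this port.
Switch(config)# interface GigabitEthernet3/48
Switch(config-if)# description Uplink - trusted for DAI
Switch(config-if)# ip arp inspection trust
Switch(config-if)# ip arp inspection limit none
Switch(config-if)# exit
! Access ports stay untrusted (the default). The IOS default limit of 15 pps is
! written explicitly here so it is visible in the running configuration.
Switch(config)# interface range GigabitEthernet3/1 - 47
Switch(config-if-range)# ip arp inspection limit rate 15 burst interval 1
Switch(config-if-range)# exit
! A port that exceeds its ARP rate limit is placed in err-disabled state;
! allow it to recover automatically instead of requiring a manual shut/no shut.
Switch(config)# errdisable recovery cause arp-inspection
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verify the VLAN state, the per-interface trust state and limits, and the drop counters.
Switch# show ip arp inspection vlan 100
Switch# show ip arp inspection interfaces
Switch# show ip arp inspection statistics vlan 100
```

The statistics output is the first place to look when hosts in the VLAN lose connectivity after DAI is enabled: a rising count of dropped packets on an access port usually means a host with a static address that has no entry in the DHCP snooping binding table, which is the case the non-DHCP procedure below addresses.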
To configure ARP Inspection for non-DHCP systems, perform the following steps:
Step 1 Configure the ARP ACL with the valid static MAC-IP binding entries. By default, no ARP access lists
are defined. Define the ARP ACL using the arp access-list command: