OL-11615-01
Switch(config)# arp access-list acl-name
Switch(config-arp)# permit ip host sender-ip mac host sender-mac [log]
Switch(config-arp)# exit
Step 2 Apply the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN. Use the
ip arp inspection filter command. With the static keyword, ARP packets that match no entry in the ACL are
dropped; without it, such packets are checked against the DHCP snooping binding database instead:
Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [static]
Step 3 Configure the port trust state. By default, all interfaces are untrusted, and ARP packets received on
them are inspected; packets received on trusted interfaces are forwarded without inspection. Use the
ip arp inspection trust command to make an interface trusted, and the no ip arp inspection trust
command to return it to the untrusted state:
Switch(config)# interface interface-id
Switch(config-if)# [no] ip arp inspection trust
This example shows how to configure an ARP ACL called TrustedHosts, to permit ARP packets from a
host with IP address 170.1.1.2 and MAC address 2.2.2 (Cisco dotted H.H.H notation, that is,
0002.0002.0002), to apply the ACL to VLAN 100 as a static filter, and to configure
interface fastethernet3/48 on the switch as untrusted:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# arp access-list TrustedHosts
Switch(config-arp-nacl)# permit ip host 170.1.1.2 mac host 2.2.2
Switch(config-arp-nacl)# exit
Switch(config)# ip arp inspection filter TrustedHosts vlan 100 static
Switch(config)# interface fa3/48
Switch(config-if)# no ip arp inspection trust
Switch(config-if)# end
To optionally configure the additional DAI checks on destination MAC addresses, sender and target IP
addresses, or source MAC addresses, use the ip arp inspection validate global configuration command.
Each invocation replaces the set of checks configured earlier rather than adding to it, so name every
check you want in a single command:
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
The src-mac check compares the source MAC address in the Ethernet header against the sender hardware
address in the ARP body, for both requests and responses. The dst-mac check compares the destination MAC
address in the Ethernet header against the target hardware address in the ARP body, for responses only.
The ip check drops packets carrying invalid or unexpected addresses in the ARP body (0.0.0.0,
255.255.255.255 and IP multicast addresses); sender IP addresses are checked in all packets and target IP
addresses only in responses.
This example shows how to configure source MAC validation. Packets are dropped and an error message
might be generated when the source address in the Ethernet header does not match the sender hardware
address in the ARP body:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip arp inspection validate src-mac
Switch(config)# exit
To change the default configuration of ARP packet rate limiting, perform the following steps:
Step 1 Use the ip arp inspection limit interface command to modify the default rate of 15 pps. The
15 pps default applies to untrusted interfaces; trusted interfaces are not rate limited by default.
Use the rate pps option to specify an upper limit for the number of incoming packets processed per
second. The range is 0 to 2048 pps.
With the burst interval seconds option, you can specify the consecutive interval in seconds over
which the interface is monitored for a high rate of ARP packets. The range is 1 to 15, and by default
the burst interval is set to 1 second.
Use rate none to specify no upper limit for the rate of incoming ARP packets that can be processed.
This is equivalent to disabling ARP packet rate limiting.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the interface in
the error-disabled state; it stays there until you bring it up manually or enable automatic recovery
with the errdisable recovery cause arp-inspection global configuration command:
Switch(config)# interface interface-id
Switch(config-if)# [no] ip arp inspection limit {rate pps [burst interval seconds] | none}
Switch(config-if)# exit
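The decisions that the three procedures above configure (the ARP ACL applied with or without static, the optional src-mac, dst-mac and ip validations, and the per-interface rate limit with its burst interval) are modeled here as an added Python example. This is not Cisco's code and does not run on a switch: the sliding-window rate limiter, the (verdict, reason) return values, the acl and bindings data structures, and every frame built with build_arp are assumptions constructed for illustration. The frames reuse the TrustedHosts values from the example above (170.1.1.2 and 2.2.2 on untrusted port fa3/48).

```python
import ipaddress
import struct
from collections import deque
from dataclasses import dataclass, field

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BAD_IPS = {ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")}

def mac_bytes(s):
    """Accept 'aa:bb:cc:dd:ee:ff' or Cisco dotted form ('2.2.2' is '0002.0002.0002')."""
    if "." in s:
        return b"".join(int(p, 16).to_bytes(2, "big") for p in s.split("."))
    return bytes.fromhex(s.replace(":", ""))

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed Ethernet II + ARP frame (sample data, not a capture)."""
    hdr = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    body += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return hdr + body

def parse_arp(frame):
    """Extract the Ethernet header and ARP body fields that DAI compares."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    b = frame[22:42]
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
            "sha": b[0:6], "spa": ipaddress.IPv4Address(b[6:10]),
            "tha": b[10:16], "tpa": ipaddress.IPv4Address(b[16:20])}

@dataclass
class RateLimiter:
    """'ip arp inspection limit rate <pps> burst interval <s>' as an assumed sliding window:
    more than rate*burst frames inside burst seconds err-disables the interface until recovered."""
    rate: int = 15        # default on untrusted interfaces; None stands for 'rate none'
    burst: int = 1
    seen: dict = field(default_factory=dict)
    down: set = field(default_factory=set)
    def admit(self, ifname, now):
        if self.rate is None:
            return True
        if ifname in self.down:
            return False
        q = self.seen.setdefault(ifname, deque())
        q.append(now)
        while q[0] <= now - self.burst:        # drop timestamps outside the window
            q.popleft()
        if len(q) > self.rate * self.burst:
            self.down.add(ifname)
            return False
        return True

def validate(a, checks):
    """Optional 'ip arp inspection validate' checks; returns the first failing one or None."""
    if "src-mac" in checks and a["eth_src"] != a["sha"]:
        return "src-mac"
    if "dst-mac" in checks and a["op"] == ARP_REPLY and a["eth_dst"] != a["tha"]:
        return "dst-mac"
    if "ip" in checks:  # sender IP in every packet, target IP in replies only
        addrs = [a["spa"]] + ([a["tpa"]] if a["op"] == ARP_REPLY else [])
        if any(x in BAD_IPS or x.is_multicast for x in addrs):
            return "ip"
    return None

def acl_lookup(acl, spa, sha):
    """First ACE whose sender IP and sender MAC both match wins; None is the implicit deny."""
    for action, ip, mac in acl:
        if ipaddress.IPv4Address(ip) == spa and mac == sha:
            return action
    return None

def inspect(frame, ifname, trusted, acl, static, bindings, checks, limiter, now):
    """Return (verdict, reason) for one ARP frame on ifname. acl is a list of (action, sender_ip,
    sender_mac); static mirrors the keyword (no ACE match drops instead of consulting bindings)."""
    if trusted:
        return ("forward", "trusted")
    if not limiter.admit(ifname, now):
        return ("errdisable", "rate")
    a = parse_arp(frame)
    failed = validate(a, checks)
    if failed:
        return ("drop", failed)
    action = acl_lookup(acl, a["spa"], a["sha"])
    if action is not None:
        return ("forward" if action == "permit" else "drop", "acl")
    if static:
        return ("drop", "static")
    if bindings.get(str(a["spa"])) == a["sha"]:
        return ("forward", "binding")
    return ("drop", "no-match")

if __name__ == "__main__":  # constructed request matching the page's TrustedHosts entry
    acl = [("permit", "170.1.1.2", mac_bytes("2.2.2"))]
    req = build_arp("ff:ff:ff:ff:ff:ff", "2.2.2", ARP_REQUEST, "2.2.2", "170.1.1.2", "0000.0000.0000", "170.1.1.1")
    print(inspect(req, "fa3/48", False, acl, True, {}, {"src-mac"}, RateLimiter(), 0.0))
```

The instructive case is a frame whose ARP body carries the permitted 170.1.1.2 / 2.2.2 pair but whose Ethernet source is some other station: the ACL alone forwards it, and only the src-mac validation catches it, which is why the validate step is worth enabling alongside the ACL.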