25-10
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 25 Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP 
ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global 
configuration command.
This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and to configure port 1 on Switch A as untrusted:
Switch(config)# arp access-list host2
Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 1.1.1
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter host2 vlan 1
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no ip arp inspection trust
Limiting the Rate of Incoming ARP Packets
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of 
incoming ARP packets is rate-limited to prevent a denial-of-service attack.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you enable error-disabled recovery so that ports automatically emerge from this state after a specified timeout period.
Note Unless you configure a rate limit on an interface, changing the trust state of the interface also changes 
its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains 
the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface 
configuration command, the interface reverts to its default rate limit.
Step 7
Command: no ip arp inspection trust
Purpose: Configure the Switch A interface that is connected to Switch B as untrusted.
By default, all interfaces are untrusted.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command. For more information, see the “Configuring the Log Buffer” section on page 25-13.
Step 8
Command: end
Purpose: Return to privileged EXEC mode.
Step 9
Commands: show arp access-list [acl-name]
          show ip arp inspection vlan vlan-range
          show ip arp inspection interfaces
Purpose: Verify your entries.
Step 10
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.