
Cisco 4500M User Manual

34-5
Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
Chapter 34 Understanding and Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
This section includes these scenarios:
• Scenario One: Two Switches Support Dynamic ARP Inspection, page 34-5
• Scenario Two: One Switch Supports Dynamic ARP Inspection, page 34-9
Scenario One: Two Switches Support Dynamic ARP Inspection
Assume that there are two switches, S1 and S2, with hosts H1 and H2 attached, respectively. Both S1 and
S2 are running DAI on VLAN 1 where the hosts are located. The S1 interface fa6/3 is connected to the
S2 interface fa3/3, and a DHCP server is connected to S1. Both hosts acquire their IP addresses from the
same DHCP server. Therefore, S1 has the binding for H1 and H2, and S2 has the binding for host H2.
To make the setup effective, you must configure the interface fa3/3 on S2 to be trusted. (You can leave
interface fa6/3 on S1 as untrusted.) If the DHCP server is moved from S1 to a different location, however,
the configuration will not work. To ensure that this setup works permanently, without compromising
security, you must configure both interfaces fa6/3 on S1 and fa3/3 on S2 as trusted.
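
The trust reasoning above can be checked with a small model. This Python sketch is an added example, not part of the Cisco manual; it assumes DAI on an untrusted port matches only VLAN, IP, and MAC against the local DHCP snooping bindings, and that moving the DHCP server means S1 no longer learns H2's binding. The host addresses and access-port names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    trusted: set = field(default_factory=set)   # interfaces configured as DAI-trusted
    bindings: set = field(default_factory=set)  # (vlan, ip, mac) learned by DHCP snooping

    def inspect(self, ingress, vlan, ip, mac):
        """Return True if an ARP packet arriving on `ingress` is forwarded."""
        if ingress in self.trusted:
            return True                          # trusted ports are not inspected
        return (vlan, ip, mac) in self.bindings  # untrusted: must match a binding

# Constructed sample hosts in VLAN 1 (addresses are illustrative, not from the manual).
H1 = (1, "10.0.0.1", "0000.0000.0001")
H2 = (1, "10.0.0.2", "0000.0000.0002")

def build(s1_trust=(), s2_trust=(), dhcp_on_s1=True):
    """Scenario One topology. Assumption: S1 holds H2's binding only while
    the DHCP server is attached to S1."""
    s1 = Switch("S1", set(s1_trust), {H1, H2} if dhcp_on_s1 else {H1})
    s2 = Switch("S2", set(s2_trust), {H2})
    return s1, s2

def h1_to_h2(s1, s2):
    """ARP from H1: enters S1 on its access port, then S2 on fa3/3."""
    return s1.inspect("access-H1", *H1) and s2.inspect("fa3/3", *H1)

def h2_to_h1(s1, s2):
    """ARP from H2: enters S2 on its access port, then S1 on fa6/3."""
    return s2.inspect("access-H2", *H2) and s1.inspect("fa6/3", *H2)

def reachability(**kw):
    """Return (H1->H2 forwarded, H2->H1 forwarded) for a given trust setup."""
    s1, s2 = build(**kw)
    return h1_to_h2(s1, s2), h2_to_h1(s1, s2)

if __name__ == "__main__":
    both = dict(s1_trust=["fa6/3"], s2_trust=["fa3/3"])
    print("no trust:          ", reachability())
    print("S2 fa3/3 trusted:  ", reachability(s2_trust=["fa3/3"]))
    print("same, DHCP moved:  ", reachability(s2_trust=["fa3/3"], dhcp_on_s1=False))
    print("both trusted, moved", reachability(dhcp_on_s1=False, **both))
```
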
Configuring Switch S1
To enable DAI and configure fa6/3 on S1 as trusted, follow these steps:
Step 1 Verify the connection between switches S1 and S2:

S1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
S2               Fas 6/3            177         R S I     WS-C4006  Fas 3/3
S1#

Step 2 Enable DAI on VLAN 1 and verify the configuration:

S1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)# ip arp inspection vlan 1
S1(config)# end
S1# show ip arp inspection vlan 1

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Deny             Deny
S1#
