
Cisco 4500M User Manual

34-9
Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
Chapter 34 Understanding and Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
The statistics will display as follows:
S2# show ip arp inspection statistics vlan 1

 Vlan      Forwarded        Dropped     DHCP Drops     ACL Drops
 ----      ---------        -------     ----------     ----------
    1              1              1              1              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    1              1              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures
 ----   -----------------   ----------------------
    1                   0                        0
S2#
Scenario Two: One Switch Supports Dynamic ARP Inspection
If switch S2 does not support DAI or DHCP snooping, configuring interface fa6/3 as trusted would leave
a security hole because both S1 and H1 could be attacked by either S2 or H2. To prevent this possibility,
you must configure interface fa6/3 as untrusted. To permit ARP packets from H2, you must set up an
ARP ACL and apply it to VLAN 1. If the IP address of H2 is not static, such that it is impossible to apply
the ACL configuration on S1, S1 and S2 must be separated at Layer 3, that is, have a router routing
packets between S1 and S2.
To set up an ARP ACL on switch S1, follow these steps:
Step 1 Set up the access list to permit the IP address 1.1.1.1 and the MAC address 0001.0001.0001, and verify
the configuration:
S1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)# arp access-list H2
S1(config-arp-nacl)# permit ip host 1.1.1.1 mac host 1.1.1
S1(config-arp-nacl)# end
S1# show arp access-list
ARP access list H2
    permit ip host 1.1.1.1 mac host 0001.0001.0001
Step 2 Apply the ACL to VLAN 1, and verify the configuration:
S1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)# ip arp inspection filter H2 vlan 1
S1(config)# end
S1#
S1# show ip arp inspection vlan 1
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active      H2                 No
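
The following Python model is an added example, not part of the Cisco manual and not Cisco code. It is a simplified model of how DAI decides on an ARP packet arriving on fa6/3 in Scenario Two: host entries in the ARP ACL are checked first, then the DHCP snooping bindings unless the filter is static. The function names, the H1 address and the binding entry are constructed for the illustration.

```python
import re

def norm_mac(mac):
    """Expand an IOS dotted-hex MAC: '1.1.1' -> '0001.0001.0001'."""
    mac = mac.lower()
    if not re.fullmatch(r"[0-9a-f]{1,4}(\.[0-9a-f]{1,4}){2}", mac):
        raise ValueError(f"not an IOS-style MAC address: {mac!r}")
    return ".".join(group.zfill(4) for group in mac.split("."))

def dai_verdict(sender_ip, sender_mac, *, trusted, arp_acl, dhcp_bindings,
                static_acl=False):
    """Return (action, counter) for one ARP packet.

    arp_acl is an ordered list of (action, ip, mac) host entries and
    dhcp_bindings maps ip -> mac. Simplified: host-only ACL entries.
    """
    if trusted:
        return ("forward", "not inspected")      # trusted ports bypass DAI
    mac = norm_mac(sender_mac)
    for action, ip, acl_mac in arp_acl:           # ARP ACL takes precedence
        if ip == sender_ip and norm_mac(acl_mac) == mac:
            if action == "permit":
                return ("forward", "ACL permit")
            return ("drop", "ACL drop")
    if static_acl:                                # implicit deny is final
        return ("drop", "ACL drop")
    bound = dhcp_bindings.get(sender_ip)          # fall through to snooping table
    if bound is not None and norm_mac(bound) == mac:
        return ("forward", "DHCP permit")
    return ("drop", "DHCP drop")

# Constructed inputs mirroring Scenario Two (ACL H2 as typed in Step 1).
ACL_H2 = [("permit", "1.1.1.1", "1.1.1")]
BINDINGS = {"1.1.1.2": "0002.0002.0002"}          # assumed snooping entry for H1

def demo(trusted=False, static_acl=False):
    packets = [
        ("1.1.1.1", "0001.0001.0001"),            # H2, matches the ARP ACL
        ("1.1.1.1", "00aa.00aa.00aa"),            # H2's IP, wrong MAC
        ("1.1.1.2", "0001.0001.0001"),            # H1's IP claimed from behind S2
        ("1.1.1.2", "0002.0002.0002"),            # matches H1's snooping binding
    ]
    return [dai_verdict(ip, mac, trusted=trusted, arp_acl=ACL_H2,
                        dhcp_bindings=BINDINGS, static_acl=static_acl)
            for ip, mac in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Calling `demo(trusted=True)` shows the hole the text describes: with fa6/3 trusted, all four packets are forwarded, including the two with mismatched bindings.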