Name: Cisco IE-3000-8TC
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

24-3

Cisco IE 3000 Switch Software Configuration Guide

OL-13018-03

Chapter 24 Configuring Dynamic ARP Inspection

Understanding Dynamic ARP Inspection

You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets

are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses

specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global

configuration command. For more information, see the

“Performing Validation Checks” section on

page 24-12.

Interface Trust States and Network Security

Dynamic ARP inspection associates a trust state with each interface on the switch. Packets arriving on

trusted interfaces bypass all dynamic ARP inspection validation checks, and those arriving on untrusted

interfaces undergo the dynamic ARP inspection validation process.

In a typical network configuration, you configure all switch ports connected to host ports as untrusted

and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets

entering the network from a given switch bypass the security check. No other validation is needed at any

other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection

trust interface configuration command.

Caution Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be

trusted can result in a loss of connectivity.

In Figure 24-2, assume that both Switch A and Switch B are running dynamic ARP inspection on the

VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP

server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the

interface between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by

Switch B. Connectivity between Host 1 and Host 2 is lost.

Figure 24-2 ARP Packet Validation on a VLAN Enabled for Dynamic ARP Inspection

Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the

network. If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache

of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can

occur even though Switch B is running dynamic ARP inspection.

DHCP server

Switch A Switch B

Host 1

Host 2

Port 1 Port 3

111751

Cisco IE-3000-8TC User Manual

Other manuals for Cisco IE-3000-8TC