Technical Manual

certain man-in-the-middle attacks.
Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch
performs these activities:
Intercepts all ARP requests and responses on untrusted ports
Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before it
updates the local ARP cache or before it forwards the packet to the appropriate destination
Drops invalid ARP packets
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address
bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP
snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a
trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch
forwards the packet only if it is valid.
In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured
ARP ACLs for hosts with statically configured IP addresses. You can issue the arp access-list global
configuration command in order to define an ARP ACL. ARP ACLs take precedence over entries in the
DHCP snooping binding database. The switch uses ACLs only if you issue the ip arp inspection filter vlan
global configuration command in order to configure the ACLs. The switch first compares ARP packets to
user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even
if a valid binding exists in the database populated by DHCP snooping.
Refer to Dynamic ARP Inspection Configuration Guidelines for the guidelines on how to configure dynamic
ARP inspection.
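As an added illustration, not code from the Cisco document, the following Python models the decision order described above: a trusted interface bypasses all checks, the ARP ACL is consulted before the DHCP snooping binding database, and an explicit ACL deny drops the packet even when a valid binding exists. The port names, binding entries, ACL entries and the handling of the filter command's `static` keyword (implicit deny treated as final, bindings not consulted) are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    ingress_port: str
    sender_ip: str
    sender_mac: str

@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    ip: str      # exact sender IP or "any"
    mac: str     # exact sender MAC or "any"

    def matches(self, pkt: ArpPacket) -> bool:
        return self.ip in ("any", pkt.sender_ip) and self.mac in ("any", pkt.sender_mac)

# Constructed sample state modelled on the document's topology: only the port to the
# DHCP server (FastEthernet1/0/3) is trusted; every other port is untrusted.
TRUSTED_PORTS = {"FastEthernet1/0/3"}
# DHCP snooping binding database, (vlan, ip) -> mac, as built from observed leases.
BINDINGS: Dict[Tuple[int, str], str] = {
    (1, "10.0.1.20"): "00aa.bb00.0020",
    (1, "10.0.1.21"): "00aa.bb00.0021",
}
# ARP ACL applied with 'ip arp inspection filter <acl> vlan 1' for a static host,
# plus an explicit deny that must win even though 10.0.1.21 has a valid lease.
ARP_ACL: List[AclEntry] = [
    AclEntry("permit", "10.0.1.50", "00aa.bb00.0050"),
    AclEntry("deny", "10.0.1.21", "any"),
]

def inspect(pkt: ArpPacket, trusted=TRUSTED_PORTS, bindings=BINDINGS,
            acl=ARP_ACL, acl_static=False) -> Tuple[str, str]:
    """Return (verdict, reason) following the order the text describes."""
    if pkt.ingress_port in trusted:
        return "forward", "trusted interface, no checks"
    for entry in acl:                      # ACL is consulted before the bindings
        if entry.matches(pkt):
            return ("forward" if entry.action == "permit" else "drop"), f"arp acl {entry.action}"
    if acl_static:                         # 'static': implicit deny is final (assumed semantics)
        return "drop", "no acl match, static acl"
    if bindings.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac:
        return "forward", "valid dhcp snooping binding"
    return "drop", "no valid ip-to-mac binding"
```

Note that a packet on an untrusted port whose sender IP has a lease but arrives with a different MAC is dropped, which is the spoofing case DAI exists to stop.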
The ip arp inspection vlan global configuration command is issued in order to enable dynamic ARP
inspection on a per-VLAN basis. Here, only the FastEthernet interface 1/0/3 connected to the DHCP server is
configured as trusted with the ip arp inspection trust command. DHCP snooping must be enabled in order to
permit ARP packets that have dynamically assigned IP addresses. See the DHCP Snooping section of this
document for DHCP snooping configuration information.
Dynamic ARP Inspection
Cat3750#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cat3750(config)#ip arp inspection vlan 1
!--- Enables dynamic ARP inspection on the VLAN.
Cat3750(config)#interface fastEthernet 1/0/3
Cat3750(config-if)#ip arp inspection trust
!--- Configures the interface connected to the DHCP server as trusted.
Cat3750#show ip arp inspection vlan 1

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Deny             Deny