Leaflet
51
OL-11615-01
Switch(config)# arp access-list acl-name
Switch(config-arp)# permit ip host sender-ip mac host sender-mac [log]
Switch(config-arp)# exit
Step 2 Apply the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN. Use the 
ip arp inspection filter command:
Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [static]
Step 3 Configure the port trust state. By default, all interfaces are untrusted. Use the ip arp inspection trust 
command. To make the interfaces untrusted, use the no ip arp inspection trust command:
Switch(config)# interface interface-id
Switch(config-if)# [no] ip arp inspection trust
This example shows how to configure an ARP ACL called TrustedHosts, to permit ARP packets from a 
host with IP address 170.1.1.2 and MAC address 2.2.2, to apply the ACL to VLAN 100, and to configure 
interface fastethernet3/48 on the switch as untrusted:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# arp access-list TrustedHosts
Switch(config-arp-nacl)# permit ip host 170.1.1.2 mac host 2.2.2
Switch(config-arp-nacl)# exit
Switch(config)# ip arp inspection filter TrustedHosts vlan 100 static
Switch(config)# interface fa3/48
Switch(config-if)# no ip arp inspection trust
Switch(config-if)# end
To optionally configure DAI additional checks on destination MAC addresses, sender and target IP 
addresses, or source MAC addresses, use the ip arp inspection validate global configuration command:
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
This example shows how to configure source MAC validation. Packets are dropped and an error message 
might be generated when the source address in the Ethernet header does not match the sender hardware 
address in the ARP body:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip arp inspection validate src-mac
Switch(config)# exit
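As an added illustration (not from the Cisco document), the following Python model applies the checks described above to a constructed ARP frame: the ARP ACL match on sender IP and sender MAC, the fall-through to DHCP snooping bindings when static is not set, and the src-mac and ip validation options. The static semantics (no fall-through) and the ip check follow Cisco's documented DAI behaviour, and the abbreviated MAC form 2.2.2 is read as 0002.0002.0002; frames and bindings are constructed test data.

```python
import struct
from ipaddress import IPv4Address
ARP_REPLY = 2  # ARP opcode for a reply

def mac_bytes(s: str) -> bytes:
    """Accept 00:02:00:02:00:02 or Cisco dotted form; 2.2.2 is read as 0002.0002.0002."""
    if "." in s:
        return bytes.fromhex("".join(g.zfill(4) for g in s.split(".")))
    return bytes.fromhex(s.replace(":", ""))

def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, op=ARP_REPLY,
                    eth_dst="ff:ff:ff:ff:ff:ff", target_mac="00:00:00:00:00:00"):
    """Constructed Ethernet II + ARP frame used as test input (not a real capture)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + b"\x08\x06"
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    body += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    body += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + body

def parse_arp(frame: bytes) -> dict:
    """Pull out the Ethernet and ARP-body fields that DAI compares."""
    if frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    return {"eth_src": frame[6:12], "op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": frame[22:28], "sender_ip": IPv4Address(frame[28:32]),
            "target_ip": IPv4Address(frame[38:42])}

def _bad_ip(a: IPv4Address) -> bool:
    return a in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or a.is_multicast

def _pairs(entries):
    return {(IPv4Address(ip), mac_bytes(m)) for ip, m in entries}

def dai_check(frame, acl, static=False, bindings=(), validate=()):
    """acl and bindings are (ip, mac) pairs; validate is a subset of {"src-mac", "ip"}.
    Returns (verdict, reason)."""
    p = parse_arp(frame)
    if "src-mac" in validate and p["eth_src"] != p["sender_mac"]:
        return ("drop", "src-mac: Ethernet source != ARP sender hardware address")
    if "ip" in validate and (_bad_ip(p["sender_ip"]) or
                             (p["op"] == ARP_REPLY and _bad_ip(p["target_ip"]))):
        return ("drop", "ip: invalid sender or target IP address")
    key = (p["sender_ip"], p["sender_mac"])
    if key in _pairs(acl):
        return ("permit", "matched ARP ACL permit entry")
    if static:  # implicit deny becomes explicit: DHCP snooping bindings are not consulted
        return ("drop", "no ARP ACL match (static)")
    if key in _pairs(bindings):
        return ("permit", "matched DHCP snooping binding")
    return ("drop", "no ARP ACL match and no DHCP snooping binding")
```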
To change the default configuration of ARP packet rate limiting, perform the following steps:
Step 1 Use the ip arp inspection limit interface command to modify the default rate of 15 pps. 
  • Use the rate pps option to specify an upper limit for the number of incoming packets processed per 
second. The range is 0 to 2048 pps. 
  • With the burst interval seconds option, you can specify the consecutive interval in seconds, over 
which the interface is monitored for a high rate of ARP packets. The range is 1 to 15, and by default 
the burst interval is set to 1 second. 
  • Use rate none to specify no upper limit for the rate of incoming ARP packets that can be processed. 
This is equivalent to disabling ARP packet rate limiting:
Switch(config)# interface interface-id
Switch(config-if)# [no] ip arp inspection limit {rate pps [burst interval seconds] | none}
Switch(config-if)# exit