
Yusuf Bhaiji

"Network Security Technologies and Solutions"


Use the arp access-list [acl-name] command from the global configuration mode on the switch to define an ARP ACL, and apply the ARP ACL to the specified VLANs on the switch.

Example 4-12 shows how to configure an ARP ACL to permit ARP packets from host IP address 10.1.1.11 with MAC address 0011.0011.0011 and how to apply this ACL to VLAN 5 with the interface configured as untrusted.

Example 4-12. DAI in a Non-DHCP Environment Configuration Example

Switch(config)# arp access-list arpacl
Switch(config-arp-acl)# permit ip host 10.1.1.11 mac host 0011.0011.0011
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter arpacl vlan 5
Switch(config)# interface GigabitEthernet1/0/2
Switch(config-if)# no ip arp inspection trust

Use the show ip arp inspection vlan [vlan# or range] command to verify the configuration.
Rate Limiting Incoming ARP Packets

Because the switch CPU performs the DAI, there is a potential for an ARP flooding denial-of-service (DoS) attack resulting in performance degradation. To prevent this, ARP packets can be rate limited using the ip arp inspection limit command from the interface configuration mode to limit the rate of incoming ARP requests and responses.
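The following Python model, added here as an illustration and not taken from the book or from any Cisco software, replays Example 4-12 against constructed ARP traffic to show the two decisions this section describes: the ARP ACL check that DAI applies to packets arriving on untrusted ports in a non-DHCP environment, and the per-interface rate limit that protects the switch CPU. The DaiVlan, Interface and ArpPacket names, the 15 packets-per-second default for untrusted ports, the trusted uplink GigabitEthernet1/0/1, the one-second sliding window, and the fallback to DHCP snooping bindings when the ACL has no match (unless the filter is static) are modelling assumptions that simplify the real switch behaviour.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    """One ARP request or reply as DAI sees it: sender binding, ingress port, arrival time."""
    sender_ip: str
    sender_mac: str
    port: str
    t: float  # arrival time in seconds


@dataclass
class Interface:
    """Per-port DAI state: trust flag, rate limit (None = unlimited), err-disable latch."""
    trusted: bool = False
    rate_limit_pps: Optional[int] = 15   # assumed untrusted-port default; a parameter in this model
    burst_interval: float = 1.0          # window (seconds) over which packets are counted
    err_disabled: bool = False
    recent: Deque[float] = field(default_factory=deque)


class DaiVlan:
    """Model of DAI on one VLAN: ARP ACL first, then (unless 'static') the DHCP snooping table."""

    def __init__(self, acl_permits: List[Tuple[str, str]], static: bool = False,
                 dhcp_bindings: Optional[List[Tuple[str, str]]] = None) -> None:
        self.acl: Set[Tuple[str, str]] = {(ip, mac.lower()) for ip, mac in acl_permits}
        self.static = static
        self.dhcp_bindings: Set[Tuple[str, str]] = {
            (ip, mac.lower()) for ip, mac in (dhcp_bindings or [])}
        self.interfaces: Dict[str, Interface] = {}

    def add_interface(self, name: str, trusted: bool = False,
                      rate_limit_pps: Optional[int] = 15) -> None:
        # Trusted ports are not rate limited; untrusted ports get the configured limit.
        self.interfaces[name] = Interface(trusted=trusted,
                                          rate_limit_pps=None if trusted else rate_limit_pps)

    def _within_rate(self, iface: Interface, t: float) -> bool:
        """Sliding-window count of ARP packets; exceeding the limit err-disables the port."""
        if iface.rate_limit_pps is None:
            return True
        window = iface.recent
        window.append(t)
        while window and t - window[0] >= iface.burst_interval:
            window.popleft()
        if len(window) > iface.rate_limit_pps:
            iface.err_disabled = True
            return False
        return True

    def inspect(self, pkt: ArpPacket) -> str:
        """Return the DAI verdict for one packet, in the order the checks are applied here."""
        iface = self.interfaces[pkt.port]
        if iface.err_disabled:
            return "DROP: port err-disabled"
        if iface.trusted:
            return "PERMIT: trusted port, not inspected"
        if not self._within_rate(iface, pkt.t):
            return "DROP: ARP rate limit exceeded, port err-disabled"
        binding = (pkt.sender_ip, pkt.sender_mac.lower())
        if binding in self.acl:
            return "PERMIT: ARP ACL match"
        if self.static:
            return "DROP: implicit deny in ARP ACL (static)"
        if binding in self.dhcp_bindings:
            return "PERMIT: DHCP snooping binding match"
        return "DROP: no ARP ACL match and no DHCP snooping binding"


def run_example() -> Dict[str, object]:
    """Replay Example 4-12 (VLAN 5, ACL arpacl, Gi1/0/2 untrusted) against constructed traffic."""
    vlan5 = DaiVlan(acl_permits=[("10.1.1.11", "0011.0011.0011")])
    vlan5.add_interface("GigabitEthernet1/0/2", trusted=False)
    vlan5.add_interface("GigabitEthernet1/0/1", trusted=True)  # assumed uplink, not in the book
    results: Dict[str, object] = {}
    # Host with the permitted IP/MAC pair: allowed.
    results["valid"] = vlan5.inspect(
        ArpPacket("10.1.1.11", "0011.0011.0011", "GigabitEthernet1/0/2", 0.0))
    # Same MAC claiming another IP (constructed mismatch): no binding for it, dropped.
    results["spoofed"] = vlan5.inspect(
        ArpPacket("10.1.1.1", "0011.0011.0011", "GigabitEthernet1/0/2", 0.1))
    # Anything on a trusted port bypasses inspection.
    results["trusted"] = vlan5.inspect(
        ArpPacket("10.1.1.1", "aaaa.bbbb.cccc", "GigabitEthernet1/0/1", 0.2))
    # 20 otherwise-valid ARP packets within 0.2 s, after the earlier ones aged out of the window.
    flood = [vlan5.inspect(ArpPacket("10.1.1.11", "0011.0011.0011",
                                     "GigabitEthernet1/0/2", 5.0 + i * 0.01))
             for i in range(20)]
    results["flood_first_drop_index"] = next(i for i, v in enumerate(flood) if v.startswith("DROP"))
    results["port_err_disabled"] = vlan5.interfaces["GigabitEthernet1/0/2"].err_disabled
    return results


if __name__ == "__main__":
    for key, verdict in run_example().items():
        print(f"{key}: {verdict}")
```

Running the script shows the permitted host passing, the IP/MAC mismatch being dropped even though the MAC itself is known, the trusted port skipping inspection entirely, and the 16th packet in the burst tripping the limit and err-disabling the port, which is why a sensible ip arp inspection limit on untrusted access ports matters as much as the ACL itself.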

