Shulou(Shulou.com)06/01 Report--

Ip dhcp snooping + ip arp inspection

1.Ip arp inspection

Configuring Dynamic ARP Inspection in DHCP Environments

This example shows how to configure dynamic ARP inspection on Switch A in VLAN 1. You would perform a similar procedure on Switch B:

Switch(config)# ip arp inspection vlan 1

Switch(config)# interface gigabitethernet 0/1

Switch(config-if)# ip arp inspection trust

Other untrusted ports need to judge whether the ARP packet is legitimate according to the mac and ip mapping table obtained from dhcp snooping.

Configuring ARP ACLs for Non-DHCP Environments

This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and to configure port 1 on Switch A as untrusted:

Switch(config)# arp access-list host2

Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 1.1.1

Switch(config-arp-acl)# exit

Switch(config)# ip arp inspection filter host2 vlan 1

Switch(config)# interface gigabitethernet 0/1

Switch(config-if)# no ip arp inspection trust//trust was configured before, now it is untrusted

Port1 is an untrusted port, but allows ARP packets from host2 to pass through the mapping table without matching Ip to MAC. Is this table obtained through dhcp snooping, and host2 is statically configured not Ip, not dynamically obtained through dhcp, so the table has no relevant records. You cannot rely on this to detect ARP packets.

2.ip dhcp snooping

Trusted ports can initiate all DHCP messages, while untrusted ports can only initiate request messages. This feature can be used in conjunction with DHCP Option 82, which inserts the port ID of a DHCP request into a DHCP request packet.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.