ARP Snooping on the L3 switch

David Lin
Level 1

We are using non-DHCP in our network environment. I want to avoid ARP spoofing on the switches. But I found at least three approaches related to it,

1. DAI+ARP ACL: ip arp inspection filter ACL vlan IDs

2. IP-MAC binding: arp IP address H.H.H arpa

3. IP-MAC-Port binding: such as

ip source binding H.H.H vlan 100 ip address interface Gi1/x

Is there any difference on these? Thank you.


padramas
Cisco Employee

Hello David,

You can also take a look at configuring port security if you want to restrict the hosts connected to the switch based on MAC addresses

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swtrafc.html#wp1038501

HTH

Padmanabhan

Istvan_Rabai
Level 7

Hi David,

1. and 2. are together:

You configure an ARP ACL (static IP-MAC bindings)(2.)

Then you apply it to the arp inspection process (1.)

3. "ip source binding" is used in IP Source Guard to define IP-MAC bindings.

Cheers:

Istvan

Hi Istvan,

Thanks for your reply.

option 1: I got the reference configuration as below,

Switch(config)# arp access-list host2

Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host H.H.H

Switch(config-arp-acl)# exit

Switch(config)# ip arp inspection filter host2 vlan 1

For option 2, which I am using now, I just configured it as below independently,

arp 1.1.1.1 H.H.H ARPA

So I thought 1 and 2 were separate.

Also, does IP Source Guard help to avoid ARP spoofing, because it binds the MAC address as well?

Thanks.
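The three mechanisms discussed in this thread behave differently because they look at different things: DAI with an ARP ACL inspects transit ARP packets on untrusted ports, a static `arp` entry only pins the switch's own ARP table, and IP Source Guard filters IP traffic (not ARP) against IP-MAC-port bindings. The following is a constructed Python model added here to make that difference concrete; it is not code from the thread or from Cisco, and the hosts, MAC addresses, VLAN and interface names are made up. It assumes the attacker sits on an untrusted access port and that the DAI filter is applied with the `static` keyword, so packets that match no permit line are dropped without a DHCP snooping lookup.

```python
from dataclasses import dataclass

# Constructed sample topology (assumption, not from the thread): one legitimate
# host and one attacker in the same VLAN, both on untrusted access ports.
LEGIT_MAC, ATTACKER_MAC = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb"
VLAN = 100


@dataclass(frozen=True)
class Frame:
    port: str        # ingress interface
    vlan: int
    src_mac: str     # Ethernet source / ARP sender hardware address
    kind: str        # "arp" (request or reply) or "ip"
    sender_ip: str   # ARP sender protocol address, or IP source address


class ArpAcl:
    """Models `arp access-list NAME` built from
    `permit ip host A.B.C.D mac host H.H.H` lines; anything else is denied."""
    def __init__(self):
        self.permits = set()

    def permit(self, ip, mac):
        self.permits.add((ip, mac))


def dai_permits(frame, acl):
    """Dynamic ARP Inspection with `ip arp inspection filter NAME vlan N static`
    on an untrusted port: each ARP packet's sender IP/MAC pair is checked
    against the ARP ACL and dropped if no permit line matches. DAI never
    examines non-ARP traffic."""
    if frame.kind != "arp":
        return True
    return (frame.sender_ip, frame.src_mac) in acl.permits


class IpSourceGuard:
    """Models `ip source binding H.H.H vlan N A.B.C.D interface Gi1/x` with
    `ip verify source` on the port. IPSG filters IP packets by source address
    and ingress port (and by MAC in port-security mode); it does not look at
    ARP at all."""
    def __init__(self, check_mac=False):
        self.bindings = set()
        self.check_mac = check_mac

    def bind(self, mac, vlan, ip, port):
        self.bindings.add((mac, vlan, ip, port))

    def permits(self, frame):
        if frame.kind == "arp":
            return True  # ARP is not IP traffic, so IPSG lets it through
        for mac, vlan, ip, port in self.bindings:
            if (vlan, ip, port) == (frame.vlan, frame.sender_ip, frame.port):
                return (not self.check_mac) or mac == frame.src_mac
        return False


class ArpCache:
    """An ARP table that learns from ARP traffic. `arp A.B.C.D H.H.H arpa`
    pins a static entry in the switch's own table only; it does nothing for
    ARP frames the switch forwards between hosts in the VLAN."""
    def __init__(self):
        self.entries, self.static = {}, set()

    def add_static(self, ip, mac):
        self.entries[ip] = mac
        self.static.add(ip)

    def learn(self, frame):
        if frame.kind == "arp" and frame.sender_ip not in self.static:
            self.entries[frame.sender_ip] = frame.src_mac


def run_scenario():
    """Replay a legitimate ARP, a spoofed ARP and a spoofed-source IP packet
    through each mechanism and report what got through (constructed input)."""
    legit_arp = Frame("Gi1/1", VLAN, LEGIT_MAC, "arp", "1.1.1.1")
    spoof_arp = Frame("Gi1/2", VLAN, ATTACKER_MAC, "arp", "1.1.1.1")  # poisoning
    spoof_ip = Frame("Gi1/2", VLAN, ATTACKER_MAC, "ip", "1.1.1.1")    # IP spoofing

    acl = ArpAcl()
    acl.permit("1.1.1.1", LEGIT_MAC)
    ipsg = IpSourceGuard()
    ipsg.bind(LEGIT_MAC, VLAN, "1.1.1.1", "Gi1/1")

    switch_cache, host_cache = ArpCache(), ArpCache()
    switch_cache.add_static("1.1.1.1", LEGIT_MAC)  # the `arp ... arpa` line
    for f in (legit_arp, spoof_arp):
        switch_cache.learn(f)
        host_cache.learn(f)  # another host in the VLAN has no static entry

    return {
        "dai_legit_arp": dai_permits(legit_arp, acl),
        "dai_spoof_arp": dai_permits(spoof_arp, acl),
        "ipsg_spoof_arp": ipsg.permits(spoof_arp),
        "ipsg_spoof_ip": ipsg.permits(spoof_ip),
        "switch_cache": switch_cache.entries["1.1.1.1"],
        "host_cache": host_cache.entries["1.1.1.1"],
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

In the model, DAI drops the spoofed ARP reply, IP Source Guard passes it (but drops the spoofed-source IP packet), and the static `arp` entry keeps only the switch's own table correct while the other host's cache is poisoned. That is the practical distinction between the three options: only DAI (fed by an ARP ACL or the DHCP snooping table) stops ARP spoofing between hosts in the VLAN.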
