ARP Snooping on the L3 switch

Unanswered Question
Mar 28th, 2008

We are using non-DHCP in our network environment. I want to avoid ARP spoofing on the switches. But I found at least three approaches related to it:

1. DAI+ARP ACL: ip arp inspection filter ACL vlan IDs

2. IP-MAC binding: arp IP address H.H.H arpa

3. IP-MAC-Port binding: such as

ip source binding H.H.H vlan 100 ip address interface Gi1/x

Is there any difference between these? Thank you.

Istvan_Rabai Fri, 03/28/2008 - 10:13

Hi David,

1 and 2. are together:

You configure an ARP ACL (static IP-MAC bindings)(2.)

Then you apply it to the arp inspection process (1.)

3. "ip source binding" is used in IP Source Guard to define IP-MAC bindings.



David Lin Fri, 03/28/2008 - 11:34

Hi Istvan,

Thanks for your reply.

Option 1: I got the reference configuration as below,

Switch(config)# arp access-list host2

Switch(config-arp-acl)# permit ip host mac host H.H.H

Switch(config-arp-acl)# exit

Switch(config)# ip arp inspection filter host2 vlan 1

For option 2 which I am using now, I just configured as below independently,

arp H.H.H ARPA

So I thought 1 and 2 are separate.

Also, does IP Source Guard help to avoid ARP spoofing, coz it binds the MAC address as well?
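
Added example, not part of the thread and not Cisco's implementation: a simplified Python model of the check that ARP inspection applies when an ARP ACL is attached as in option 1, comparing the sender IP and MAC carried inside each ARP packet on an untrusted port with the static bindings. The addresses, the binding table and all function names are constructed for illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload, 28 bytes

# Constructed bindings, standing in for "permit ip host <ip> mac host <mac>" lines.
ARP_ACL = {("10.0.100.10", "0011.2233.4455"), ("10.0.100.1", "00aa.bbcc.ddee")}

def cisco_mac(raw: bytes) -> str:
    """Format 6 raw bytes in the H.H.H notation used in the switch config."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def parse_arp(payload: bytes) -> dict:
    """Parse an ARP payload; raise ValueError if it is not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper,
            "sender_mac": cisco_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": cisco_mac(tha), "target_ip": socket.inet_ntoa(tpa)}

def inspect(payload: bytes, trusted_port: bool = False) -> str:
    """Return 'forward' or 'drop' for one ARP packet (simplified model)."""
    if trusted_port:          # trusted interfaces are not inspected
        return "forward"
    try:
        arp = parse_arp(payload)
    except ValueError:
        return "drop"
    # The binding is checked against the ARP *payload* sender fields,
    # which is where a spoofed IP-to-MAC claim is carried.
    key = (arp["sender_ip"], arp["sender_mac"])
    return "forward" if key in ARP_ACL else "drop"

def build_arp(oper, s_mac, s_ip, t_mac, t_ip) -> bytes:
    """Build a constructed ARP payload for the samples below."""
    mac = lambda m: bytes.fromhex(m.replace(".", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(s_mac),
                       socket.inet_aton(s_ip), mac(t_mac), socket.inet_aton(t_ip))

# Constructed samples: a reply that matches a binding, and one that claims
# the gateway IP with a MAC that is not bound to it.
LEGIT = build_arp(2, "0011.2233.4455", "10.0.100.10", "00aa.bbcc.ddee", "10.0.100.1")
SPOOF = build_arp(2, "0066.7788.9900", "10.0.100.1", "0011.2233.4455", "10.0.100.10")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("spoof", SPOOF)):
        print(name, inspect(pkt))
```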


