ARP Snooping on the L3 switch

David Lin
Level 1

We are not using DHCP in our network environment. I want to prevent ARP spoofing on the switches, but I found at least three approaches related to it:

1. DAI+ARP ACL: ip arp inspection filter ACL vlan IDs

2. IP-MAC binding: arp IP address H.H.H arpa

3. IP-MAC-Port binding: such as

ip source binding H.H.H vlan 100 ip address interface Gi1/x

Is there any difference between these? Thank you.

3 Replies

padramas
Cisco Employee

Hello David,

You can also take a look at configuring port security if you want to restrict the hosts connected to the switch based on their MAC addresses:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swtrafc.html#wp1038501

HTH

Padmanabhan

Istvan_Rabai
Level 7

Hi David,

1. and 2. go together:

You configure an ARP ACL (static IP-MAC bindings) (2.)

Then you apply it to the arp inspection process (1.)

3. "ip source binding" is used in IP Source Guard to define IP-MAC bindings.

Cheers:

Istvan

Hi Istvan,

Thanks for your reply.

Option 1: I got the reference configuration as below,

Switch(config)# arp access-list host2

Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host H.H.H

Switch(config-arp-acl)# exit

Switch(config)# ip arp inspection filter host2 vlan 1

For option 2, which I am using now, I just configured the following independently:

arp 1.1.1.1 H.H.H ARPA

So I thought 1 and 2 were separate.

Also, does IP Source Guard help to prevent ARP spoofing, since it binds the MAC address as well?

Thanks.
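Editor's note with an added configuration example (this is not from any post in the thread, and not Cisco's reference configuration). Two points the thread leaves implicit: the global `arp <ip> <mac> arpa` command only creates a static entry in the switch's own ARP cache, so it protects the switch's L3 forwarding toward that host but does not inspect the ARP packets hosts exchange with each other on the VLAN; and `ip source binding` entries go into the DHCP snooping binding database, which IP Source Guard filters against and which DAI also consults for ARP packets not matched by an ARP ACL (when the filter is applied without the `static` keyword). The example below puts the three pieces together for one VLAN with no DHCP server. The VLAN number, addresses, MAC addresses, ACL name and interface names are assumptions.

```cisco
! Added example, not from the thread. All names, addresses, MACs,
! VLAN and interface numbers are assumed values for illustration.
!
! --- 1. ARP ACL: the IP-to-MAC pairs DAI is allowed to see in ARP packets ---
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0011.2233.4455
 permit ip host 192.0.2.11 mac host 0011.2233.4466
!
! --- 2. Enable DAI on the VLAN and attach the ACL ---
ip arp inspection vlan 100
! "static": an ARP packet matching no permit line is dropped outright instead
! of being looked up in the DHCP snooping binding database afterwards
ip arp inspection filter STATIC-HOSTS vlan 100 static
! Extra sanity checks on each ARP packet (sender MAC vs. Ethernet source,
! target MAC vs. Ethernet destination, no bogus sender/target IPs)
ip arp inspection validate src-mac dst-mac ip
!
! --- 3. Static entries in the DHCP snooping binding database ---
! These are what IP Source Guard enforces; DAI can use them too. The VLAN and
! interface must match where the host is actually connected.
ip dhcp snooping
ip dhcp snooping vlan 100
ip source binding 0011.2233.4455 vlan 100 192.0.2.10 interface GigabitEthernet1/0/1
ip source binding 0011.2233.4466 vlan 100 192.0.2.11 interface GigabitEthernet1/0/2
!
! --- 4. Access ports: untrusted for DAI (the default), IPSG on IP+MAC ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
 ! IP Source Guard filtering on both source IP and source MAC
 ip verify source port-security
 ! cap ARP rate so a flooding host errdisables its own port, not the VLAN
 ip arp inspection limit rate 15
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security mac-address 0011.2233.4466
 ip verify source port-security
 ip arp inspection limit rate 15
!
! --- 5. Uplink: trusted, so ARP arriving from the rest of the network is not
! inspected (leave access ports untrusted; trusting them disables DAI there) ---
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
! --- Verification ---
! show ip arp inspection vlan 100            (filter and validation in effect)
! show ip arp inspection statistics vlan 100 (forwarded vs. dropped counters)
! show ip source binding                     (static bindings are present)
! show ip verify source                      (IPSG active per interface)
```

Note the difference in what each piece stops: DAI with the ARP ACL drops an ARP reply in which a host claims 192.0.2.10 with the wrong MAC (classic ARP poisoning of the other hosts on the VLAN), while IP Source Guard drops IP packets sent from an address or MAC a port is not bound to, which is IP spoofing rather than ARP spoofing. The static `arp` entry on the switch, on its own, covers neither; it only keeps the switch's own cache from being poisoned for that one address.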
