Dynamic ARP inspection - can you use wildcards?

Apr 7th, 2008

We are using dynamic arp inspection on our 3750 switch infrastructure to make sure that the devices connected to the switches are making valid ARP requests. We don't really mind what MAC addresses the devices use, but it is very important that they only make ARP requests for the correct IPs (NB - this is not just an IP ACL issue).


For instance, we do not want a device to claim to be the VLAN default gateway IP.


We are successfully using DAI with pairs of MAC and IPs. The question is, can we use a wildcard for the MAC part of the pairing? This would simplify our user management greatly.


Daniel Kleeman

Istvan_Rabai Mon, 04/07/2008 - 06:54

Hi Daniel,


Yes, there is a mask for the mac address in the arp acls.


Example:


arp access-list [name]

permit ip 192.168.1.0 0.0.0.255 mac xxxx.xxxx.xxxx yyyy.yyyy.yyyy


Where the y's mean the mask for the mac-addresses in hexadecimal format.


You will need to apply the arp access-list to a vlan like this:


ip arp inspection filter [acl-name] vlan x



Cheers:

Istvan

bridgepartners Mon, 04/07/2008 - 08:15

Very helpful, thanks.


Would this look right to you to allow any MAC address and only one IP:


permit ip host 192.168.1.33 mac 1a1a.2a2a.3a3a ffff.ffff.ffff


Thanks


Daniel


Istvan_Rabai Mon, 04/07/2008 - 08:38

Hi Daniel,


I think so, but I'm not sure if this is a mask or a wildcard mask.


You should test this before introducing it to a production network.


Also test that 0000.0000.0000 will allow the exact MAC address only.


Thanks:

Istvan
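The configuration below is an added example that is not part of this thread; it pulls together the pieces discussed above (an ARP ACL, applying it to a VLAN, enabling DAI) for the case Daniel asked about, where the IP a host may claim in ARP is fixed but its MAC address is not. The ACL name, VLAN number, addresses and interfaces are assumptions for illustration. It uses the `any` and `host` keywords instead of a hand-written MAC mask, so it does not depend on how a given platform interprets the mask bits; the one masked line is included only as the pattern to verify on a lab switch, as Istvan recommends.

```cisco
! Added example, not from the thread. Names, VLAN and addresses are assumed.
! Goal: stations in VLAN 10 may only send ARP for their own assigned IP;
! nobody may claim the gateway IP, whatever MAC they use.
arp access-list DAI-VLAN10
 ! Station with a fixed IP, any MAC: the "mac any" form avoids the
 ! mask-vs-wildcard question entirely.
 permit ip host 192.168.1.33 mac any
 ! Station pinned to both its IP and its exact MAC.
 permit ip host 192.168.1.34 mac host 1a1a.2a2a.3a3a
 ! Masked form (assumed OUI match): verify the mask semantics on your
 ! platform before relying on it, as the thread advises.
 permit ip host 192.168.1.35 mac 1a1a.2a2a.0000 0000.0000.ffff
 ! Any ARP claiming the gateway IP is logged and dropped regardless of MAC.
 deny ip host 192.168.1.1 mac any log
 ! Implicit deny: everything else is dropped (with "static") instead of
 ! falling through to the DHCP snooping binding table.
!
! Bind the ACL to the VLAN and turn DAI on for it.
ip arp inspection filter DAI-VLAN10 vlan 10 static
ip arp inspection vlan 10
!
! Only the uplink towards the real gateway is trusted; access ports stay
! untrusted so their ARP packets are checked against the ACL.
interface GigabitEthernet1/0/1
 description uplink to distribution / default gateway
 ip arp inspection trust
!
interface range GigabitEthernet1/0/2 - 48
 description access ports, DAI untrusted (default)
 ip arp inspection limit rate 15
```

Check the result with `show ip arp inspection vlan 10` (shows which ACL is applied and whether it is static) and `show ip arp inspection statistics vlan 10` (counts of ACL-permitted, ACL-denied and rate-limited ARP packets); a rising "ACL Drops" counter after deployment is the signal that a station is claiming an IP it should not, which is exactly the event the gateway `deny ... log` line is there to surface.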
