04-07-2008 06:30 AM - edited 03-05-2019 10:14 PM
We are using dynamic arp inspection on our 3750 switch infrastructure to make sure that the devices connected to the switches are making valid ARP requests. We don't really mind what MAC addresses the devices use, but it is very important that they only make ARP requests for the correct IPs (NB - this is not just an IP ACL issue).
For instance, we do not want a device to claim to be the VLAN default gateway IP.
We are successfully using DAI with pairs of MAC and IPs. The question is, can we use a wildcard for the MAC part of the pairing? This would simplify our user management greatly.
Daniel Kleeman
04-07-2008 06:54 AM
Hi Daniel,
Yes, there is a mask for the MAC address in the ARP ACLs.
Example:
arp access-list [name]
permit ip 192.168.1.0 0.0.0.255 mac xxxx.xxxx.xxxx yyyy.yyyy.yyyy
Where the y's are the mask for the MAC addresses, in hexadecimal format.
You will need to apply the arp access-list to a vlan like this:
ip arp inspection filter [acl-name] vlan x
Cheers:
Istvan
04-07-2008 08:15 AM
Very helpful, thanks.
Would this look right to you to allow any MAC address and only one IP:
permit ip host 192.168.1.33 mac 1a1a.2a2a.3a3a ffff.ffff.ffff
Thanks
Daniel
04-07-2008 08:38 AM
Hi Daniel,
I think so, but I'm not sure if this is a mask or a wildcard mask.
You should test this before introducing it to a production network.
Also test that 0000.0000.0000 will allow the exact MAC address only.
Thanks:
Istvan
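Added example (not part of the thread, and not Cisco's code): a small Python model of how an ARP ACL applied by DAI evaluates the sender IP and sender MAC of an ARP packet, so the behaviour Istvan suggests testing can be seen concretely before touching a switch. It assumes the usual IOS convention that ACL masks are wildcard masks, where a 1 bit means "ignore this bit", so 0000.0000.0000 is an exact MAC match and ffff.ffff.ffff is equivalent to the keyword `mac any`, which is the direct way to write "any MAC address" in an ARP ACE. It also models the `ip arp inspection filter <acl> vlan <n> static` behaviour, where a packet matching no entry is dropped; without `static`, a non-matching packet is checked against the DHCP snooping binding table instead, so a network that does not run DHCP snooping wants `static` to get the implicit deny. The ACL name `DAI-VLAN10`, the addresses and the ARP samples are constructed for the example. The mask semantics are an assumption to verify on your own platform, as Istvan says.

```python
"""Model of Cisco ARP ACL evaluation under Dynamic ARP Inspection (added example).

Assumptions, not facts from the thread:
  * IOS ACL masks are wildcard masks: a 1 bit means "ignore this bit", so
    0000.0000.0000 is an exact MAC match and ffff.ffff.ffff equals `mac any`.
  * The ACL is applied with `ip arp inspection filter ... vlan ... static`,
    so a packet matching no entry is dropped (no DHCP snooping fallback).
"""
from dataclasses import dataclass

IP_BITS = (1 << 32) - 1
MAC_BITS = (1 << 48) - 1


def parse_mac(text: str) -> int:
    """Accept Cisco dotted (1a1a.2a2a.3a3a), colon or dash notation."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def parse_ipv4(text: str) -> int:
    octets = [int(o) for o in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {text!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


@dataclass(frozen=True)
class Ace:
    """One `permit|deny ip <spec> mac <spec>` entry; *_wild are wildcard masks."""
    action: str
    ip: int
    ip_wild: int
    mac: int
    mac_wild: int

    def matches(self, sender_ip: int, sender_mac: int) -> bool:
        # Bits set in the wildcard are ignored; all remaining bits must be equal.
        ip_ok = ((sender_ip ^ self.ip) & ~self.ip_wild & IP_BITS) == 0
        mac_ok = ((sender_mac ^ self.mac) & ~self.mac_wild & MAC_BITS) == 0
        return ip_ok and mac_ok


def _take_spec(tokens, i, parse, all_bits):
    """Parse `any` | `host X` | `X MASK` at tokens[i]; return (value, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, all_bits, i + 1
    if tokens[i] == "host":
        return parse(tokens[i + 1]), 0, i + 2
    return parse(tokens[i]), parse(tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    try:
        ip, ip_wild, i = _take_spec(tokens, 2, parse_ipv4, IP_BITS)
        if tokens[i] != "mac":
            raise ValueError(f"expected 'mac' in: {line!r}")
        mac, mac_wild, _ = _take_spec(tokens, i + 1, parse_mac, MAC_BITS)
    except IndexError:
        raise ValueError(f"truncated ACE: {line!r}") from None
    return Ace(tokens[0], ip, ip_wild, mac, mac_wild)


def parse_arp_acl(config: str) -> list[Ace]:
    """Parse the entries of an `arp access-list` block; `!` comments are skipped."""
    aces = []
    for raw in config.splitlines():
        line = raw.split("!", 1)[0].strip()
        if line and not line.startswith("arp access-list"):
            aces.append(parse_ace(line))
    return aces


def dai_verdict(acl: list[Ace], sender_ip: str, sender_mac: str) -> str:
    """First matching entry decides; with `static`, no match is an implicit deny."""
    ip, mac = parse_ipv4(sender_ip), parse_mac(sender_mac)
    for ace in acl:
        if ace.matches(ip, mac):
            return ace.action
    return "deny"


# Constructed sample ACL: exact MAC for the gateway, any MAC for one client IP
# (the case asked about in the thread), and a MAC prefix range for a subnet slice.
SAMPLE_ACL = """
arp access-list DAI-VLAN10
 permit ip host 192.168.1.1 mac host 0011.2233.4455
 permit ip host 192.168.1.33 mac 1a1a.2a2a.3a3a ffff.ffff.ffff
 permit ip 192.168.1.64 0.0.0.31 mac 0050.56ab.0000 0000.0000.ffff
"""

# Constructed ARP senders: (sender IP, sender MAC, what they represent).
SAMPLE_ARP = [
    ("192.168.1.33", "1a1a.2a2a.3a3a", "client with the listed MAC"),
    ("192.168.1.33", "dead.beef.0001", "same client IP, different NIC"),
    ("192.168.1.1", "0011.2233.4455", "real gateway"),
    ("192.168.1.1", "dead.beef.0001", "host claiming the gateway IP"),
    ("192.168.1.70", "0050.56ab.1234", "host in the MAC prefix range"),
    ("192.168.1.34", "1a1a.2a2a.3a3a", "IP with no ACL entry"),
]


def evaluate_samples() -> list[tuple[str, str, str]]:
    acl = parse_arp_acl(SAMPLE_ACL)
    return [(ip, mac, dai_verdict(acl, ip, mac)) for ip, mac, _ in SAMPLE_ARP]


if __name__ == "__main__":
    for (ip, mac, what), (_, _, verdict) in zip(SAMPLE_ARP, evaluate_samples()):
        print(f"{verdict:6} {ip:15} {mac}  ({what})")
```

The fourth sample is the case from the original question: a host that answers ARP for the gateway IP with its own MAC matches no entry, because the gateway line requires the exact MAC, and is dropped; the second sample shows the ffff.ffff.ffff mask letting the same IP through regardless of MAC.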