Dynamic ARP inspection - can you use wildcards?

bridgepartners
Level 1

We are using dynamic ARP inspection on our 3750 switch infrastructure to make sure that the devices connected to the switches are making valid ARP requests. We don't really mind what MAC addresses the devices use, but it is very important that they only make ARP requests for the correct IPs (NB - this is not just an IP ACL issue).

For instance, we do not want a device to claim to be the VLAN default gateway IP.

We are successfully using DAI with pairs of MAC and IPs. The question is, can we use a wildcard for the MAC part of the pairing? This would simplify our user management greatly.

Daniel Kleeman

3 Replies

Istvan_Rabai
Level 7

Hi Daniel,

Yes, there is a mask for the MAC address in the ARP ACLs.

Example:

arp access-list [name]

permit ip 192.168.1.0 0.0.0.255 mac xxxx.xxxx.xxxx yyyy.yyyy.yyyy

Where the y's mean the mask for the MAC addresses in hexadecimal format.

You will need to apply the ARP access-list to a VLAN like this:

ip arp inspection filter [acl-name] vlan x

Cheers:

Istvan

Very helpful, thanks.

Would this look right to you to allow any MAC address and only one IP:

permit ip host 192.168.1.33 mac 1a1a.2a2a.3a3a ffff.ffff.ffff

Thanks

Daniel

Hi Daniel,

I think so, but I'm not sure if this is a mask or a wildcard mask.

You should test this before introducing it to a production network.

Also test that 0000.0000.0000 will allow the exact MAC address only.

Thanks:

Istvan
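A small offline check of what an ARP ACL entry like the ones in this thread will permit, added here as an example (it is not Cisco code and not part of the original posts). It assumes that the MAC mask in an IOS arp access-list follows the same wildcard convention as the IP wildcard mask (a set bit means "don't care"), so ffff.ffff.ffff matches any MAC and 0000.0000.0000 matches only the exact MAC; the thread's own advice to verify that on a lab switch still stands.

```python
import ipaddress
import re

ANY_MAC_WILDCARD = 0xFFFFFFFFFFFF  # 48 bits set: every MAC bit is "don't care"


def mac_to_int(mac: str) -> int:
    """Parse a Cisco dotted MAC (1a1a.2a2a.3a3a) or colon form into an int."""
    digits = re.sub(r"[.:-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return int(digits, 16)


def _ip_term(tok, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (value, wildcard, next)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), i + 2


def _mac_term(tok, i):
    """Consume 'any' | 'host M' | 'M W' with the assumed wildcard semantics."""
    if tok[i] == "any":
        return 0, ANY_MAC_WILDCARD, i + 1
    if tok[i] == "host":
        return mac_to_int(tok[i + 1]), 0, i + 2
    return mac_to_int(tok[i]), mac_to_int(tok[i + 1]), i + 2


def parse_entry(line: str) -> dict:
    """Parse one 'permit|deny ip <ip-term> mac <mac-term>' entry."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    ip, ip_wc, i = _ip_term(tok, 2)
    if i >= len(tok) or tok[i] != "mac":
        raise ValueError(f"expected 'mac' in: {line!r}")
    mac, mac_wc, _ = _mac_term(tok, i + 1)
    return {"action": tok[0], "ip": ip, "ip_wc": ip_wc, "mac": mac, "mac_wc": mac_wc}


def evaluate(acl_lines, sender_ip: str, sender_mac: str) -> str:
    """First matching entry wins; the ACL ends with an implicit deny."""
    ip, mac = int(ipaddress.IPv4Address(sender_ip)), mac_to_int(sender_mac)
    for e in map(parse_entry, acl_lines):
        # A bit only has to agree where the wildcard bit is clear.
        if ((ip ^ e["ip"]) & ~e["ip_wc"]) == 0 and ((mac ^ e["mac"]) & ~e["mac_wc"]) == 0:
            return e["action"]
    return "deny"
```

Feeding the thread's entry and the VLAN gateway address through evaluate() shows the gateway-spoofing ARP being denied while the host's own IP is permitted from any MAC.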
