Gateway Security

keynet · ‎09-08-2008

I want security configure of a switch-link to the gateway. what is the correct configuration?

- ip arp inspection ?

- ip source binding ?

The IP address with the MAC address of the gateway must be sure.

What must I all configure?

all the best

Urs

Marwan ALshawi · ‎09-08-2008

hi DANIEL

ip arp inspection relies on the entries in the DHCP snooping binding database to

verify IP-to-MAC address bindings. Configure each secure interface as trusted using the

ip arp inspection trust interface configuration command. The trusted interfaces bypass

the ARP inspection validation checks, and all other packets are subject to inspection when

they arrive on untrusted interfaces.

In non-DHCP environments, because there is no DHCP snooping binding database, the

DAI can validate ARP packets against a user-defined ARP ACL to map hosts with a

statically configured IP address to their MAC address, so this one aplly on ur case !!

Use the arp access-list [acl-name] command from the global configuration mode on

the switch to define an ARP ACL and apply the ARP ACL to the specified VLANs on the

switch

have a look at the following example, which configure an ARP ACL to permit ARP packets from host IP

address 10.1.1.11 with MAC address 0011.0011.0011 and how to apply this ACL to VLAN 5

with the interface configured as untrusted

Switch(config)# arp access-list arpacl

Switch(config-arp-acl)# permit ip host 10.1.1.11 mac host 0011.0011.0011

Switch(config-arp-acl)# exit

Switch(config)# ip arp inspection filter arpacl vlan 5

Switch(config)# interface GigabitEthernet1/0/2

Switch(config-if)# no ip arp inspection trust

i think this will solve ur issue :)

good luck

if helpful Rate