Cisco Support Community

New Member

ARP Snooping on the L3 switch

We are using non-DHCP in our network environment. I want to avoid ARP spoofing on the switches. But I found at least three approaches related to it:

1. DAI+ARP ACL: ip arp inspection filter ACL vlan IDs

2. IP-MAC binding: arp IP address H.H.H arpa

3. IP-MAC-Port binding: such as

ip source binding H.H.H vlan 100 ip address interface Gi1/x

Is there any difference between these? Thank you.

3 REPLIES
Cisco Employee

Re: ARP Snooping on the L3 switch

Hello David,

You can also take a look at configuring port security if you want to restrict the hosts connected to the switch based on MAC addresses.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swtrafc.html#wp1038501

HTH

Padmanabhan

Re: ARP Snooping on the L3 switch

Hi David,

1 and 2. are together:

You configure an ARP ACL (static IP-MAC bindings)(2.)

Then you apply it to the arp inspection process (1.)

3. "ip source binding" is used in IP Source Guard to define IP-MAC bindings.

Cheers:

Istvan

New Member

Re: ARP Snooping on the L3 switch

Hi Istvan,

Thanks for your reply.

Option 1: I got the reference configuration as below:

Switch(config)# arp access-list host2

Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host H.H.H

Switch(config-arp-acl)# exit

Switch(config)# ip arp inspection filter host2 vlan 1

For option 2, which I am using now, I just configured it independently, as below:

arp 1.1.1.1 H.H.H ARPA

So I thought 1 and 2 are separate.

Also, does IP Source Guard help to avoid ARP spoofing, because it binds the MAC address as well?

Thanks.
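
Added example, not part of any post in this thread and not Cisco code: a simplified Python model of the check that dynamic ARP inspection applies to an ARP packet on an untrusted port when an ARP ACL like the one quoted above is the filter. The MAC addresses and packets are constructed, only host-to-host ACL entries are modelled, and the DHCP snooping fallback is assumed to be empty because the network in the question has no DHCP.

```python
import re

# Constructed ARP ACL in the syntax quoted in the thread (the MAC is a made-up value).
ARP_ACL = """\
arp access-list host2
 permit ip host 1.1.1.1 mac host 0011.2233.4455
"""

ENTRY = re.compile(r"^\s*(permit|deny) ip host (\S+) mac host (\S+)\s*$")

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

def parse_arp_acl(text):
    """Return [(action, ip, mac)] for each host-to-host entry, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2), norm_mac(m.group(3))))
    return entries

def inspect(entries, sender_ip, sender_mac, trusted=False, dhcp_bindings=frozenset()):
    """Model of the decision for one ARP packet: returns 'forward' or 'drop'."""
    if trusted:                       # trusted ports are not inspected
        return "forward"
    key = (sender_ip, norm_mac(sender_mac))
    for action, ip, mac in entries:   # first matching entry wins
        if (ip, mac) == key:
            return "forward" if action == "permit" else "drop"
    # No ACL match: fall back to DHCP snooping bindings (empty without DHCP).
    return "forward" if key in dhcp_bindings else "drop"

def run_samples():
    acl = parse_arp_acl(ARP_ACL)
    packets = [  # constructed (sender IP, sender MAC) pairs
        ("1.1.1.1", "00:11:22:33:44:55"),  # address owner listed in the ACL
        ("1.1.1.1", "00:aa:bb:cc:dd:ee"),  # same IP announced from another MAC
        ("1.1.1.9", "00:11:22:33:44:55"),  # IP with no ACL entry
    ]
    return [inspect(acl, ip, mac) for ip, mac in packets]

if __name__ == "__main__":
    print(run_samples())
```

In this model every static host needs its own permit entry, since with no DHCP snooping bindings any ARP packet that matches no entry is dropped on untrusted ports.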
