13.2.5 Dynamic ARP checking
The following describes how to configure dynamic ARP inspection.
(1) Basic Settings
- Points to note
  - Set the VLAN for which basic dynamic ARP inspection is to be enabled.
- Command examples
(config)# ip arp inspection vlan 2
Sets VLAN ID 2 as a VLAN subject to dynamic ARP inspection. Dynamic ARP inspection will be performed only for VLANs set by using this command.
- Notes
  - Specify the VLAN ID that was set by using the ip dhcp snooping vlan configuration command.
  - When you specify this command, the entries registered in the binding database by using the ip source binding configuration command also become subject to dynamic ARP inspection.
  - If you specify this command for a port belonging to the VLAN set by using the ip arp inspection vlan configuration command, dynamic ARP inspection will not be used to check the port.
(2) Configuring Trusted Ports
- Points to note
  - Set the port to which the DHCP server is connected as a trusted port.
- Command examples
(config)# interface gigabitethernet 1/0/5
(config-if)# ip arp inspection trust
(config-if)# exit
Sets port 1/0/5 as a trusted port. Other ports are untrusted.
- Notes
  - If the ports that are set by using this command belong to a VLAN subject to dynamic ARP inspection, dynamic ARP inspection will not be performed for those ports.
(3) Configuring Optional Tests
- Points to note
  - Enable source MAC address inspection (the src-mac option) as an optional check in the Switch's dynamic ARP inspection.
- Command examples
(config)# ip arp inspection validate src-mac
Enables the source MAC address inspection (src-mac option) as an optional check.
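An offline check of a saved configuration against the notes in (1) to (3), as an added example that is not part of the original manual. The indented interface block layout, the `2,5-7` VLAN list form and the `expected_trusted` parameter are assumptions; the sample configuration is constructed.

```python
import re

# Constructed sample configuration, using only command forms shown in this section.
# Assumption: interface sub-commands are indented, as in a saved configuration.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 2
ip arp inspection vlan 2
ip arp inspection vlan 3
interface gigabitethernet 1/0/5
  ip arp inspection trust
interface gigabitethernet 1/0/7
  ip arp inspection trust
"""

def parse_vlans(arg):
    """Expand a VLAN argument; the '2,5-7' list form is an assumption."""
    vlans = set()
    for part in arg.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, expected_trusted):
    """Return findings for the points raised in this section's notes."""
    snoop, dai, trusted, src_mac, port = set(), set(), set(), False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            port = None  # an unindented line ends the interface block
        if m := re.fullmatch(r"interface\s+(\S+)\s+(\S+)", line):
            port = f"{m.group(1)} {m.group(2)}"
        elif line == "ip arp inspection trust" and port:
            trusted.add(port)
        elif m := re.fullmatch(r"ip dhcp snooping vlan\s+(\S+)", line):
            snoop |= parse_vlans(m.group(1))
        elif m := re.fullmatch(r"ip arp inspection vlan\s+(\S+)", line):
            dai |= parse_vlans(m.group(1))
        elif line.startswith("ip arp inspection validate") and "src-mac" in line.split():
            src_mac = True
    findings = [f"VLAN {v}: ip arp inspection vlan set without ip dhcp snooping vlan"
                for v in sorted(dai - snoop)]
    findings += [f"{p}: trusted port not on the expected list, exempt from inspection"
                 for p in sorted(trusted - set(expected_trusted))]
    if dai and not src_mac:
        findings.append("src-mac optional check is not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"gigabitethernet 1/0/5"}):
        print(finding)
```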