32-6
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 32 Understanding and Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
For information on how to configure dynamic ARP inspection when only one switch supports the
feature, see the “Configuring ARP ACLs for Non-DHCP Environments” section on page 32-10.
To configure dynamic ARP inspection, perform this task on both switches:

Step 1
  Command: Switch# show cdp neighbors
  Purpose: Verifies the connection between the switches.

Step 2
  Command: Switch# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command: Switch(config)# [no] ip arp inspection vlan vlan-range
  Purpose: Enables dynamic ARP inspection on a per-VLAN basis. By
           default, dynamic ARP inspection is disabled on all VLANs.
           For vlan-range, specify a single VLAN identified by VLAN ID
           number, a range of VLANs separated by a hyphen, or a series of
           VLANs separated by a comma. The range is 1 to 4094.
           Specify the same VLAN ID for both switches.

Step 4
  Command: Switch(config)# interface interface-id
  Purpose: Specifies the interface connected to the other switch, and enters
           interface configuration mode.

Step 5
  Command: Switch(config-if)# ip arp inspection trust
  Purpose: Configures the connection between the switches as trusted.
           By default, all interfaces are untrusted.
           The switch does not check ARP packets that it receives from the
           other switch on the trusted interface. It simply forwards the
           packets.
           For untrusted interfaces, the switch intercepts all ARP requests
           and responses. It verifies that the intercepted packets have valid
           IP-to-MAC address bindings before updating the local cache and
           before forwarding the packet to the appropriate destination. The
           switch drops invalid packets and logs them in the log buffer
           according to the logging configuration specified with the
           ip arp inspection vlan logging global configuration command.
           For more information, see the “Configuring the Log Buffer”
           section on page 32-14.

Step 6
  Command: Switch(config-if)# end
  Purpose: Returns to privileged EXEC mode.

Step 7
  Command: Switch# show ip arp inspection interfaces
           Switch# show ip arp inspection vlan vlan-range
  Purpose: Verifies the dynamic ARP inspection configuration.

Step 8
  Command: Switch# show ip dhcp snooping binding
  Purpose: Verifies the DHCP bindings.

Step 9
  Command: Switch# show ip arp inspection statistics vlan vlan-range
  Purpose: Checks the dynamic ARP inspection statistics.

Step 10
  Command: Switch# copy running-config startup-config
  Purpose: (Optional) Saves your entries in the configuration file.

To disable dynamic ARP inspection, use the no ip arp inspection vlan vlan-range global configuration
command. To return the interfaces to an untrusted state, use the no ip arp inspection trust interface
configuration command.
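
The following Python sketch is an added illustration, not Cisco code and not part of the original guide. It models the per-packet decision that Step 5 describes, so you can see which ARP packets a switch configured this way forwards and which it drops. The class and function names, interface names, addresses and the (VLAN, IP)-to-MAC binding layout are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    ingress: str       # interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str

class DaiModel:
    """Simplified model of the per-packet decision described in Step 5."""
    def __init__(self, inspected_vlans, trusted_ports, bindings):
        self.inspected_vlans = set(inspected_vlans)  # ip arp inspection vlan vlan-range
        self.trusted_ports = set(trusted_ports)      # ip arp inspection trust
        # Assumption: bindings keyed by (VLAN, IP) -> MAC, as the DHCP snooping table lists them.
        self.bindings = {(v, ip): mac.lower() for v, ip, mac in bindings}
        self.log_buffer = []                         # stands in for the switch log buffer

    def inspect(self, pkt):
        if pkt.vlan not in self.inspected_vlans:
            return "forward"   # inspection is disabled on this VLAN (the default)
        if pkt.ingress in self.trusted_ports:
            return "forward"   # trusted interface: forwarded without any check
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac.lower():
            return "forward"   # valid IP-to-MAC binding
        self.log_buffer.append(pkt)
        return "drop"          # invalid binding: dropped and logged

def demo():
    # Constructed sample data: VLAN 10 inspected, Gi1/1 is the inter-switch link.
    dai = DaiModel({10}, {"Gi1/1"}, [(10, "192.0.2.1", "0000.5e00.5301"),
                                     (10, "192.0.2.10", "0000.5e00.5310")])
    packets = {
        "valid host":            ArpPacket(10, "Gi2/3", "192.0.2.10", "0000.5E00.5310"),
        "spoofed gateway":       ArpPacket(10, "Gi2/4", "192.0.2.1", "0000.5e00.53ff"),
        "spoof via trusted":     ArpPacket(10, "Gi1/1", "192.0.2.1", "0000.5e00.53ff"),
        "static host, no lease": ArpPacket(10, "Gi2/5", "192.0.2.50", "0000.5e00.5350"),
        "uninspected VLAN":      ArpPacket(20, "Gi2/4", "192.0.2.1", "0000.5e00.53ff"),
    }
    return {name: dai.inspect(p) for name, p in packets.items()}, dai.log_buffer

if __name__ == "__main__":
    results, dropped = demo()
    for name, verdict in results.items():
        print(f"{name:22} {verdict}")
```

The "spoof via trusted" case is forwarded because the trusted inter-switch link is never checked, which is why the task is performed on both switches. The "static host, no lease" case is dropped for lack of a DHCP binding, the situation the ARP ACL section for non-DHCP environments addresses.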