Cisco WS-C3560E-24PD-E Command Reference - Page 159
ip arp inspection filter vlan
View all Cisco WS-C3560E-24PD-E manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 159 highlights
Chapter 2 Catalyst 3560 Switch Cisco IOS Commands ip arp inspection filter vlan ip arp inspection filter vlan Use the ip arp inspection filter vlan global configuration command to permit or deny Address Resolution Protocol (ARP) requests and responses from a host configured with a static IP address when dynamic ARP inspection is enabled. Use the no form of this command to return to the default settings. ip arp inspection filter arp-acl-name vlan vlan-range [static] no ip arp inspection filter arp-acl-name vlan vlan-range [static] Syntax Description arp-acl-name vlan-range static ARP access control list (ACL) name. VLAN number or range. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094. (Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used. If you do not specify this keyword, it means that there is no explicit deny in the ACL that denies the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL. Defaults No defined ARP ACLs are applied to any VLAN. Command Modes Global configuration Command History Release 12.2(20)SE Modification This command was introduced. Usage Guidelines When an ARP ACL is applied to a VLAN for dynamic ARP inspection, only the ARP packets with IP-to-MAC address bindings are compared against the ACL. If the ACL permits a packet, the switch forwards it. All other packet types are bridged in the ingress VLAN without validation. If the switch denies a packet because of an explicit deny statement in the ACL, the packet is dropped. If the switch denies a packet because of an implicit deny statement, the packet is then compared against the list of DHCP bindings (unless the ACL is static, which means that packets are not compared against the bindings). Use the arp access-list acl-name global configuration command to define the ARP ACL or to add clauses to the end of a predefined list. 78-16405-05 Catalyst 3560 Switch Command Reference 2-127