cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
986
Views
15
Helpful
8
Replies

How config dynamic arp inspection for 300 or 500 series ?

Hi Cisco Expert ,

How config dynamic arp inspection for 300 or 500 series ? Do you have clearly document for this solution ? Could you please to share ?

i find in admin guide it's no simple to do

Thank you for kindly support.

8 Replies 8

Tom Watts
VIP Alumni
VIP Alumni

Hi Siriphan, using the command line is the easiest way to deal with this.

You need to understand the difference between trusted  and untrusted interfaces. The untrusted interfaces are the ports that  will be inspected and if not specified within the arp entry list then  will get dropped.

Any port you do not want arp inspection to be a part of, you need to trust that port.

Below is how to make a port trusted.

configure terminal

interface fe1

ip arp inspection trust

Once you establish the trusted ports, you can build your arp list.

configure terminal

ip ap inspection list create ARP_INSPECTION  (the word after the create can be anything you want)

ip 192.168.100.3 mac-address 64:31:50:1c:50:a1

This  is the example of adding 1 entry to your arp list. You can add128 of  these entries. These IP/mac binds are the devices that are "safe" from  being dropped.

Lastly, you need to enable the arp  inspection globally. You DO NOT want to toggle the arp inspection  without establishing your interfaces or bind list. If you do not  establish your trust interfaces and list first, you will lock down any  connection through the switch and essentially brick it.

To toggle the global arp inspection

configure terminal

ip arp inspection

Once you're done, save your running config to the start up config.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Hi Tom, sorry if my question is not about your Post, but i have some problem to configure Nat Overload on 2 routers, i dont know if you could help me with this.

     The problem is that i cant configure NAT overload on 2 routers.  I can establish NAT on one router, and i can ping from the inside net of the router 1  to the inside net of the router 2, nat operate correctly, the problem is when i confugure NAT on the second router, the idea is configure NAT on the router 2 and comunicate the inside net of the router 2 ( by using NAT) with the inside net of the router 1, at this moment the comunication between both inside net is broke.

Thanks in advance

Hi Tom,

thany you for yrs answer. But in cast I already trust interface it connect with dhcp server and inspection trust for access port it enough ? I must mac-address on access port like you did agian ?

I want dynamic not static arp inspection.
Dhcp snooping must require on this config ?

Sent from Cisco Technical Support Android App

Hi Siri, if you make an interface trusted, whatever comes through that interface is not subject to the arp inspection.

Let's say the dhcp server is port 1 and it is trusted.

Dhcp client (your computer) connects to port 2 which is untrusted.

Without adding the entry for port 2 how I put above, that port will drop the client connection because it is not on the arp inspection list.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Hi Tom,
thank you for kindly support.
I'm not understand Why we no need to config dhcp snooping ? If we config only trust on dhcp server port and untrust on access port. If hacker fix static ip or user arp attack or man in the middle tool like NETCUT. They still attack that network right ? If yes how to protect ? I want to client it fix ip address access in the network every client must get dhcp and want to protect man in the middle attack.Thank you for kindly support again.


Sent from Cisco Technical Support Android App

Hi Siri, no. Because arp inspection uses ip address + mac address. You can use DHCP snooping for other security... this is true. But if there is a MAC or IP address not configured within the switch, that connecting host is dropped.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Hi Tom,

if we want to protect when client fix ip address and use man in the middle tools.How to protect ?
I think you upper config for static arp inspection right ? I don't want to fix mac in every port. Thank you for kindly support.


Sent from Cisco Technical Support Android App

Hi Siri DHCP snooping is specifically for that.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Switch products supported in this community
Cisco Business Product Family
  • CBS110
  • CBS220
  • CBS250
  • CBS350
Cisco Switching Product Family
  • 110
  • 200
  • 220
  • 250
  • 300
  • 350
  • 350X
  • 550X