03-06-2013 05:48 AM
Hi Cisco Expert,
How do I configure dynamic ARP inspection on the 300 or 500 series? Do you have a clear document for this solution? Could you please share it?
I find that in the admin guide it's not simple to do.
Thank you for your kind support.
03-06-2013 07:26 AM
Hi Siriphan, using the command line is the easiest way to deal with this.
You need to understand the difference between trusted and untrusted interfaces. The untrusted interfaces are the ports that will be inspected, and if a host is not specified within the ARP entry list, it will get dropped.
Any port you do not want ARP inspection to be a part of, you need to trust that port.
Below is how to make a port trusted.
configure terminal
interface fe1
ip arp inspection trust
Once you establish the trusted ports, you can build your arp list.
configure terminal
ip arp inspection list create ARP_INSPECTION (the word after "create" can be anything you want)
ip 192.168.100.3 mac-address 64:31:50:1c:50:a1
This is an example of adding one entry to your ARP list. You can add 128 of these entries. These IP/MAC bindings are the devices that are "safe" from being dropped.
Lastly, you need to enable ARP inspection globally. You DO NOT want to toggle ARP inspection without establishing your interfaces or bind list. If you do not establish your trusted interfaces and list first, you will lock down any connection through the switch and essentially brick it.
To toggle the global arp inspection
configure terminal
ip arp inspection
Once you're done, save your running config to the startup config.
-Tom
Please mark answered for helpful posts
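The following is an added example, not part of Tom's post or any Cisco material. It generates the static ARP inspection configuration in the order Tom's post insists on (trust ports first, fill the list, then enable inspection globally), enforces the 128-entry list limit he mentions, validates each IP/MAC pair before it is emitted, and models the forward/drop decision he describes for trusted versus untrusted ports. Only the commands quoted in the post are used; the `exit`/`end` lines, the `copy running-config startup-config` save step, and the sample bindings and port names are assumptions of this example.

```python
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Limit stated in the post above: the static ARP inspection list holds 128 entries.
MAX_LIST_ENTRIES = 128

# Constructed sample data (not from the thread): DHCP server and uplink ports are
# trusted; the first binding is the one Tom showed, the second is made up.
TRUSTED_INTERFACES = ["gi1", "fe1"]
SAMPLE_BINDINGS = [
    ("192.168.100.3", "64:31:50:1c:50:a1"),
    ("192.168.100.10", "00:11:22:33:44:55"),
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_binding(ip: str, mac: str) -> Tuple[str, str]:
    """Validate one IP/MAC pair and return it in canonical form (lower-case, colon-separated).
    Raises ValueError on anything that is not a well-formed IPv4 address or MAC."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"only IPv4 bindings are supported: {ip}")
    mac_norm = mac.lower().replace("-", ":")
    if not MAC_RE.match(mac_norm):
        raise ValueError(f"malformed MAC address: {mac}")
    return str(addr), mac_norm


def build_dai_config(trusted: Iterable[str], bindings: Iterable[Tuple[str, str]],
                     list_name: str = "ARP_INSPECTION") -> List[str]:
    """Emit CLI lines: trust ports, build the list, and only then the global enable,
    so the switch is never left inspecting with an empty bind list."""
    entries = [normalize_binding(ip, mac) for ip, mac in bindings]
    if len(entries) > MAX_LIST_ENTRIES:
        raise ValueError(f"{len(entries)} bindings exceed the {MAX_LIST_ENTRIES}-entry list limit")
    lines = ["configure terminal"]
    for port in trusted:
        # 'exit' after each interface block is an assumption of this example
        lines += [f"interface {port}", "ip arp inspection trust", "exit"]
    lines.append(f"ip arp inspection list create {list_name}")
    for ip, mac in entries:
        lines.append(f"ip {ip} mac-address {mac}")
    lines.append("exit")
    lines.append("ip arp inspection")  # global enable goes last, as the post warns
    # saving to startup config, as the post's final step (command is an assumption)
    lines += ["end", "copy running-config startup-config"]
    return lines


def allowed_pairs(bindings: Iterable[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """The set of canonical (ip, mac) pairs the list would contain."""
    return {normalize_binding(ip, mac) for ip, mac in bindings}


def inspect_arp(interface: str, ip: str, mac: str,
                trusted: Set[str], allowed: Set[Tuple[str, str]]) -> str:
    """Model of the decision Tom describes: a trusted port bypasses inspection;
    on an untrusted port only pairs on the list are forwarded, everything else drops."""
    if interface in trusted:
        return "forward"
    try:
        pair = normalize_binding(ip, mac)
    except ValueError:
        return "drop"  # unparsable sender fields never match a list entry
    return "forward" if pair in allowed else "drop"


if __name__ == "__main__":
    for line in build_dai_config(TRUSTED_INTERFACES, SAMPLE_BINDINGS):
        print(line)
```

Run it and paste the output into the console in that order; the point of the ordering check is that `ip arp inspection` only appears after every trusted port and every list entry, which is exactly the lock-out the post warns about.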
03-06-2013 10:00 AM
Hi Tom, sorry if my question is not about your post, but I have some problem configuring NAT overload on 2 routers, and I don't know if you could help me with this.
The problem is that I can't configure NAT overload on 2 routers. I can establish NAT on one router, and I can ping from the inside net of router 1 to the inside net of router 2; NAT operates correctly. The problem is when I configure NAT on the second router. The idea is to configure NAT on router 2 and communicate the inside net of router 2 (by using NAT) with the inside net of router 1; at this moment the communication between both inside nets is broken.
Thanks in advance
03-07-2013 08:17 PM
Hi Tom,
Thank you for your answer. But in case I already trust the interface that connects to the DHCP server and inspection trust for the access port, is it enough? Must I add the MAC address on the access port like you did again?
I want dynamic, not static ARP inspection.
Is DHCP snooping required for this config?
Sent from Cisco Technical Support Android App
03-08-2013 07:20 AM
Hi Siri, if you make an interface trusted, whatever comes through that interface is not subject to ARP inspection.
Let's say the DHCP server is on port 1 and it is trusted.
The DHCP client (your computer) connects to port 2, which is untrusted.
Without adding the entry for port 2 the way I showed above, that port will drop the client connection because it is not on the ARP inspection list.
-Tom
Please mark answered for helpful posts
03-08-2013 07:32 AM
Hi Tom,
Thank you for your kind support.
I don't understand why we don't need to configure DHCP snooping if we configure only trust on the DHCP server port and untrust on the access port. If a hacker fixes a static IP, or a user uses an ARP attack or a man-in-the-middle tool like NETCUT, they can still attack that network, right? If yes, how to protect against it? I want every client to get DHCP rather than fixing an IP address to access the network, and I want to protect against man-in-the-middle attacks. Thank you for your kind support again.
Sent from Cisco Technical Support Android App
03-08-2013 07:37 AM
Hi Siri, no. Because ARP inspection uses IP address + MAC address. You can use DHCP snooping for other security... this is true. But if there is a MAC or IP address not configured within the switch, that connecting host is dropped.
-Tom
Please mark answered for helpful posts
03-08-2013 06:35 PM
Hi Tom,
If we want to protect when a client fixes an IP address and uses man-in-the-middle tools, how do we protect against it?
I think your config above is for static ARP inspection, right? I don't want to fix a MAC on every port. Thank you for your kind support.
Sent from Cisco Technical Support Android App
03-10-2013 06:01 AM
Hi Siri, DHCP snooping is specifically for that.
-Tom
Please mark answered for helpful posts