Block ARP traffic on interface

3em0nd001
Level 1

Hello!

I need to block ARP traffic on an interface.

I tried the following commands:

conf t

int gi0/8

ip access-group 100 in

no arp arpa

I created the ACL:

access-list 100 permit ip 172.20.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.20.0.0 0.0.255.255

But if I try arping to my gi0/8 192.168.1.1, I can get the MAC address.

How do I block ARP on an interface?

3 Replies

Mark Malone
VIP Alumni

Here is a guide on how to block ARP at the switch level. Depending on your model, you may support the feature:

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3550-series-switches/64844-mac-acl-block-arp.html

It's strange, but it's not working. I set this on a Cisco 2960:

swith(config)#mac access-list extended ARP_Block

swith(config-ext-macl)#no permit host 0040.5a12.b066 any 0x806 0x0

swith(config-ext-macl)#no permit any host 0040.5a12.b066 0x806 0x0

int gi0/8

mac access-group ARP_Block in

And after that, arping is working.

I need all ARP traffic blocked at host 0040.5a12.b066, excluding only IP traffic to network 172.20.0.0/16.

What am I doing wrong?

If you need to block it, do as the doc shows: you permit the ARP in the ACL but set the action to drop. Remove your "no permit" lines and post all of the configuration, with the vlan access-map too.

Configure

In this section, you are presented with the information to configure the features described in this document.

In order to configure MAC address filtering and apply it to the VLAN interface, you must complete several steps. First, you create the VLAN access maps for each type of traffic that must be filtered. You select a MAC address or range of MAC addresses for blocking. You also need to identify the ARP traffic in the access list. In accordance with RFC 826, an ARP frame uses the Ethernet protocol type of value 0x806. You can filter on this protocol type as interesting traffic for the access list.

  1. In global configuration mode, create a named MAC extended access list with the name ARP_Packet.

    Enter the mac access-list extended ACL_name command and add the host MAC address or addresses that you want to block.

    Switch(config)#mac access-list extended ARP_Packet
    Switch(config-ext-nacl)#permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
    Switch(config-ext-nacl)#end
    Switch(config)#
  2. Enter the vlan access-map map_name command and the action drop command, which is the action to perform.

    The vlan access-map map_name command uses the MAC access list that you created to block ARP traffic from the hosts.

    Switch(config)#vlan access-map block_arp 10
    
    Switch (config-access-map)#action drop
    Switch (config-access-map)#match mac address ARP_Packet
    
  3. Add an additional line to the same VLAN access map in order to forward the rest of the traffic.

    Switch(config)#vlan access-map block_arp 20
    Switch (config-access-map)#action forward
    
  4. Choose a VLAN access map and apply it to a VLAN interface.

    Enter the vlan filter vlan_access_map_name vlan-list vlan_number command.

    Switch(config)#vlan filter block_arp vlan-list 2
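As an added illustration (not part of this thread or of Cisco's document), the following Python helper emits the four-step VACL configuration from the document for the poster's host 0040.5a12.b066, and a small linter checks a pasted configuration for the problems visible in the poster's attempt: "no permit" lines (which remove entries rather than add them), no MAC ACL entry that identifies EtherType 0x806, no VLAN access map with "action drop", and no "vlan filter" binding. The host MAC and VLAN 2 are taken from the thread; the function names, the ACL/map names and the sample configurations are constructed here.

```python
"""Build and lint a Cisco IOS VLAN access map (VACL) that drops ARP to/from one host.

Constructed example: follows the mac access-list / vlan access-map / vlan filter
procedure quoted in the thread. Function names and sample configs are assumptions.
"""
import re

ARP_ETHERTYPE = "0x806"                    # Ethernet protocol type for ARP (RFC 826)
_PROMPT = re.compile(r"^[^#]*#\s*")        # strips e.g. "Switch(config-ext-macl)#"


def build_arp_block_config(host_mac, vlan, acl_name="ARP_Packet", map_name="block_arp"):
    """Return IOS config lines: MAC ACL matching ARP to/from host_mac, a VACL clause
    that drops that match, a catch-all forward clause, and the VLAN binding."""
    return [
        f"mac access-list extended {acl_name}",
        f" permit host {host_mac} any {ARP_ETHERTYPE} 0x0",   # ARP frames sent by the host
        f" permit any host {host_mac} {ARP_ETHERTYPE} 0x0",   # ARP frames sent to the host
        f"vlan access-map {map_name} 10",
        " action drop",
        f" match mac address {acl_name}",
        f"vlan access-map {map_name} 20",
        " action forward",                                    # forward the rest of the traffic
        f"vlan filter {map_name} vlan-list {vlan}",
    ]


def lint_arp_block_config(config_text):
    """Return a list of findings that would leave ARP unfiltered; empty list means OK."""
    lines = [_PROMPT.sub("", ln).strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln]
    findings = []

    # Step 1: the MAC ACL must actually contain entries that identify ARP.
    if any(ln.startswith("no permit") and ARP_ETHERTYPE in ln for ln in lines):
        findings.append("'no permit ...' removes an ACE instead of adding one; the ACL never matches ARP")
    if not any(ln.startswith("permit") and ARP_ETHERTYPE in ln for ln in lines):
        findings.append(f"no MAC ACL entry matches EtherType {ARP_ETHERTYPE}; ARP is not identified")
    acl_names = {m.group(1) for ln in lines
                 if (m := re.match(r"mac access-list extended (\S+)", ln))}

    # Steps 2-3: collect the VLAN access-map clauses and their action/match.
    clauses = []
    for ln in lines:
        m = re.match(r"vlan access-map (\S+) (\d+)", ln)
        if m:
            clauses.append({"map": m.group(1), "action": None, "match": None})
        elif clauses and ln.startswith("action "):
            clauses[-1]["action"] = ln.split()[1]
        elif clauses and ln.startswith("match mac address "):
            clauses[-1]["match"] = ln.split()[3]
    drop = [c for c in clauses if c["action"] == "drop" and c["match"] in acl_names]
    if not drop:
        findings.append("no 'vlan access-map' clause with 'action drop' matches the MAC ACL "
                        "(the document applies the ACL through a VLAN access map)")
    elif not any(c["map"] == drop[0]["map"] and c["action"] == "forward" and c["match"] is None
                 for c in clauses):
        findings.append("missing catch-all 'action forward' clause; the rest of the VLAN traffic is not forwarded")

    # Step 4: the map must be bound to a VLAN.
    filtered = {m.group(1) for ln in lines if (m := re.match(r"vlan filter (\S+) vlan-list", ln))}
    if not filtered:
        findings.append("no 'vlan filter <map> vlan-list <vlan>'; the access map is applied to no VLAN")
    elif drop and drop[0]["map"] not in filtered:
        findings.append("'vlan filter' binds a different map than the one that drops ARP")
    return findings


# Constructed copy of the poster's attempt (prompts included, as pasted in the thread).
POSTER_CONFIG = """\
swith(config)#mac access-list extended ARP_Block
swith(config-ext-macl)#no permit host 0040.5a12.b066 any 0x806 0x0
swith(config-ext-macl)#no permit any host 0040.5a12.b066 0x806 0x0
int gi0/8
mac access-group ARP_Block in
"""

if __name__ == "__main__":
    for finding in lint_arp_block_config(POSTER_CONFIG):
        print("poster config:", finding)
    fixed = build_arp_block_config("0040.5a12.b066", 2)
    print("\n".join(fixed))
    print("fixed config findings:", lint_arp_block_config("\n".join(fixed)))
```

Running it lists four findings for the pasted attempt and none for the generated configuration. The linter only checks the structure the document prescribes; it does not verify that a given platform supports VACLs, which is why the thread points to the model-dependent feature note.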
    