Using VACLs in Your Network
Note: To make sure DAI ports function properly, a permit arp-inspection any any ACE should be present in the PACL (ACL mapped to a DAI-enabled port).

Note: For DAI to function with hosts that have static IP, make sure to add static DHCP-snooping binding entries on the port instead of a static ARP-inspection rule in the PACL (ACL mapped to a DAI-enabled port).
This example shows how to enable dynamic ARP inspection (DAI) on port 1/48:
Console> (enable) set port security-acl 1/48 port-based
Warning: Vlan-based ACL features will be disabled on ports 1/48
ACL interface is set to port-based mode for port(s) 1/48.
Console> (enable) set security acl arp-inspection dynamic enable port 1/48
Dynamic ARP Inspection enabled on port 1/48.
Console> (enable) show security acl arp-inspection config
Match-mac feature is disabled.
Address-validation feature is disabled.
Dynamic ARP Inspection is disabled on vlan(s) 1-20,50.
Dynamic ARP Inspection is enabled on ports 1/48.
Dynamic ARP Inspection is disabled on ports 1/1-47,4/1-48,5/1-2.
Logging for Dynamic ARP Inspection rules is disabled.
Console> (enable) set security acl ip dai permit dhcp-snooping
Successfully configured DHCP Snooping for ACL dai. Use 'commit' command to save changes.
Console> (enable) set security acl ip dai permit arp-inspection any any
dai editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip dai permit ip any any
dai editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl dai
Console> (enable) ACL commit in progress.
ACL 'dai' successfully committed.
Console> (enable) set security acl map dai 1/48
Mapping in progress.
To configure DAI, perform this task in privileged mode:

Task                                                            Command
Step 1  Enable DAI on a VLAN.                                   set security acl arp-inspection dynamic {enable | disable} [vlanlist | port mod/port]
Step 2  Enable or disable the inspection of the ARP packets.    set port arp-inspection portlist trust {enable | disable}
Step 3  Enable logging of the packets denied by DAI.            set security acl arp-inspection dynamic log {enable | disable}
Step 4  Verify the DAI and DAI logging configuration.           show security acl arp-inspection config

Note: Logging of static ARP rule denials is still controlled by the rule (ACE) CPG.

This example shows how to enable DAI on VLAN 100:
Console> (enable) set security acl arp-inspection dynamic enable 100

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Chapter 15 Configuring Access Control
OL-8978-04
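As an added example (not part of the guide or of Cisco's software), the following Python check parses the show security acl arp-inspection config output shown in this section and reports VLANs or ports that the operator intended to inspect but that DAI does not cover, plus whether DAI logging is off. The sample output is the one captured above; the sets of required VLANs and ports are assumptions passed in by the caller.

```python
import re

# Constructed sample: the "show security acl arp-inspection config" output shown
# in this section, captured after DAI was enabled on port 1/48 only.
SAMPLE_OUTPUT = """\
Match-mac feature is disabled.
Address-validation feature is disabled.
Dynamic ARP Inspection is disabled on vlan(s) 1-20,50.
Dynamic ARP Inspection is enabled on ports 1/48.
Dynamic ARP Inspection is disabled on ports 1/1-47,4/1-48,5/1-2.
Logging for Dynamic ARP Inspection rules is disabled.
"""

STATE_RE = re.compile(r"Dynamic ARP Inspection is (enabled|disabled) on (vlan\(s\)|ports) (\S+)\.")
LOG_RE = re.compile(r"Logging for Dynamic ARP Inspection rules is (enabled|disabled)\.")

def expand(spec):
    """Expand CatOS lists: '1-20,50' -> {'1',...,'20','50'}; '1/1-47,4/1' -> {'1/1',...,'4/1'}."""
    items = set()
    for part in spec.split(","):
        prefix, _, rng = part.rpartition("/")      # module prefix only for ports
        lo, _, hi = rng.partition("-")
        items.update(f"{prefix}/{n}" if prefix else str(n)
                     for n in range(int(lo), int(hi or lo) + 1))
    return items

def parse_dai_config(text):
    """Return per-VLAN and per-port DAI state plus the logging flag."""
    state = {"vlans": {}, "ports": {}, "logging": False}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            key = "vlans" if m.group(2).startswith("vlan") else "ports"
            for item in expand(m.group(3)):
                state[key][item] = m.group(1) == "enabled"
        m = LOG_RE.match(line)
        if m:
            state["logging"] = m.group(1) == "enabled"
    return state

def dai_findings(state, required_vlans, required_ports):
    """List gaps between the parsed state and the intended DAI policy (assumed inputs)."""
    findings = [f"vlan {v}: DAI not enabled" for v in sorted(required_vlans)
                if not state["vlans"].get(v)]
    findings += [f"port {p}: DAI not enabled" for p in sorted(required_ports)
                 if not state["ports"].get(p)]
    if not state["logging"]:
        findings.append("DAI logging disabled: denied ARP packets will not be logged")
    return findings
```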