ip arp inspection

Enables Dynamic ARP Inspection (DAI) on a VLAN.

Syntax

ip arp inspection
no ip arp inspection

Command Default

DAI is disabled.

Modes

VLAN configuration mode

Usage Guidelines

On untrusted interfaces of DAI-enabled VLANs, incoming ARP packets from permitted IP/MAC address pairs are accepted only if all of the following steps have been performed:
  • Create the ACL, using the arp access-list command.
  • In the ACL, create one or more rules, using the permit ip host command. Each rule specifies an IP/MAC address-pair.
  • Apply the ACL to one or more VLANs, using the ip arp inspection filter command.
  • Enable DAI on such VLANs, using the ip arp inspection command.

The no form of the command disables Dynamic ARP Inspection.

Examples

The following example creates an ARP access-list, applies it to VLAN 200, and enables DAI.

device# configure terminal
device(config)# arp access-list ARP_ACL_01
device(config-arp-acl)# permit ip host 1.1.1.1 mac host 0020.2222.2222
device(config-arp-acl)# permit ip host 1.1.1.2 mac host 0020.2222.2223
device(config-arp-acl)# exit
device(config)# vlan 200
device(conf-vlan-200)# ip arp inspection filter ARP_ACL_01
device(conf-vlan-200)# ip arp inspection
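
The following added example (not part of the original command reference or of the vendor's tooling) audits a list of configuration commands for VLANs where one of the four steps in the Usage Guidelines is missing. It assumes the input holds one command per line in the syntax shown above, without prompts; the sample configuration, VLANs 300 to 500, and the name ARP_ACL_02 are constructed for illustration.

```python
import re

# Constructed sample: commands in the syntax shown on this page, one per line.
SAMPLE = """\
arp access-list ARP_ACL_01
 permit ip host 1.1.1.1 mac host 0020.2222.2222
vlan 200
 ip arp inspection filter ARP_ACL_01
 ip arp inspection
vlan 300
 ip arp inspection
vlan 400
 ip arp inspection filter ARP_ACL_02
 ip arp inspection
vlan 500
 ip arp inspection filter ARP_ACL_01
"""

def parse(config):
    """Return (acls, vlans) parsed from the command lines."""
    acls, vlans, ctx = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"arp access-list (\S+)", line):
            ctx = acls.setdefault(m[1], [])          # enter ACL context
        elif m := re.fullmatch(r"vlan (\d+)", line):
            ctx = vlans.setdefault(int(m[1]), {"dai": False, "filter": None})
        elif m := re.fullmatch(r"permit ip host (\S+) mac host (\S+)", line):
            if isinstance(ctx, list):                # rule only counts inside an ACL
                ctx.append((m[1], m[2].lower()))
        elif isinstance(ctx, dict):                  # inside a VLAN context
            if m := re.fullmatch(r"ip arp inspection filter (\S+)", line):
                ctx["filter"] = m[1]
            elif line in ("ip arp inspection", "no ip arp inspection"):
                ctx["dai"] = not line.startswith("no ")
    return acls, vlans

def audit(config):
    """Return {vlan_id: finding} for VLANs where a step is missing."""
    acls, vlans = parse(config)
    findings = {}
    for vid, v in sorted(vlans.items()):
        name = v["filter"]
        if name is None and v["dai"]:
            findings[vid] = "DAI enabled but no ARP ACL applied"
        elif name is not None and not acls.get(name):
            findings[vid] = f"ACL {name} is undefined or has no permit rule"
        elif name is not None and not v["dai"]:
            findings[vid] = "ARP ACL applied but DAI not enabled"
    return findings
```

Calling audit(SAMPLE) reports VLANs 300, 400 and 500 and leaves VLAN 200, which matches the example above, out of the findings.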