ip arp inspection filter
Applies an Address Resolution Protocol (ARP) ACL to a VLAN, which is one of the steps in implementing Dynamic ARP Inspection (DAI) on a VLAN.
Syntax
ip arp inspection filter ACL-name
no ip arp inspection filter
Command Default
No ARP ACL is applied.
Parameters
- ACL-name: Specifies which ACL is applied to the VLAN or interface.
Modes
VLAN configuration mode
Interface subtype configuration mode
Usage Guidelines
On untrusted interfaces of DAI-enabled VLANs, incoming ARP packets from permitted IP/MAC addresses are accepted only if all of the following steps were performed:
- Create the ACL, using the arp access-list command.
- In the ACL, create one or more rules, using the permit ip host command. Each rule specifies an IP/MAC address-pair.
- Apply the ACL to one or more VLANs, using the ip arp inspection filter command.
- Enable DAI on such VLANs, using the ip arp inspection command.
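The four steps above can be checked offline against a saved configuration. The following Python code is an added example, not vendor code; the configuration layout (indented sub-commands under arp access-list and vlan stanzas), the "mac host" part of the rule, and every name and address in the sample are assumptions constructed for illustration.

```python
import re

# Constructed running-config excerpt; layout and the "mac host" part are assumed.
# VLAN 300 names an ACL that was never created; VLAN 400 lacks rules and DAI.
SAMPLE_CONFIG = """\
arp access-list ARP_ACL_01
 permit ip host 192.0.2.10 mac host 0000.5e00.5310
arp access-list ARP_ACL_EMPTY
vlan 200
 ip arp inspection filter ARP_ACL_01
 ip arp inspection
vlan 300
 ip arp inspection filter ARP_ACL_MISSING
 ip arp inspection
vlan 400
 ip arp inspection filter ARP_ACL_EMPTY
"""

def audit_dai(config):
    """Return {vlan: [steps still missing]} for every VLAN stanza."""
    acls, vlans, ctx = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # unindented line starts a new stanza
            m = re.fullmatch(r"(arp access-list|vlan)\s+(\S+)", line)
            ctx = None
            if m and m.group(1) == "vlan":
                ctx = vlans.setdefault(m.group(2), {"filter": None, "dai": False})
            elif m:
                ctx = acls.setdefault(m.group(2), [])
        elif isinstance(ctx, list) and line.startswith("permit ip host "):
            ctx.append(line)  # step 2: an IP/MAC rule inside the ACL
        elif isinstance(ctx, dict) and line == "ip arp inspection":
            ctx["dai"] = True  # step 4: DAI enabled on the VLAN
        elif isinstance(ctx, dict) and (m := re.fullmatch(r"ip arp inspection filter (\S+)", line)):
            ctx["filter"] = m.group(1)  # step 3: ACL applied to the VLAN
    report = {}
    for vid, v in vlans.items():
        gaps = []
        if v["filter"] is None:
            gaps.append("no ARP ACL applied")
        elif v["filter"] not in acls:
            gaps.append("ACL %s not created" % v["filter"])
        elif not acls[v["filter"]]:
            gaps.append("ACL %s has no permit rules" % v["filter"])
        if not v["dai"]:
            gaps.append("DAI not enabled")
        report[vid] = gaps
    return report
```

Calling audit_dai(SAMPLE_CONFIG) returns an empty list for VLAN 200 and the missing steps for VLANs 300 and 400.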
For ARP Guard, this command applies an ARP ACL to a physical or port-channel interface.
The no form of the command removes the current ARP ACL from the VLAN or interface.
Examples
The following example applies an ARP ACL named ARP_ACL_01 to VLAN 200.
device# configure terminal
device(conf)# vlan 200
device(conf-vlan-200)# ip arp inspection filter ARP_ACL_01