Creates an Address Resolution Protocol (ARP) access control list (ACL), which is one of the steps in implementing Dynamic ARP Inspection (DAI) on a VLAN.
By default, no ARP ACLs are defined.
Global configuration mode
Interface subtype configuration mode
You can also append the permit ip host command to the arp access-list command.
You also need ARP ACLs to implement ARP Guard on a physical or port-channel interface.
The no form of the command deletes the ARP ACL if the ACL is not applied on any VLAN or port.
The following example creates an ARP ACL named "host2" and then defines one permit rule in that ACL.
device# configure terminal
device(config)# arp access-list host2
device(config-arp-acl)# permit ip host 1.1.1.1 mac host 0000.0011.0022
The following example creates an ARP ACL, defines permit ip host rules within it, applies the ACL to a VLAN, and enables Dynamic ARP Inspection (DAI) on the VLAN.
device# configure terminal
device(config)# arp access-list arp_acl_1
device(config-arp-acl)# permit ip host 1.1.1.1 mac host 0020.2222.2222
device(config-arp-acl)# permit ip host 1.1.1.2 mac host 0020.2222.2223
device(config-arp-acl)# exit
device(config)# vlan 200
device(config-vlan-200)# ip arp inspection filter arp_acl_1
device(conf-vlan-200)# ip arp inspection
The following example creates an ARP ACL, defines permit ip host rules within it, and applies the ACL to an interface. This is the first stage of ARP Guard implementation.
device# configure terminal
device(config)# arp access-list arp_acl_2
device(config-arp-acl)# permit ip host 1.1.1.1 mac host 0020.2222.2222
device(config-arp-acl)# permit ip host 1.1.1.2 mac host 0020.2222.2223
device(config-arp-acl)# exit
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# switchport
device(conf-if-eth-1/2)# ip arp inspection filter arp_acl_2
Note
At this point in the flow, ARP Guard is not yet enabled. For enablement details, refer to the "ARP Guard" section of the Extreme SLX-OS Layer 3 Routing Configuration Guide.
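The following audit script is an added example, not part of the original command reference or of any Extreme tooling. It checks a configuration for ARP ACLs that are empty, unapplied, or referenced but undefined, and for VLANs where a filter is applied but DAI is not enabled. It assumes a saved configuration uses the same command syntax shown in the examples above, with sub-commands indented under their stanza; the names `audit`, `PERMIT`, and `SAMPLE_CONFIG` are hypothetical.

```python
import re

# Constructed sample; assumes saved config mirrors the commands on this page,
# with sub-commands indented under their "arp access-list"/"vlan"/"interface" line.
SAMPLE_CONFIG = """\
arp access-list arp_acl_1
 permit ip host 1.1.1.1 mac host 0020.2222.2222
 permit ip host 1.1.1.2 mac host 0020.2222.2223
arp access-list arp_acl_2
 permit ip host 1.1.1.1 mac host 0020.2222.2222
arp access-list unused_acl
vlan 200
 ip arp inspection filter arp_acl_1
 ip arp inspection
vlan 300
 ip arp inspection filter arp_acl_2
interface ethernet 1/2
 ip arp inspection filter missing_acl
"""

PERMIT = re.compile(r"permit ip host (\d{1,3}(?:\.\d{1,3}){3}) mac host "
                    r"([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})$")

def audit(config):
    """Return sorted findings on ARP ACL definitions and where they are applied."""
    acls, filters, dai_vlans, section = {}, [], set(), ""
    for raw in filter(str.strip, config.splitlines()):   # skip blank lines
        line = raw.strip()
        if not raw[0].isspace():                          # unindented: new stanza
            section = line
            if line.startswith("arp access-list "):
                acls.setdefault(line.split()[2], [])
        elif section.startswith("arp access-list "):
            if m := PERMIT.match(line):
                acls[section.split()[2]].append(m.groups())
        elif line.startswith("ip arp inspection filter "):
            filters.append((section, line.split()[4]))
        elif line == "ip arp inspection" and section.startswith("vlan "):
            dai_vlans.add(section)
    # Interface filters are only checked for a defined ACL: the ARP Guard
    # enable command is not given on this page.
    findings = [f"{w}: filter references undefined ACL {n}" for w, n in filters if n not in acls]
    findings += [f"{w}: filter {n} applied but DAI not enabled"
                 for w, n in filters if w.startswith("vlan ") and w not in dai_vlans]
    findings += [f"ACL {n}: no permit rules" for n, r in acls.items() if not r]
    applied = {n for _, n in filters}
    findings += [f"ACL {n}: defined but not applied" for n in acls if n not in applied]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```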