Enable ARP Guard on an Interface or Port-channel

You can enable ARP Guard on a physical interface or a port-channel.

Procedure

  1. Access global configuration mode. 
    device# configure terminal
  2. Create an ACL to enable ARP Guard. 
    device(config)# mac access-list extended arp_guard_enable_1
    This example creates an ACL named arp_guard_enable_1.
  3. In the ACL, create the rules that you want to implement. 
    device(conf-macl-ext)# permit host 0014.2211.1111 any vlan 100 arp arp-guard
device(conf-macl-ext)# permit host 0014.2211.1112 any vlan 101 arp arp-guard
device(conf-macl-ext)# deny any any arp
device(conf-macl-ext)# permit any any
  4. Access interface configuration mode. 
    device(conf)# interface ethernet 1/2
  5. Access Layer 2 mode. 
    device(conf-if-eth-1/2)# switchport
  6. Specify the ACL and the in direction. 
    device(conf-if-eth-1/2)# mac access-group arp_guard_enable_1 in

Example

The following example summarizes the commands in this procedure.
device# configure terminal
device(config)# mac access-list extended arp_guard_enable_1
device(conf-macl-ext)# permit host 0014.2211.1111 any vlan 100 arp arp-guard
device(conf-macl-ext)# permit host 0014.2211.1112 any vlan 101 arp arp-guard
device(conf-macl-ext)# deny any any arp
device(conf-macl-ext)# permit any any
device(conf)# interface ethernet 1/2
device(conf-if-eth-1/2)# switchport
device(conf-if-eth-1/2)# mac access-group arp_guard_enable_1 in
9036691-01 Rev AA