Ip arp inspection filter – LevelOne FGL-2870 User Manual

Command Line Interface
• When ARP Inspection is enabled globally and enabled on selected VLANs, all
ARP request and reply packets on those VLANs are redirected to the CPU
and their switching is handled by the ARP Inspection engine.
• When ARP Inspection is disabled globally, it becomes inactive for all VLANs,
including those where ARP Inspection is enabled.
• When ARP Inspection is disabled, all ARP request and reply packets bypass
the ARP Inspection engine and their manner of switching matches that of all
other packets.
• Disabling and then re-enabling global ARP Inspection will not affect the ARP
Inspection configuration for any VLANs.
• When ARP Inspection is disabled globally, it is still possible to configure ARP
Inspection for individual VLANs. These configuration changes will only
become active after ARP Inspection is globally enabled again.
Example
Console(config)#ip arp inspection vlan 1,2
Console(config)#
ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no
form to remove an ACL binding.
Syntax
ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
• arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters)
• vlan-id - VLAN ID. (Range: 1-4094)
• vlan-range - A consecutive range of VLANs indicated by the use of a hyphen,
or a random group of VLANs with each entry separated by a comma.
• static - ARP packets are only validated against the specified ACL; address
bindings in the DHCP snooping database are not checked.
Default Setting
ARP ACLs are not bound to any VLAN
Static mode is not enabled
Command Mode
Global Configuration
Command Usage
• ARP ACLs are configured with the commands described on page 4-210.
• If static mode is enabled, the switch compares ARP packets to the specified
ARP ACLs. Packets matching an IP-to-MAC address binding in a permit or
deny rule are processed accordingly. Packets not matching any of the ACL
rules are dropped. Address bindings in the DHCP snooping database are not
checked.
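The following Python model is an added illustration, not code from the manual or the switch firmware. It walks the global/VLAN enable rules and the static-mode filter behaviour described above through a few constructed ARP bindings. The class and function names, the sample addresses, and first-match rule ordering are assumptions.

```python
# Added illustration: a model of the rules above, not switch firmware.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ArpRule:
    action: str   # "permit" or "deny"
    ip: str
    mac: str

@dataclass
class ArpInspection:
    global_enabled: bool = False
    vlans: set = field(default_factory=set)             # VLANs with inspection enabled
    static_filters: dict = field(default_factory=dict)  # vlan-id -> ordered ARP ACL rules

    def verdict(self, vlan, ip, mac):
        # Inspection is active only when enabled globally AND on the VLAN;
        # otherwise ARP is switched like any other packet.
        if not (self.global_enabled and vlan in self.vlans):
            return "bypass"
        rules = self.static_filters.get(vlan)
        if rules is None:
            # No static filter bound: this page does not describe that
            # validation path, so the model does not decide it.
            return "not-modelled"
        for rule in rules:  # assumption: first matching rule wins
            if rule.ip == ip and rule.mac.lower() == mac.lower():
                return "forward" if rule.action == "permit" else "drop"
        return "drop"  # static mode: no matching rule means the packet is dropped

def demo():
    # Constructed sample bindings (documentation address range, made-up MACs).
    acl = [ArpRule("permit", "192.0.2.10", "00:11:22:33:44:55"),
           ArpRule("deny", "192.0.2.20", "00:11:22:33:44:66")]
    sw = ArpInspection(vlans={1, 2}, static_filters={1: acl})
    results = {"globally disabled": sw.verdict(1, "192.0.2.10", "00:11:22:33:44:55")}
    sw.global_enabled = True  # per-VLAN settings made earlier now take effect
    results["permitted binding"] = sw.verdict(1, "192.0.2.10", "00:11:22:33:44:55")
    results["denied binding"] = sw.verdict(1, "192.0.2.20", "00:11:22:33:44:66")
    results["spoofed MAC"] = sw.verdict(1, "192.0.2.10", "de:ad:be:ef:00:01")
    results["unlisted host"] = sw.verdict(1, "192.0.2.30", "00:11:22:33:44:77")
    results["uninspected VLAN"] = sw.verdict(3, "192.0.2.30", "00:11:22:33:44:77")
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "unlisted host" case is the one to plan for: with static mode bound to a VLAN, every legitimate host on that VLAN needs a permit rule in the ARP ACL, because DHCP snooping bindings are not consulted.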