Marko,
Did you just prove what I stated was correct?
Here, my friend:
SW1's configuration:
Switch#sh run
Building configuration...
ip arp inspection vlan 100
ip arp inspection filter TST vlan 100 static
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
arp access-list TST
permit ip host 10.1.1.1 mac host 0000.1111.1111
permit ip host 10.1.1.2 mac host 0000.2222.2222
!
R1's config:
R1#sh run int f0/0
Building configuration...
Current configuration : 121 bytes
!
interface FastEthernet0/0
mac-address 0000.1111.1111
ip address 10.1.1.1 255.255.255.0
R2's config:
R2#sh run int f0/0
Building configuration...
Current configuration : 93 bytes
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
mac-address 0000.2222.2222
To test the configuration:
On R1
R1#Ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
To test the DAI:
On R2
R2(config)#int f0/0
R2(config-if)#no Mac-address
R1#Show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - 0000.1111.1111 ARPA FastEthernet0/0
Internet 10.1.1.2 2 0000.2222.2222 ARPA FastEthernet0/0
R1#clea ip arp 10.1.1.2
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - 0000.1111.1111 ARPA FastEthernet0/0
R1#Ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Now if you check SW1's console messages, you will see the following:
00:20:21: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 100.([0012.d913.5410/10.1.1.2/0000.1111.1111/10.1.1.1/00:20:20 UTC Mon Mar 1 1993])
00:20:21: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/2, vlan 100.([0012.d913.5410/10.1.1.2/ffff.ffff.ffff/10.1.1.2/00:20:20 UTC Mon Mar 1 1993])
00:22:57: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/2, vlan 100.([0012.d913.5410/10.1.1.2/0000.1111.1111/10.1.1.1/00:22:56 UTC Mon Mar 1 1993])
00:22:59: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/2, vlan 100.([0012.d913.5410/10.1.1.2/0000.1111.1111/10.1.1.1/00:22:58 UTC Mon Mar 1 1993])
00:23:01: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/2, vlan 100.([0012.d913.5410/10.1.1.2/0000.1111.1111/10.1.1.1/00:23:00 UTC Mon Mar 1 1993])
00:23:03: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/2, vlan 100.([0012.d913.5410/10.1.1.2/0000.1111.1111/10.1.1.1/00:23:02 UTC Mon Mar 1 1993])
00:23:05: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/2, vlan 100.([0012.d913.5410/10.1.1.2/0000.1111.1111/10.1.1.1/00:23:04 UTC Mon Mar 1 1993])
Now let's add the true MAC address of R2 in the ARP access-list:
Switch(config)#arp access-list TST
Switch(config-arp-nacl)#permit ip host 10.1.1.2 mac host 0012.d913.5410
Let's display it:
arp access-list TST
permit ip host 10.1.1.1 mac host 0000.1111.1111
permit ip host 10.1.1.2 mac host 0000.2222.2222
permit ip host 10.1.1.2 mac host 0012.d913.5410
Let's test it:
R1#Ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Note the DHCP snooping database was NOT checked at all, and this is what I
stated.
On Tue, Mar 23, 2010 at 5:56 PM, Marko Milivojevic
<markom_at_ipexpert.com> wrote:
> On Tue, Mar 23, 2010 at 23:05, olugbenga lasisi <logpoet_at_gmail.com> wrote:
> > nice one Marko.. when in doubt lab it up :)
>
> The only approach that works.
>
> --
> Marko Milivojevic - CCIE #18427
> Senior Technical Instructor - IPexpert
>
> YES! We include 400 hours of REAL rack
> time with our Blended Learning Solution!
>
> Mailto: markom_at_ipexpert.com
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Web: http://www.ipexpert.com/
>
--
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining.com
Sr. Technical Instructor
YES! We take Cisco Learning Credits!
Training And Remote Racks available
Blogs and organic groups at http://www.ccie.net

Received on Wed Mar 24 2010 - 02:16:57 ART
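Added example (not part of the thread, and not Cisco code): a small Python model of the lookup order the lab above demonstrates for `ip arp inspection filter <acl> vlan <n> [static]`, plus a parser for the `%SW_DAI-4-ACL_DENY` console messages, so the denials can be matched against the ARP ACL automatically. The model assumes the documented order (ARP ACL first; an explicit match wins; no match is the implicit deny, which with `static` is final and without `static` falls back to the DHCP snooping bindings). The field order inside the brackets is assumed to be sender MAC / sender IP / target MAC / target IP / timestamp, which is consistent with the packets in the thread (R2 at 10.1.1.2 asking for R1 at 10.1.1.1). The sample log lines are constructed from the values in the thread; function and class names are my own.

```python
"""Model of DAI's ARP-ACL decision plus a parser for %SW_DAI-4-ACL_DENY lines.

Added example; not code from the thread or from Cisco. Assumes the
bracketed fields are sender MAC / sender IP / target MAC / target IP / time.
"""
import re
from dataclasses import dataclass

# Constructed sample: the first two denials from the thread, one per line.
SAMPLE_LOG = """\
00:20:21: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 100.([0012.d913.5410/10.1.1.2/0000.1111.1111/10.1.1.1/00:20:20 UTC Mon Mar 1 1993])
00:20:21: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/2, vlan 100.([0012.d913.5410/10.1.1.2/ffff.ffff.ffff/10.1.1.2/00:20:20 UTC Mon Mar 1 1993])
"""

LOG_RE = re.compile(
    r"%SW_DAI-4-ACL_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<port>[^,]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<sender_mac>[0-9a-f.]+)/(?P<sender_ip>[\d.]+)/"
    r"(?P<target_mac>[0-9a-f.]+)/(?P<target_ip>[\d.]+)/(?P<ts>[^\]]+)\]\)"
)


def parse_dai_denials(text):
    """Return one dict per %SW_DAI-4-ACL_DENY line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            d["vlan"] = int(d["vlan"])
            out.append(d)
    return out


@dataclass(frozen=True)
class ArpAce:
    """One 'permit|deny ip host <ip> mac host <mac>' line of an arp access-list."""
    action: str  # "permit" or "deny"
    ip: str
    mac: str


def dai_verdict(sender_ip, sender_mac, acl, static, dhcp_bindings):
    """Assumed DAI lookup order for a VLAN that has an ARP ACL applied.

    1. The ARP ACL is checked against the sender IP/MAC pair.
    2. An explicit match wins, whether permit or deny.
    3. No match is the ACL's implicit deny: with the 'static' keyword the
       packet is dropped; without it DAI consults the DHCP snooping
       binding table (dhcp_bindings maps ip -> mac).
    Returns (verdict, reason).
    """
    for ace in acl:
        if ace.ip == sender_ip and ace.mac == sender_mac:
            return ace.action, "arp-acl explicit %s" % ace.action
    if static:
        return "deny", "arp-acl implicit deny (static: no DHCP snooping fallback)"
    if dhcp_bindings.get(sender_ip) == sender_mac:
        return "permit", "dhcp-snooping binding"
    return "deny", "no arp-acl match and no dhcp-snooping binding"


# The ACL as configured in the thread (R2 still bound to its overridden MAC).
ACL_TST = [
    ArpAce("permit", "10.1.1.1", "0000.1111.1111"),
    ArpAce("permit", "10.1.1.2", "0000.2222.2222"),
]


def explain(log_text, acl, static, dhcp_bindings=None):
    """Pair each parsed denial with the verdict the model gives for it."""
    dhcp_bindings = dhcp_bindings or {}
    rows = []
    for d in parse_dai_denials(log_text):
        verdict, reason = dai_verdict(
            d["sender_ip"], d["sender_mac"], acl, static, dhcp_bindings
        )
        rows.append((d["port"], d["kind"], d["sender_ip"], d["sender_mac"], verdict, reason))
    return rows


if __name__ == "__main__":
    print("ACL TST as first configured, static:")
    for row in explain(SAMPLE_LOG, ACL_TST, static=True):
        print(" ", row)
    # After 'permit ip host 10.1.1.2 mac host 0012.d913.5410' is added:
    fixed = ACL_TST + [ArpAce("permit", "10.1.1.2", "0012.d913.5410")]
    print("ACL TST with R2's real MAC added, static:")
    for row in explain(SAMPLE_LOG, fixed, static=True):
        print(" ", row)
```

Run it and the first pass reports both sample denials as `deny` via the static implicit deny, the second pass reports `permit` once R2's burned-in MAC is in the ACL, which mirrors the lab. Calling `dai_verdict` with `static=False` and a matching binding in `dhcp_bindings` is the case the lab never exercises: there the same packet would be permitted by the DHCP snooping table instead.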