Hi all,

As any other access-list, an ARP access-list also has an implicit deny any any at the end and hence, even if there is a DHCP snooping entry, the ARP packet will be dropped if there is no entry in the access-list. As per the notes from Cisco given below, the implicit deny will be activated only when the "static" keyword is configured.

I have an ARP access-list with no entry and have applied it to the VLAN. Even without the "static" keyword, the ARP packets are dropped though I have a DHCP snooping binding available. Any thoughts?

ip arp inspection filter vlan

To permit ARPs from hosts that are configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command in global configuration mode. To disable this application, use the no form of this command.

ip arp inspection filter arp-acl-name vlan vlan-range [static]
no ip arp inspection filter arp-acl-name vlan vlan-range [static]

Syntax Description

arp-acl-name   Access control list name.
vlan-range     VLAN number or range; valid values are from 1 to 4094.
static         (Optional) Treats implicit denies in the ARP ACL as explicit denies and drops packets that do not match any previous clauses in the ACL.

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
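The following IOS configuration is an added example, not part of the original post or of Cisco's documentation. It puts the empty ARP ACL the poster describes next to an ACL that explicitly permits the static host, and shows where the "static" keyword from the quoted syntax note changes the outcome. The ACL name, VLAN number, IP address and MAC address are assumed placeholders.

```cisco
! Added example (not from the original post). Names, VLAN and addresses are
! assumed placeholders chosen for illustration.
!
! --- Prerequisite: DHCP snooping and DAI enabled on the VLAN ---
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! --- Weak setting: an ARP ACL with no entries applied to the VLAN ---
! Nothing in this ACL can match a permit clause, so every ARP packet hits
! the implicit deny at the end of the ACL. This is the situation the post
! describes, where ARPs are dropped despite a DHCP snooping binding.
arp access-list DAI-STATIC-HOSTS
!
ip arp inspection filter DAI-STATIC-HOSTS vlan 10
!
! --- Corrected setting: explicitly permit the static host's IP/MAC pair ---
! Remove the empty ACL binding first, then rebuild the ACL with a permit
! clause for the statically addressed host (10.0.10.50 / 0011.2233.4455 are
! assumed values). Hosts without a DHCP snooping binding must be listed here
! because DAI cannot learn them any other way.
no ip arp inspection filter DAI-STATIC-HOSTS vlan 10
no arp access-list DAI-STATIC-HOSTS
arp access-list DAI-STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455
!
! Without "static": ARPs that match the permit clause are allowed by the
! ACL; per the quoted syntax note the implicit deny is NOT treated as an
! explicit drop, so non-matching ARPs are still subject to the DHCP
! snooping binding check.
ip arp inspection filter DAI-STATIC-HOSTS vlan 10
!
! With "static": the implicit deny becomes an explicit deny and ARPs that
! match no clause are dropped regardless of any DHCP snooping binding. Use
! this only when every legitimate sender on the VLAN is listed in the ACL.
! ip arp inspection filter DAI-STATIC-HOSTS vlan 10 static
!
! --- Verification (standard IOS show commands) ---
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show arp access-list DAI-STATIC-HOSTS
! show ip dhcp snooping binding
```

When troubleshooting the drop the poster reports, compare the "ACL Drops" and "DHCP Drops" counters from show ip arp inspection statistics before and after adding the permit clause: a packet counted under ACL drops was denied by the ARP ACL itself, while a packet counted under DHCP drops got past the ACL and then failed the binding check.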
