Hi Tyson,

I agree that if the ARP ACL denies, then the DHCP snooping binding won't be looked up. Can you please let me know the purpose of the "static" keyword?
With regards,
Kings

On Wed, Mar 31, 2010 at 6:45 PM, Tyson Scott <[email protected]> wrote:

> Kingsley,
>
> Actually, ARP ACLs do not work in conjunction with snooping. They are
> specifically for environments without DHCP. The DHCP snooping database is
> not checked as a precursor to the ACL.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Wednesday, March 31, 2010 8:11 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] ARP access-list with static
>
> Hi all,
>
> As with any other access-list, an ARP access-list also has an implicit deny any any
> at the end and hence, even if there is a DHCP snooping entry, the ARP packet
> will be dropped if there is no entry in the access-list. As per the notes
> from Cisco given below, the implicit deny will be activated only when
> the "static" keyword is configured.
>
> I have an ARP access-list with no entry and have applied it to the VLAN.
>
> Even without the "static" keyword, the ARP packets are dropped though I
> have a DHCP snooping binding available.
>
> Any thoughts?
>
> ip arp inspection filter vlan
>
> To permit ARPs from hosts that are configured for static IP when DAI is
> enabled and to define an ARP access list and apply it to a VLAN, use the
> ip arp inspection filter vlan command in global configuration mode. To
> disable this application, use the no form of this command.
>
> ip arp inspection filter arp-acl-name vlan vlan-range [static]
>
> no ip arp inspection filter arp-acl-name vlan vlan-range [static]
>
> Syntax Description
>
> arp-acl-name: Access control list name.
>
> vlan-range: VLAN number or range; valid values are from 1 to 4094.
>
> static: (Optional) Treats implicit denies in the ARP ACL as explicit denies and
> drops packets that do not match any previous clauses in the ACL.
>
> With regards
> Kings
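A configuration showing the two forms of the command the thread discusses, added here as an illustration and not taken from the thread or from Cisco's documentation; the VLAN number, host address, MAC address and uplink interface are assumed values.

```cisco
! Added example (not from the thread). Assumed: VLAN 10, a statically
! addressed host 10.0.0.50 / 0011.2233.4455, uplink Gi0/1 to the DHCP server.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet0/1
 description uplink to DHCP server (trusted, not inspected)
 ip dhcp snooping trust
 ip arp inspection trust
!
! ARP ACL listing the static host(s) that have no DHCP snooping binding.
arp access-list STATIC-HOSTS
 permit ip host 10.0.0.50 mac host 0011.2233.4455
!
! Form 1, without "static": an ARP packet that matches no clause is not
! dropped by the ACL's implicit deny; per Cisco's DAI documentation it is
! then validated against the DHCP snooping binding table instead.
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Form 2, with "static": the implicit deny is treated as an explicit deny,
! so any ARP packet not matching a clause is dropped and the snooping
! bindings are never consulted (only the listed static hosts can ARP).
! ip arp inspection filter STATIC-HOSTS vlan 10 static
```

`show ip arp inspection vlan 10` reports which ACL is applied and whether it is in static mode, and `show ip arp inspection statistics vlan 10` separates ACL drops from DHCP-binding drops, which is the quickest way to tell which check discarded a packet.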
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
