Oops, sorry, it's 12.2(46)SE :-)

With regards
Kings

On Wed, Mar 31, 2010 at 7:37 PM, Tyson Scott <[email protected]> wrote:

> 8.0(5)? In this thread we are talking about the Catalyst switch.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Wednesday, March 31, 2010 9:45 AM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] ARP access-list with static
>
> Image version is 8.0(5).
>
> With regards
> Kings
>
> On Wed, Mar 31, 2010 at 7:13 PM, Tyson Scott <[email protected]> wrote:
>
> Hmm... seems conflicting statements in the documentation. What version of
> code are you using for your testing?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Wednesday, March 31, 2010 9:28 AM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] ARP access-list with static
>
> Hi Tyson
>
> I agree that if the arp acl denies, then the dhcp snooping won't be looked
> up. Can you please let me know the purpose of the "static" keyword?
>
> With regards
> Kings
>
> On Wed, Mar 31, 2010 at 6:45 PM, Tyson Scott <[email protected]> wrote:
>
> Kingsley,
>
> Actually, ARP ACLs do not work in conjunction with Snooping. They are
> specifically for environments without DHCP. The DHCP snooping database is
> not checked as a precursor to the ACL.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* Wednesday, March 31, 2010 8:11 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] ARP access-list with static
>
> Hi all
>
> As any other access-list, arp access-list also has an implicit deny any any
> at the end and hence, even if there is a dhcp snooping entry, the ARP packet
> will be dropped, if there is no entry in the access-list. As per the notes
> from Cisco given below, the implicit deny will be activated only when
> the "static" keyword is configured.
>
> I have an arp access-list with no entry and have applied it to the vlan.
>
> Even without the "static" keyword, the ARP packets are dropped though I
> have a dhcp snooping binding available.
>
> Any thoughts?
>
> ip arp inspection filter vlan
>
> To permit ARPs from hosts that are configured for static IP when DAI is
> enabled and to define an ARP access list and apply it to a VLAN, use the
> *ip arp inspection filter vlan* command in global configuration mode. To
> disable this application, use the *no* form of this command.
>
> *ip arp inspection filter* *arp-acl-name* *vlan* *vlan-range* [*static*]
>
> *no* *ip arp inspection filter* *arp-acl-name* *vlan* *vlan-range* [*static*]
>
> Syntax Description
>
> *arp-acl-name*
> Access control list name.
>
> *vlan-range*
> VLAN number or range; valid values are from 1 to 4094.
>
> *static*
> (Optional) Treats implicit denies in the ARP ACL as explicit denies and
> drops packets that do not match any previous clauses in the ACL.
>
> With regards
> Kings
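
The evaluation order that the quoted command reference describes for the `static` keyword, modelled as an added example that is not part of the original thread. It encodes the documented behaviour as an assumption (ARP ACL first, DHCP snooping bindings consulted only when no clause matches and `static` is absent), not what any particular image does; all names and sample data are constructed.

```python
# Model of the documented DAI decision order for an ARP packet received on
# an untrusted port in a VLAN that has an ARP ACL filter applied.
# Assumption: behaviour follows the command reference quoted in the thread.
from typing import NamedTuple, Optional

class AclEntry(NamedTuple):
    action: str   # "permit" or "deny"
    ip: str       # sender IP, or "any"
    mac: str      # sender MAC, or "any"

def acl_match(acl, ip, mac) -> Optional[str]:
    """Return the action of the first matching clause, or None if none match."""
    for entry in acl:
        if entry.ip in ("any", ip) and entry.mac in ("any", mac):
            return entry.action
    return None

def dai_verdict(ip, mac, vlan, acl, static, bindings):
    """Return (verdict, stage) for one ARP sender IP/MAC pair."""
    action = acl_match(acl, ip, mac)
    if action == "permit":
        return ("forward", "arp-acl permit")
    if action == "deny":
        return ("drop", "arp-acl explicit deny")
    # No clause matched: this is the implicit deny the thread is about.
    if static:
        return ("drop", "arp-acl implicit deny (static)")
    # Without "static", the DHCP snooping binding table decides.
    if (ip, mac, vlan) in bindings:
        return ("forward", "dhcp snooping binding")
    return ("drop", "no dhcp snooping binding")

# Constructed sample data: one DHCP client and one statically addressed host.
BINDINGS = {("10.1.1.10", "0011.2233.4455", 10)}
STATIC_HOST_ACL = [AclEntry("permit", "10.1.1.50", "00aa.bbcc.ddee")]

if __name__ == "__main__":
    cases = [
        ("empty ACL, no static", [], False, "10.1.1.10", "0011.2233.4455"),
        ("empty ACL, static", [], True, "10.1.1.10", "0011.2233.4455"),
        ("static host, static", STATIC_HOST_ACL, True, "10.1.1.50", "00aa.bbcc.ddee"),
        ("spoofed MAC, no static", STATIC_HOST_ACL, False, "10.1.1.10", "0011.2233.9999"),
    ]
    for name, acl, static, ip, mac in cases:
        print(f"{name:24} -> {dai_verdict(ip, mac, 10, acl, static, BINDINGS)}")
```

On a switch, the ACL Drops and DHCP Drops counters in `show ip arp inspection statistics` indicate which of these stages dropped a packet.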
