There are (at least) two methods to permit ARP traffic between only two hosts on a VLAN: VLAN maps and ARP inspection.
Host 1 (IP: 1.1.1.46 MAC: 0000.0c46.4646)
Host 2 (IP: 1.1.1.64 MAC: 0000.0c64.6464)
Using VLAN Maps
mac access-list extended ARP
permit host 0000.0c46.4646 host 0000.0c64.6464 0x806 0x0
permit host 0000.0c64.6464 host 0000.0c46.4646 0x806 0x0
permit host 0000.0c46.4646 host ffff.ffff.ffff 0x806 0x0
permit host 0000.0c64.6464 host ffff.ffff.ffff 0x806 0x0
deny any any 0x806 0x0
permit any any
!
vlan access-map VLAN_46_ARP 10
action forward
match mac address ARP
!
vlan filter VLAN_46_ARP vlan-list 46
0x806 is the EtherType for ARP frames; ffff.ffff.ffff is the L2 broadcast address that ARP uses as the destination when a host sends its initial ARP request to discover the MAC address of the other host, so the two broadcast entries are needed in addition to the two unicast entries that cover the replies. Because a VLAN access-map sequence matches only on the permit entries of its ACL, ARP frames that hit the deny entry match no sequence and are dropped by the map's implicit deny, while all non-ARP frames are forwarded by the final permit any any.
Using ARP Inspection
arp access-list VLAN_46_ARP
permit ip host 1.1.1.46 mac host 0000.0c46.4646
permit ip host 1.1.1.64 mac host 0000.0c64.6464
!
ip arp inspection vlan 46
ip arp inspection filter VLAN_46_ARP vlan 46
The ARP access-list contains the IP-to-MAC binding of each host that is allowed to send ARP packets; dynamic ARP inspection compares the sender IP and sender MAC inside each ARP packet on VLAN 46 against these entries and drops packets that do not match.
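To make the behaviour of both policies concrete, here is an added example (not part of the original post, and not Cisco code) that applies the VLAN-map MAC ACL and the ARP inspection access-list from the two sections above to constructed Ethernet/ARP frames. Host 1 and Host 2 use the addresses from the post; the third host (0000.0c99.9999, 1.1.1.99), the frames and the assumption that no DHCP snooping bindings exist are constructed for the example.

```python
"""Offline evaluator for the two ARP-restriction policies described in the post.
Added example, not the post's own code. Host 3 and all frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST = "ffff.ffff.ffff"
H1_MAC, H1_IP = "0000.0c46.4646", "1.1.1.46"   # from the post
H2_MAC, H2_IP = "0000.0c64.6464", "1.1.1.64"   # from the post
H3_MAC, H3_IP = "0000.0c99.9999", "1.1.1.99"   # constructed third host


def mac_to_bytes(mac: str) -> bytes:
    """Cisco dotted notation ("0000.0c46.4646") to 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", ""))


def bytes_to_mac(b: bytes) -> str:
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_arp(dst_mac, src_mac, sender_ip, target_ip, opcode=1,
              sender_mac=None, target_mac="0000.0000.0000") -> bytes:
    """Ethernet II header + RFC 826 ARP body (opcode 1 request, 2 reply).
    The ARP sender MAC defaults to the Ethernet source MAC."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac or src_mac) + bytes(int(o) for o in sender_ip.split("."))
    arp += mac_to_bytes(target_mac) + bytes(int(o) for o in target_ip.split("."))
    return eth + arp


def build_ipv4(dst_mac, src_mac) -> bytes:
    """Ethernet II header with the IPv4 EtherType and a dummy payload."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19


@dataclass
class Frame:
    dst: str
    src: str
    ethertype: int
    sender_mac: Optional[str] = None   # ARP body fields, only set for ARP frames
    sender_ip: Optional[str] = None


def parse_frame(raw: bytes) -> Frame:
    f = Frame(bytes_to_mac(raw[0:6]), bytes_to_mac(raw[6:12]), struct.unpack("!H", raw[12:14])[0])
    if f.ethertype == ETHERTYPE_ARP:
        arp = raw[14:]
        f.sender_mac = bytes_to_mac(arp[8:14])
        f.sender_ip = ".".join(str(b) for b in arp[14:18])
    return f


# "mac access-list extended ARP" from the post, one tuple per ACE, evaluated top-down.
# (action, source MAC or "any", destination MAC or "any", EtherType or None for any)
MAC_ACL = [
    ("permit", H1_MAC, H2_MAC, ETHERTYPE_ARP),
    ("permit", H2_MAC, H1_MAC, ETHERTYPE_ARP),
    ("permit", H1_MAC, BROADCAST, ETHERTYPE_ARP),
    ("permit", H2_MAC, BROADCAST, ETHERTYPE_ARP),
    ("deny", "any", "any", ETHERTYPE_ARP),
    ("permit", "any", "any", None),
]


def vlan_map_action(f: Frame) -> str:
    """vlan access-map VLAN_46_ARP 10 / action forward / match mac address ARP.
    Only a permit ACE counts as a match for the map sequence; a deny ACE or no
    match at all means the sequence does not match, and a frame that matches no
    sequence hits the VLAN map's implicit deny and is dropped. That is why
    'action forward' is the right action even though the goal is to block."""
    for action, src, dst, etype in MAC_ACL:
        if src != "any" and src != f.src:
            continue
        if dst != "any" and dst != f.dst:
            continue
        if etype is not None and etype != f.ethertype:
            continue
        return "forward" if action == "permit" else "drop"
    return "drop"


# "arp access-list VLAN_46_ARP": sender IP -> sender MAC bindings allowed to send ARP.
ARP_ACL = {H1_IP: H1_MAC, H2_IP: H2_MAC}


def arp_inspection_action(f: Frame) -> str:
    """ip arp inspection filter VLAN_46_ARP vlan 46. DAI checks the sender IP and
    MAC inside the ARP body, not the Ethernet header. Assumption for this example:
    no DHCP snooping bindings exist, so an ARP packet the ACL does not match is dropped."""
    if f.ethertype != ETHERTYPE_ARP:
        return "forward"          # DAI only inspects ARP
    return "forward" if ARP_ACL.get(f.sender_ip) == f.sender_mac else "drop"


# Constructed frames exercising both policies.
FRAMES = {
    "h1_request_to_broadcast": build_arp(BROADCAST, H1_MAC, H1_IP, H2_IP),
    "h2_reply_to_h1": build_arp(H1_MAC, H2_MAC, H2_IP, H1_IP, opcode=2, target_mac=H1_MAC),
    "h3_request_to_broadcast": build_arp(BROADCAST, H3_MAC, H3_IP, H1_IP),
    "h1_header_h3_in_arp_body": build_arp(BROADCAST, H1_MAC, H3_IP, H2_IP, sender_mac=H3_MAC),
    "h3_ipv4_to_h1": build_ipv4(H1_MAC, H3_MAC),
}


def evaluate_all() -> dict:
    """Returns {frame name: (VLAN-map verdict, ARP-inspection verdict)}."""
    return {name: (vlan_map_action(parse_frame(raw)), arp_inspection_action(parse_frame(raw)))
            for name, raw in FRAMES.items()}


if __name__ == "__main__":
    for name, (vm, dai) in evaluate_all().items():
        print(f"{name:28} vlan-map={vm:8} arp-inspection={dai}")
```

The fourth frame shows the difference between the two methods: the VLAN map only sees the Ethernet header (source 0000.0c46.4646 to broadcast) and forwards it, whereas ARP inspection reads the sender fields inside the ARP body and drops it because 1.1.1.99/0000.0c99.9999 is not in the ARP access-list. The last frame shows that both policies leave non-ARP traffic from other hosts alone.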
Hi - I wonder why you used action "forward" when the goal is to deny ARP traffic between two hosts? Why not use action "drop"? Also, your MAC ACL looks confusing; my understanding is that this ACL is used to match the traffic and not like a regular ACL.
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml
Regards,
You're absolutely right. The description is wrong (but the config is right).
The correct description is "How to permit ARP traffic between only two hosts".