Friday, January 11, 2008

How to permit ARP traffic between only two hosts

There are (at least) two ways to permit ARP traffic between only two hosts on a Cisco Catalyst switch: a VLAN access map (VACL) that filters ARP frames at layer 2, and Dynamic ARP Inspection (DAI) with an ARP ACL that checks the IP/MAC bindings carried inside the ARP packets.

Host 1 (IP: 1.1.1.46 MAC: 0000.0c46.4646)

Host 2 (IP: 1.1.1.64 MAC: 0000.0c64.6464)

Using VLAN Maps


mac access-list extended ARP
! ARP (EtherType 0x806) exchanged directly between the two hosts
permit host 0000.0c46.4646 host 0000.0c64.6464 0x806 0x0
permit host 0000.0c64.6464 host 0000.0c46.4646 0x806 0x0
! broadcast ARP requests sent by either host
permit host 0000.0c46.4646 host ffff.ffff.ffff 0x806 0x0
permit host 0000.0c64.6464 host ffff.ffff.ffff 0x806 0x0
! every other ARP frame: inside a VLAN map "deny" means "this clause does not match"
deny any any 0x806 0x0
! all non-ARP traffic matches here and is forwarded by the map
permit any any
!
vlan access-map VLAN_46_ARP 10
action forward
match mac address ARP
!
vlan filter VLAN_46_ARP vlan-list 46

0x806 is the EtherType of ARP frames (the trailing 0x0 is the EtherType mask, so only exactly 0x806 matches), and ffff.ffff.ffff is the layer-2 broadcast address an ARP request is sent to when a host does not yet know the MAC address of the other host. Keep in mind how an ACL behaves inside a VLAN map: a permit ACE means the frame matches the clause and the clause's action (here "forward") is applied, while a deny ACE means the clause does not match, so the frame is evaluated against the next sequence number and, since there is none, is dropped by the implicit deny at the end of the map. That is why "deny any any 0x806 0x0" removes all other ARP traffic from VLAN 46 while the closing "permit any any" is required to keep non-ARP traffic flowing. One limitation: the VLAN map looks only at the Ethernet header, not at the ARP payload, so it cannot stop one of the two permitted hosts from sending ARP packets with a forged sender IP address. That is what the second method adds.


Using Dynamic ARP Inspection

arp access-list VLAN_46_ARP
! sender IP / sender MAC bindings that ARP packets on the VLAN may carry
permit ip host 1.1.1.46 mac host 0000.0c46.4646
permit ip host 1.1.1.64 mac host 0000.0c64.6464
!
! enable DAI on VLAN 46 and apply the ARP ACL to it
ip arp inspection vlan 46
ip arp inspection filter VLAN_46_ARP vlan 46


The ARP access list holds the IP-to-MAC binding of each host that is allowed to send ARP packets on the VLAN. DAI checks the sender IP and sender MAC inside every ARP packet (requests and replies) received on an untrusted port against that list and drops anything that does not match, so unlike the VLAN map it also catches a permitted host that forges its sender IP. Two practical points: without the "static" keyword at the end of the "ip arp inspection filter" command, packets that match no permit entry are compared against the DHCP snooping binding table before being dropped, whereas "static" makes the ARP ACL the only source of truth; and uplink ports toward other switches or routers whose ARP traffic should not be inspected must be configured with "ip arp inspection trust".
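To make the difference between the two filters concrete, here is an added Python model (it is not part of the original post and not Cisco code) that evaluates constructed frames against the MAC ACL / VLAN map and against the ARP ACL from this page. The VACL matching rules (permit ACE = clause matches, deny ACE = fall through, implicit drop at the end of the map) and DAI's sender-binding check are modelled as described above; the third host 1.1.1.99 / 0000.0c99.9999, the spoofed sender address 1.1.1.1 and all frame contents are assumptions made up for the example.

```python
"""Added example: a model of the two ARP filters from this post.

A VLAN access map (VACL) classifies frames on layer-2 fields only; Dynamic ARP
Inspection (DAI) looks inside the ARP payload at the sender IP/MAC binding.
All frames below are constructed for the example; host 3 is invented.
"""
from dataclasses import dataclass
from typing import Optional

ARP = 0x0806
IPV4 = 0x0800
BCAST = "ffff.ffff.ffff"
H1_MAC, H1_IP = "0000.0c46.4646", "1.1.1.46"
H2_MAC, H2_IP = "0000.0c64.6464", "1.1.1.64"
H3_MAC, H3_IP = "0000.0c99.9999", "1.1.1.99"   # assumed third host, not on the page


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int
    sender_ip: Optional[str] = None    # ARP "sender protocol address", None if not ARP
    sender_mac: Optional[str] = None   # ARP "sender hardware address", None if not ARP


# mac access-list extended ARP, one tuple per ACE: (action, src, dst, ethertype or None=any)
MAC_ACL_ARP = [
    ("permit", H1_MAC, H2_MAC, ARP),
    ("permit", H2_MAC, H1_MAC, ARP),
    ("permit", H1_MAC, BCAST, ARP),
    ("permit", H2_MAC, BCAST, ARP),
    ("deny", "any", "any", ARP),
    ("permit", "any", "any", None),
]

# vlan access-map VLAN_46_ARP: (sequence, action, acl)
VLAN_MAP_46 = [(10, "forward", MAC_ACL_ARP)]

# arp access-list VLAN_46_ARP: permitted (sender ip, sender mac) bindings
ARP_ACL_46 = frozenset({(H1_IP, H1_MAC), (H2_IP, H2_MAC)})


def first_matching_ace(acl, frame):
    """Return the action of the first ACE the frame matches, or None for the
    implicit deny at the end of the access list."""
    for action, src, dst, etype in acl:
        if src != "any" and src != frame.src_mac:
            continue
        if dst != "any" and dst != frame.dst_mac:
            continue
        if etype is not None and etype != frame.ethertype:
            continue
        return action
    return None


def vacl_decision(vlan_map, frame):
    """VACL semantics: a permit ACE means the clause matches and its action is
    applied; a deny ACE (or no ACE at all) means 'no match', so evaluation moves
    on to the next sequence; a frame that no sequence matches is dropped by the
    implicit deny at the end of the map."""
    for _seq, action, acl in vlan_map:
        if first_matching_ace(acl, frame) == "permit":
            return action
    return "drop"


def dai_decision(arp_acl, frame, static=True, dhcp_bindings=frozenset()):
    """DAI on an untrusted port: only ARP is inspected. The sender IP/MAC in the
    ARP body must be a permitted binding; without 'static' the DHCP snooping
    table is consulted as a fallback before the packet is dropped."""
    if frame.ethertype != ARP:
        return "not inspected"
    binding = (frame.sender_ip, frame.sender_mac)
    if binding in arp_acl:
        return "forward"
    if not static and binding in dhcp_bindings:
        return "forward"
    return "drop"


# Constructed traffic on VLAN 46.
SAMPLE_FRAMES = {
    "h1_request": Frame(H1_MAC, BCAST, ARP, H1_IP, H1_MAC),
    "h2_reply_to_h1": Frame(H2_MAC, H1_MAC, ARP, H2_IP, H2_MAC),
    "h3_request": Frame(H3_MAC, BCAST, ARP, H3_IP, H3_MAC),
    "h3_reply_to_h1": Frame(H3_MAC, H1_MAC, ARP, H3_IP, H3_MAC),
    # hypothetical: host 1 lies about its IP in the ARP body (claims 1.1.1.1)
    "h1_spoofed_sender": Frame(H1_MAC, BCAST, ARP, "1.1.1.1", H1_MAC),
    "h1_ipv4_to_h3": Frame(H1_MAC, H3_MAC, IPV4),
}


def evaluate(frames=SAMPLE_FRAMES):
    """Map each frame name to (VACL verdict, DAI verdict)."""
    return {name: (vacl_decision(VLAN_MAP_46, f), dai_decision(ARP_ACL_46, f))
            for name, f in frames.items()}


if __name__ == "__main__":
    for name, (vacl, dai) in evaluate().items():
        print(f"{name:20s} vacl={vacl:8s} dai={dai}")
```

The interesting row is "h1_spoofed_sender": the VLAN map forwards it because source MAC, destination MAC and EtherType are all permitted, while DAI drops it because the forged sender IP is not bound to host 1's MAC in the ARP ACL. ARP from the invented third host is dropped by both methods, and plain IPv4 traffic passes the map through its final "permit any any" and is never looked at by DAI.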

2 comments:

  1. Hi - I wonder why you used action "forward" when the goal is to deny ARP traffic between two hosts? Why not use action "drop"? Also your MAC ACL looks confusing; my understanding is that this ACL is used to match the traffic and not like a regular ACL.

    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

    Regards,

  2. You're absolutely right. The description is wrong (but the config is right).
    The correct description is "How to permit ARP traffic between only two hosts".


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Greece License.