[c-nsp] ip arp inspection
Mike
mike-cisconsplist at tiedyenetworks.com
Sun Mar 2 20:01:44 EST 2014
Hi,
I have ip dhcp snooping and ip arp inspection enabled:
ip arp inspection vlan 311-314
ip arp inspection validate src-mac dst-mac ip
ip dhcp snooping vlan 311-314
ip dhcp snooping
This appears to enforce that, if you are on one of those vlans and
you don't have a dhcp assigned IP, you can't talk.
I am noticing, however, that if I do a ping scan of the subnets on
those vlans, even though the switch should know what IPs are assigned via
its dhcp snooping database, it allows the arps through anyway for ip
addresses not in its database. This seems a bit silly; why not save the
bandwidth and just drop outgoing arp on ports where the dhcp snooping db
doesn't have an entry for it?
Is there a cisco feature that would do this or am I being silly here?
Mike-
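
A simplified model of the checks enabled by the configuration in the message above, added here as an example; it is not part of the original post and is not Cisco code. It follows the documented behaviour of dynamic ARP inspection, where the binding lookup is made on the ARP sender's MAC/IP and the target IP is validated only in replies. The port names, MAC addresses and IP addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Arp:
    op: str            # "request" or "reply"
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    sender_mac: str    # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str

def bad_ip(ip):
    # Addresses rejected by "validate ip": 0.0.0.0, broadcast, multicast
    a = ipaddress.ip_address(ip)
    return a.is_unspecified or a.is_multicast or ip == "255.255.255.255"

def dai_verdict(pkt, vlan, port, bindings):
    """bindings models the DHCP snooping table as {(vlan, port, mac): ip}."""
    # validate src-mac: Ethernet source must match the ARP sender MAC
    if pkt.eth_src != pkt.sender_mac:
        return "drop: src-mac"
    # validate dst-mac: checked for replies only
    if pkt.op == "reply" and pkt.eth_dst != pkt.target_mac:
        return "drop: dst-mac"
    # validate ip: sender IP always, target IP only in replies
    if bad_ip(pkt.sender_ip) or (pkt.op == "reply" and bad_ip(pkt.target_ip)):
        return "drop: ip"
    # Binding lookup uses the sender only; the target IP is never looked up
    if bindings.get((vlan, port, pkt.sender_mac)) != pkt.sender_ip:
        return "drop: no binding"
    return "permit"

# Constructed sample data: one DHCP client on Gi0/1, nothing bound on Gi0/2
HOST, OTHER = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
BINDINGS = {(311, "Gi0/1", HOST): "192.0.2.10"}
# Bound client asking for an address that has no lease (the ping scan case)
SCAN = Arp("request", HOST, BCAST, HOST, "192.0.2.10", ZERO, "192.0.2.200")
# Same client claiming a sender IP it was not leased
SPOOF = Arp("request", HOST, BCAST, HOST, "192.0.2.1", ZERO, "192.0.2.200")
# Statically addressed host with no snooping entry
STATIC = Arp("request", OTHER, BCAST, OTHER, "192.0.2.50", ZERO, "192.0.2.10")

if __name__ == "__main__":
    for name, pkt, port in (("scan", SCAN, "Gi0/1"), ("spoof", SPOOF, "Gi0/1"),
                            ("static", STATIC, "Gi0/2")):
        print(name, "->", dai_verdict(pkt, 311, port, BINDINGS))
```
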