ARP packets

Is it possible to limit or block ARP packets from going through a Catalyst switch? Is there such a command or option? I've surfed the whole day but no luck!

Reply to
Jo

I don't think there's a port no. for ARP, by which I can use an ACL to filter it out.

Reply to
Jo

You could probably do that by using the broadcast-storm option, since ARP packets are just broadcasts. This will probably cause some connectivity problems on your network.

Why would you want to limit/block ARP packets?

Reply to
Ivan Ostreš

I'm being asked to look up info on how to limit or block ARP packets on a Catalyst 3550 or 3725 router, as we're getting too many ARP requests. It's believed that the network is under attack because of a virus.

Reply to
Jo

arp works at the Ethernet level, so there are no ports to filter. arp frames have 0x806 as the ethertype and that's about it.

Why would you want to break ethernet by blocking arp frames?

Reply to
Hansang Bae

you might find the link below useful

or you may easily read through it.

Command / Purpose

Step 1: configure terminal
        Enter global configuration mode.

Step 2: interface interface
        Enter interface configuration mode, and enter the port to configure.

Step 3: port storm-control broadcast [threshold {rising rising-number falling falling-number}]
        Enter the rising and falling thresholds for broadcast packets.
        Make sure the rising threshold is greater than the falling threshold.

Step 4: port storm-control trap
        Generate an SNMP trap when the traffic on the port crosses the rising or falling threshold.

Step 5: end
        Return to privileged EXEC mode.

Step 6: show port storm-control [interface]
        Verify your entries.

cheers
Tayfun

Reply to
Tayfun Tuna

What makes you think you are getting too many ARP requests? Have you installed a sniffer on your network to see exactly what is happening? Is it arp requests for a specific IP, or random?

I guess if you wanted to filter arp frames on a layer 2 interface you could use a mac-based access-list, something like the following:

mac access-list extended ARP
 deny any any 0x806 0x0
 permit any any

interface interface
 mac access-group ARP in

If you wanted to filter on a complete VLAN, if I'm not mistaken you could use a VACL:

mac access-list extended ARP
 permit any any 0x806 0x0

vlan access-map ARP 10
 match mac address ARP
 action drop
vlan access-map ARP 20
 action forward

vlan filter ARP vlan-list

Again, not sure why you would want to do this, as it would have serious consequences for your network.

Beez

Reply to
Beezneez
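Before dropping every 0x806 frame with storm-control or a MAC ACL, the question Beez raises (is it one host asking for one IP, or random?) is worth answering from a capture. The script below is an added example, not code from the thread or from any poster: it decodes raw Ethernet/ARP frames, counts requests per sender MAC, and reports which senders exceed a threshold and how many distinct target IPs each one asked for. The frames it analyses are constructed inline (hypothetical MACs and 192.168.1.0/24 addresses) so it runs offline; in practice you would feed it frames read from a pcap taken on a SPAN port.

```python
"""Find which hosts are generating ARP requests in a captured frame list.

Added example for the thread above; not the forum's or any vendor's code.
"""
import struct
from collections import Counter, defaultdict

ETHERTYPE_ARP = 0x0806    # the ethertype the thread quotes as 0x806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes):
    """Decode an Ethernet II ARP frame.

    Returns (opcode, sender_mac, sender_ip, target_ip), or None when the frame
    is not IPv4-over-Ethernet ARP or is too short to hold the 28-byte ARP body.
    """
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    # ARP body: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
    htype, ptype, hlen, plen, opcode, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return opcode, mac_str(sha), ip_str(spa), ip_str(tpa)


def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Build a broadcast ARP request; used here only to construct sample input."""
    eth = struct.pack("!6s6sH", BROADCAST_MAC, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                      sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return eth + arp


def summarize_requests(frames, threshold: int):
    """Count ARP requests per sender MAC and flag senders above threshold.

    Many requests spread over many distinct targets points at a host sweeping
    the subnet; many requests for a single target points at a host repeatedly
    resolving an address nobody answers for. Both are worth a look before any
    switch-wide filter goes in.
    """
    requests = Counter()
    targets = defaultdict(set)
    non_arp = 0
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            non_arp += 1
            continue
        opcode, sender_mac, _sender_ip, target_ip = parsed
        if opcode != ARP_REQUEST:
            continue          # replies are not the problem the thread describes
        requests[sender_mac] += 1
        targets[sender_mac].add(target_ip)
    return {
        "requests_by_sender": dict(requests),
        "targets_by_sender": {mac: len(t) for mac, t in targets.items()},
        "suspects": sorted(mac for mac, n in requests.items() if n > threshold),
        "non_arp": non_arp,
    }


def sample_capture():
    """Constructed capture: two quiet hosts plus one host querying 40 addresses."""
    quiet_a = bytes.fromhex("001122334401")   # hypothetical MACs
    quiet_b = bytes.fromhex("001122334402")
    noisy = bytes.fromhex("0011223344ff")
    gateway = bytes([192, 168, 1, 1])
    frames = [
        build_arp_request(quiet_a, bytes([192, 168, 1, 10]), gateway),
        build_arp_request(quiet_a, bytes([192, 168, 1, 10]), gateway),
        build_arp_request(quiet_b, bytes([192, 168, 1, 11]), gateway),
    ]
    for last in range(1, 41):
        frames.append(build_arp_request(noisy, bytes([192, 168, 1, 200]),
                                        bytes([192, 168, 1, last])))
    # One IPv4 frame with an empty payload, to show non-ARP traffic is skipped.
    frames.append(struct.pack("!6s6sH", BROADCAST_MAC, quiet_a, ETHERTYPE_IPV4)
                  + b"\x00" * 28)
    return frames


if __name__ == "__main__":
    report = summarize_requests(sample_capture(), threshold=10)
    for mac in report["suspects"]:
        print(f"{mac}: {report['requests_by_sender'][mac]} requests to "
              f"{report['targets_by_sender'][mac]} distinct targets")
```

The threshold is deliberately a parameter: what counts as "too many" depends on the segment, and the per-sender breakdown is what tells you whether a storm-control threshold on one port, or a fix on one infected host, is the right response rather than filtering ARP for everyone.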
