Dynamic ARP Inspection

Apr 21st, 2008

I am thinking about implementing DHCP Snooping and Dynamic ARP Inspection. I understand that ARP packets would be compared to the DHCP snooping database to determine if those ARP packets are legitimate.


However, I have many machines that have hardcoded IP addresses. I assume that these machines would not be in the DHCP snooping database since they have hard-coded IP addresses. In the cases of these machines, what if these machines are compromised and start sending out ARP packets for IP addresses that they are not supposed to have? Would dynamic ARP inspection be able to detect this and reconcile these ARP packets with the DHCP Snooping database?

Correct Answer by schmij01, Mon, 04/21/2008 - 19:26

No, Dynamic ARP Inspection is an input-based feature, meaning the packets are checked on input to the switchport from the host. You would need to use a static source binding that basically creates a static entry into the DHCP snooping database for those hosts that have static IPs set. This would then allow you to use DAI on those hosts.


You are really better off converting those static hosts to DHCP (or use DHCP reservations if you really need a consistent IP address) if you have a lot of them. Otherwise managing the static bindings can get to be a pain, especially if those hosts are occasionally moved to different switches/ports.
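As an added illustration of the approach described in this answer (and of the "trust the port" alternative discussed further down the thread), here is a Catalyst IOS configuration that is not part of the original discussion. It enables DHCP snooping and DAI on one VLAN, adds a static binding for a host with a hard-coded address so that its ARP traffic is still inspected rather than bypassed, and trusts only the uplink. All interface names, the VLAN number, the MAC address and the IP address are placeholders chosen for the example.

```cisco
! Added example, not from the thread. VLAN 10, Gi1/0/1 (uplink),
! Gi1/0/5 (static host), MAC 0011.2233.4455 and IP 10.1.10.50 are
! placeholder values.
!
! DHCP snooping builds the binding table that DAI checks against.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! DAI on the same VLAN; also verify that the ARP body is consistent
! with the Ethernet header (catches forged sender fields).
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Host with a hard-coded IP: instead of trusting its port, put a static
! entry in the binding table. ARP packets from this port are then
! accepted only if they carry this MAC/IP pair on this VLAN.
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/5
 description static-IP host - left untrusted so DAI still inspects it
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! Only the uplink toward the DHCP server / distribution layer is trusted.
! "ip arp inspection trust" on a host port would skip inspection entirely,
! so a compromised host behind it could send bogus (gratuitous) ARPs freely.
interface GigabitEthernet1/0/1
 description uplink
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification: static entries show up in the binding table alongside
! DHCP-learned ones, and DAI drop counters reveal hosts sending bad ARPs.
show ip dhcp snooping binding
show ip source binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

With this in place, a host on Gi1/0/5 that starts sending ARP replies or gratuitous ARPs for an address other than 10.1.10.50 is dropped and counted under the DAI statistics for VLAN 10, and exceeding the 15 pps rate limit err-disables the port; the trade-off, as the answer notes, is that each static host needs its own binding line that must be updated whenever the host moves.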


cisco_lad2004 Tue, 04/22/2008 - 05:26

If your machines are tied to a port, you could simply trust the actual port.


(config-if)#ip arp inspection trust


HTH


Sam

yuchenglai Tue, 04/22/2008 - 05:41

What if the statically hard-coded machines start sending gratuitous ARP packets for IP addresses that they are not supposed to have? Would applying this command mitigate the problem?


(config-if)#ip arp inspection trust

cisco_lad2004 Tue, 04/22/2008 - 06:11

If this happens, then you have a problem, as DAI would not block them.

The assumption with using the above command is that you actually trust what is behind the port.

yuchenglai Tue, 04/22/2008 - 06:37

Yes, that is because DAI references the DHCP snooping binding table, which is built from information in option 82 of DHCP packets.


It seems like the only way to mitigate machines from sending out bogus gratuitous ARP packets is to have them use DHCP reservations.
