901 Views, 0 Helpful, 5 Replies

Dynamic ARP Inspection

yuchenglai
Level 1

I am thinking about implementing DHCP Snooping and Dynamic ARP Inspection. I understand that ARP packets would be compared to the DHCP snooping database to determine if those ARP packets are legitimate.

However, I have many machines that have hardcoded IP addresses. I assume that these machines would not be in the DHCP snooping database since they have hard-coded IP addresses. In the cases of these machines, what if these machines are compromised and start sending out ARP packets for IP addresses that they are not supposed to have? Would dynamic ARP inspection be able to detect this and reconcile these ARP packets with the DHCP Snooping database?

Accepted Solution

schmij01
Level 1

No, Dynamic ARP Inspection is an input-based feature, meaning the packets are checked on input to the switchport from the host. You would need to use a static source binding that basically creates a static entry into the DHCP snooping database for those hosts that have static IPs set. This would then allow you to use DAI on those hosts.

You are really better off converting those static hosts to DHCP (or use DHCP reservations if you really need a consistent IP address) if you have a lot of them. Otherwise managing the static bindings can get to be a pain, especially if those hosts are occasionally moved to different switches/ports.


5 Replies


cisco_lad2004
Level 5

If your machines are tied to a port, you could simply trust the actual port.

(config-if)#ip arp inspection trust

HTH

Sam

What if the statically hard-coded machines start sending gratuitous ARP packets for IP addresses that they are not supposed to have? Would applying this command mitigate the problem?

(config-if)#ip arp inspection trust

If this happens, then you have a problem, as DAI would not block them.

The assumption with using the above command is that you actually trust what is behind the port.

Yes, that is because DAI references the DHCP snooping binding table which is built by information in option 82 of DHCP packets.

It seems like the only way to mitigate machines from sending out bogus gratuitous ARP packets is to have them use DHCP reservations.
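As an added example (not from this thread and not Cisco code), the following Python model walks through the decision DAI makes for an ARP packet, covering the three points raised in the replies above: a hard-coded host has no entry in the binding table until a static source binding is added (so even its legitimate ARP is dropped), a host with a binding cannot claim a different IP address, and a port configured with `ip arp inspection trust` is simply not inspected, so a compromised host behind it is not stopped. All MAC addresses, IP addresses, VLAN numbers and interface names are constructed for the example.

```python
"""Added model of the Dynamic ARP Inspection (DAI) decision discussed above.

This is a simulation, not switch code: a binding table holding both entries
learned by DHCP snooping and static source bindings, plus the inspect() rule
DAI applies to ARP packets arriving on untrusted ports.
"""
import re
from dataclasses import dataclass

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff'; return dotted form."""
    raw = re.sub(r"[.:-]", "", mac.strip().lower())
    if not _HEX12.match(raw):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return f"{raw[0:4]}.{raw[4:8]}.{raw[8:12]}"


@dataclass(frozen=True)
class Binding:
    mac: str          # normalized, dotted form
    vlan: int
    ip: str
    interface: str
    origin: str       # "dhcp-snooping" or "static"


@dataclass(frozen=True)
class ArpPacket:
    ingress_if: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_ip: str    # equal to sender_ip for a gratuitous ARP


class DaiSwitch:
    """Trusted ports plus the binding table; inspect() returns (verdict, reason)."""

    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)
        self.bindings: dict[tuple[int, str], Binding] = {}

    def learn_from_dhcp(self, mac, vlan, ip, interface):
        """Entry the switch adds after snooping a DHCP lease on an untrusted port."""
        self._add(Binding(normalize_mac(mac), vlan, ip, interface, "dhcp-snooping"))

    def add_static_binding(self, mac, vlan, ip, interface):
        """Manually configured static source binding for a host with a hard-coded IP."""
        self._add(Binding(normalize_mac(mac), vlan, ip, interface, "static"))

    def _add(self, b: Binding):
        self.bindings[(b.vlan, b.mac)] = b

    def inspect(self, pkt: ArpPacket) -> tuple[str, str]:
        # Rule 1: trusted ports bypass inspection entirely.
        if pkt.ingress_if in self.trusted:
            return "permit", "trusted port: ARP not inspected"
        # Rule 2: sender MAC/IP in this VLAN must match a binding (DHCP-learned or static).
        mac = normalize_mac(pkt.sender_mac)
        b = self.bindings.get((pkt.vlan, mac))
        if b is None:
            return "drop", f"no binding for {mac} in VLAN {pkt.vlan}"
        if b.ip != pkt.sender_ip:
            return "drop", f"{mac} is bound to {b.ip} ({b.origin}), not {pkt.sender_ip}"
        return "permit", f"matches {b.origin} binding"


def demo() -> dict[str, str]:
    """Constructed scenarios from the thread; returns scenario name -> verdict."""
    sw = DaiSwitch(trusted_ports={"Gi1/0/24"})          # Gi1/0/24: uplink, trusted
    sw.learn_from_dhcp("00:11:22:33:44:55", 10, "10.0.10.50", "Gi1/0/1")
    static_mac = "00:aa:bb:cc:dd:ee"                     # hard-coded host on Gi1/0/2
    gateway_ip = "10.0.10.1"

    results = {}
    # 1. DHCP client replying for its own leased address
    results["dhcp_host_legit"] = sw.inspect(
        ArpPacket("Gi1/0/1", 10, "00:11:22:33:44:55", "10.0.10.50", gateway_ip))[0]
    # 2. static host with no binding: even its legitimate ARP is dropped
    results["static_no_binding"] = sw.inspect(
        ArpPacket("Gi1/0/2", 10, static_mac, "10.0.10.60", gateway_ip))[0]
    # 3. after the static source binding, the same legitimate ARP passes
    sw.add_static_binding(static_mac, 10, "10.0.10.60", "Gi1/0/2")
    results["static_with_binding"] = sw.inspect(
        ArpPacket("Gi1/0/2", 10, static_mac, "10.0.10.60", gateway_ip))[0]
    # 4. compromised static host sends a gratuitous ARP claiming the gateway's IP
    results["static_spoof_untrusted"] = sw.inspect(
        ArpPacket("Gi1/0/2", 10, static_mac, gateway_ip, gateway_ip))[0]
    # 5. the same spoofed ARP once Gi1/0/2 is configured as a trusted port
    sw.trusted.add("Gi1/0/2")
    results["static_spoof_trusted"] = sw.inspect(
        ArpPacket("Gi1/0/2", 10, static_mac, gateway_ip, gateway_ip))[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Scenario 4 is the case the original question asks about: once a static binding exists, a hard-coded host that starts answering for an address other than its own is dropped on an untrusted port just like a DHCP client would be. Scenario 5 is the trade-off in the last replies: trusting the port avoids managing a binding but removes the check. On Catalyst IOS the static entry from the accepted answer is configured with `ip source binding <mac> vlan <vlan-id> <ip> interface <interface>`.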
