04-21-2008 06:32 AM - edited 03-05-2019 10:30 PM
I am thinking about implementing DHCP Snooping and Dynamic ARP Inspection. I understand that ARP packets would be compared to the DHCP snooping database to determine if those ARP packets are legitimate.
However, I have many machines that have hard-coded IP addresses. I assume that these machines would not be in the DHCP snooping database since they have hard-coded IP addresses. In the case of these machines, what if these machines are compromised and start sending out ARP packets for IP addresses that they are not supposed to have? Would dynamic ARP inspection be able to detect this and reconcile these ARP packets with the DHCP Snooping database?
04-21-2008 07:26 PM
No, Dynamic ARP Inspection is an input-based feature, meaning the packets are checked on input to the switchport from the host. You would need to use a static source binding that basically creates a static entry into the DHCP snooping database for those hosts that have static IPs set. This would then allow you to use DAI on those hosts.
You are really better off converting those static hosts to DHCP (or use DHCP reservations if you really need a consistent IP address) if you have a lot of them. Otherwise managing the static bindings can get to be a pain, especially if those hosts are occasionally moved to different switches/ports.
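A worked example of the static-binding approach described in this answer, added here and not part of the original thread: Cisco IOS DHCP snooping plus DAI on VLAN 10, with one hard-coded host entered into the binding table by hand so its ARP traffic is still checked on an untrusted port. The VLAN number, MAC address, IP address and interface names are placeholders.

```cisco
! Enable DHCP snooping globally and on the user VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the learned bindings so they survive a reload
ip dhcp snooping database flash:dhcp-snoop.db
!
! Enable DAI on the same VLAN; also check that the ARP body
! is consistent with the Ethernet header (src/dst MAC, IP)
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Static binding for a host with a hard-coded address.
! Placeholder values: MAC 0011.2233.4455, IP 192.0.2.50, port Gi1/0/5.
! DAI now accepts ARP from this port only if it carries exactly
! this MAC/IP pair; any other pair is dropped and logged.
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/5
!
! Uplink toward the DHCP server: trusted for both features
interface GigabitEthernet1/0/48
 description uplink-to-distribution
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access port with the static host: left untrusted on purpose
! (no "ip arp inspection trust"), so the binding above is enforced
interface GigabitEthernet1/0/5
 description static-host
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! Verification after applying:
!   show ip dhcp snooping binding
!   show ip source binding
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
```

The ARP inspection statistics counters (and the resulting log messages) are where a spoofed gratuitous ARP from a static host shows up as a drop, which is the detection the original question asks about.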
04-22-2008 05:26 AM
If your machines are tied to a port, you could simply trust the actual port.
(config-if)#ip arp inspection trust
HTH
Sam
04-22-2008 05:41 AM
What if the statically hard-coded machines start sending gratuitous ARP packets for IP addresses that they are not supposed to have? Would applying this command mitigate the problem?
(config-if)#ip arp inspection trust
04-22-2008 06:11 AM
If this happens, then you have a problem, as DAI would not block them.
The assumption with using the above command is that you actually trust what is behind the port.
04-22-2008 06:37 AM
Yes, that is because DAI references the DHCP snooping binding table which is built by information in option 82 of DHCP packets.
It seems like the only way to mitigate machines from sending out bogus gratuitous ARP packets is to have them use DHCP reservations.