arp inspection and clusters

Unanswered Question
Apr 9th, 2009

Hello, we plan to use DAI on our data center infrastructure, as well as other security features.

In the feature description, ARP inspection blocks gratuitous ARP packets to prevent man-in-the-middle attacks.

But I suppose that when a cluster composed of different servers (or a network bond with a standby interface) does a takeover from the active component to the standby one, the server (or interface) becoming active sends a gratuitous ARP to update the ARP table of the router with the new MAC address.

It seems to me ARP inspection disrupts cluster takeover.

Is this true?

Thank you all.

JamesLuther Thu, 04/09/2009 - 04:10

Hello,

DAI is generally enabled on the access layer, as it relies on the DHCP snooping feature.

If there are any IPs on the switch which haven't got their IP via DHCP, then you need to create an ARP access-list; see below:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/dynarp.html#wp1069116

Therefore I would think carefully about enabling this feature on a server or datacenter segment.

Regards
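As an added illustration of the ARP access-list approach mentioned in the reply above (this is constructed example configuration, not something posted in the thread or taken from the linked Cisco document), the following IOS snippet shows how a two-node cluster with static addresses can keep its takeover working under DAI. All addresses, MACs, VLAN numbers and interface names are made up: node A is 10.10.10.11 with MAC 0011.2233.4455, node B is 10.10.10.12 with MAC 0011.2233.6677, and the shared cluster VIP 10.10.10.5 may legitimately be announced by either MAC. The VIP therefore gets one permit line per node, so the gratuitous ARP sent by whichever node becomes active is accepted instead of being dropped against the DHCP snooping binding table.

```cisco
! DHCP snooping must be on for DAI; clients that used DHCP are validated
! against the binding table, everything else falls through to the ARP ACL.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Static sender IP/MAC pairs that DAI should accept on VLAN 10.
! The VIP 10.10.10.5 is listed twice, once per cluster node MAC,
! so the gratuitous ARP sent at takeover matches regardless of which
! node owns the VIP at that moment.
arp access-list CLUSTER-STATIC
 permit ip host 10.10.10.11 mac host 0011.2233.4455
 permit ip host 10.10.10.12 mac host 0011.2233.6677
 permit ip host 10.10.10.5  mac host 0011.2233.4455
 permit ip host 10.10.10.5  mac host 0011.2233.6677
!
! Enable DAI on the server VLAN and bind the ACL to it.
! Without the "static" keyword, packets that match no ACL entry are
! still checked against the DHCP snooping bindings rather than dropped.
ip arp inspection vlan 10
ip arp inspection filter CLUSTER-STATIC vlan 10
!
! Uplink towards the distribution/core is trusted (not inspected).
interface GigabitEthernet1/1
 description uplink to core
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
! Server ports stay untrusted so spoofed ARP from a compromised host
! is still dropped; rate limiting protects the switch CPU.
interface GigabitEthernet1/10
 description cluster node A (static IP)
 switchport access vlan 10
 ip arp inspection limit rate 100
!
interface GigabitEthernet1/11
 description cluster node B (static IP)
 switchport access vlan 10
 ip arp inspection limit rate 100
```

To verify after a failover test, `show ip arp inspection statistics vlan 10` shows the forwarded versus dropped counters, and `show ip arp inspection log` lists the sender IP/MAC pairs that were dropped; a takeover that still fails will show up there as drops carrying the VIP with the new node's MAC, which points straight at a missing ACL entry. Any additional VIP or bonded interface the cluster can announce needs the same pair of permit lines, and the ACL has to be updated whenever a node's NIC (and therefore its MAC) is replaced.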
