arp inspection and clusters

Apr 9th, 2009

Hello, we plan to use DAI on our data center infrastructure, as well as other security features.

In the feature description, arp inspection blocks Gratuitous ARP packets to prevent man-in-the-middle attacks.

But I supposed that when a cluster composed of different servers (or a network bond with a standby interface) does a takeover from the active component to the standby one, the server (or interface) becoming active sends a Gratuitous ARP to update the ARP table of the router with the new mac-address.

It seems to me ARP inspection disrupts cluster takeover.

Is this true?

Thank you all.

JamesLuther Thu, 04/09/2009 - 04:10
DAI is generally enabled on the access-layer as it relies on the DHCP snooping feature.

If there are any IPs on the switch which haven't got their IP via DHCP then you need to create an arp access-list, see below

Therefore I would think carefully about enabling this feature on a server or datacenter segment.
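
Added example, not part of the thread and not Cisco's code: a simplified Python model of the check discussed above, in which an untrusted port permits an ARP packet only when its sender IP/MAC pair matches a known binding (a DHCP snooping entry or an ARP access-list entry). It runs the standby node's gratuitous ARP against two binding sets; the cluster IP, both MAC addresses and all function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4, 28 bytes

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP payload into the fields the check needs."""
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sender_mac": fmt_mac(sha),
            "sender_ip": str(IPv4Address(spa)),
            "gratuitous": spa == tpa}  # sender IP == target IP

def inspect(payload: bytes, bindings: set, trusted_port: bool = False) -> str:
    """Simplified model: untrusted ports need a matching (IP, MAC) binding."""
    if trusted_port:
        return "permit"  # trusted ports are not inspected
    try:
        arp = parse_arp(payload)
    except (ValueError, struct.error):
        return "drop"  # malformed or truncated ARP
    pair = (arp["sender_ip"], arp["sender_mac"])
    return "permit" if pair in bindings else "drop"

def gratuitous_arp(ip: str, mac: str) -> bytes:
    """Build the ARP payload a node announces after taking over an IP."""
    raw_mac = bytes.fromhex(mac.replace(":", ""))
    raw_ip = IPv4Address(ip).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,
                       raw_mac, raw_ip, b"\x00" * 6, raw_ip)

# Constructed sample values (documentation IP range, locally administered MACs)
CLUSTER_IP = "192.0.2.10"
ACTIVE_MAC, STANDBY_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"

def failover_verdicts() -> tuple:
    """Verdict for the standby node's gratuitous ARP under two binding sets."""
    garp = gratuitous_arp(CLUSTER_IP, STANDBY_MAC)
    only_active = {(CLUSTER_IP, ACTIVE_MAC)}
    both_nodes = only_active | {(CLUSTER_IP, STANDBY_MAC)}
    return inspect(garp, only_active), inspect(garp, both_nodes)

if __name__ == "__main__":
    print(failover_verdicts())
```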


