
arp inspection and clusters

cineca
Level 1

Hello, we plan to use DAI on our data center infrastructure, as well as other security features.

In the feature description, ARP inspection blocks Gratuitous ARP packets to prevent man-in-the-middle attacks.

But I supposed that when a cluster composed of different servers (or a network bond with a standby interface) does a takeover from the active component to the standby one, the server (or interface) becoming active sends a Gratuitous ARP to update the ARP table of the router with the new mac-address.

It seems to me ARP inspection disrupts cluster takeover.

Is this true?

Thank you all.

1 Reply

JamesLuther
Level 3

Hello,

DAI is generally enabled on the access-layer as it relies on the DHCP snooping feature.

If there are any IPs on the switch which haven't got their IP via DHCP then you need to create an ARP access-list, see below

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/dynarp.html#wp1069116

Therefore I would think carefully about enabling this feature on a server or datacenter segment.

Regards
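
The failover case raised in this thread, as an added example that is not part of either post and is not Cisco code: a simplified Python model of how DAI decides on an ARP packet (trusted port, then ARP ACL permit, then DHCP snooping binding), applied to a standby node announcing a statically addressed cluster IP. The VIP, MAC addresses, port names and VLAN 100 are constructed sample values, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    vlan: int
    port: str
    sender_ip: str
    sender_mac: str
    target_ip: str   # equals sender_ip in a gratuitous ARP

class DaiModel:
    """Simplified per-packet DAI decision for one switch (assumed model)."""
    def __init__(self, trusted_ports=(), static_acl=False):
        self.trusted = set(trusted_ports)
        self.bindings = {}   # (vlan, ip) -> (mac, port), learned by DHCP snooping
        # Permit entries of an ARP ACL applied to the VLAN; on IOS each one is
        # a "permit ip host <ip> mac host <mac>" line in an "arp access-list".
        self.acl = set()     # (vlan, ip, mac)
        self.static_acl = static_acl  # True: ACL miss drops, bindings not consulted

    def check(self, pkt):
        if pkt.port in self.trusted:
            return "forward (trusted port)"
        if (pkt.vlan, pkt.sender_ip, pkt.sender_mac) in self.acl:
            return "forward (ARP ACL permit)"
        if self.static_acl:
            return "drop (no ACL match, static filter)"
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) == (pkt.sender_mac, pkt.port):
            return "forward (DHCP snooping binding)"
        return "drop (no valid binding)"

# Constructed sample cluster: one virtual IP, two nodes with their own MACs.
VLAN, VIP = 100, "192.0.2.10"
NODE_A = ("0000.5e00.5301", "Gi1/1")   # active node
NODE_B = ("0000.5e00.5302", "Gi1/2")   # standby node

def failover(dai):
    """Node B takes over the VIP and announces it with a gratuitous ARP."""
    mac, port = NODE_B
    return dai.check(Arp(VLAN, port, VIP, mac, VIP))

def run():
    no_acl = DaiModel()                       # static VIP: no binding, no ACL
    active_only = DaiModel()
    active_only.acl.add((VLAN, VIP, NODE_A[0]))
    both = DaiModel()
    both.acl |= {(VLAN, VIP, NODE_A[0]), (VLAN, VIP, NODE_B[0])}
    return {"no_acl": failover(no_acl),
            "acl_active_only": failover(active_only),
            "acl_both_nodes": failover(both)}

if __name__ == "__main__":
    for case, verdict in run().items():
        print(f"{case:16} {verdict}")
```

In this model the takeover announcement is forwarded only when the standby node's MAC is also permitted for the shared IP, or when the server port is trusted.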
