Cisco Support Community

ARP inspection w/DHCP snooping is killing my voice stream

Has anyone successfully deployed security features (ARP inspection plus DHCP snooping) with their IPT deployment? If so, would you mind talking a bit about any hang-ups you may have experienced? Thanks in advance.


Re: ARP inspection w/DHCP snooping is killing my voice stream

ARP does not have any authentication. It is quite simple for a malicious user to poison ARP tables of other hosts on the same VLAN. In a typical attack, a malicious user can send unsolicited ARP replies (gratuitous ARP packets) to other hosts on the subnet with the attacker's MAC address and the default gateway's IP address. Such ARP poisoning leads to various "man-in-the-middle" attacks, posing a security threat in the network. Dynamic ARP Inspection intercepts all ARP requests and replies on the untrusted ports. Each intercepted packet is verified for valid IP-to-MAC bindings. The Dynamic Host Control Protocol (DHCP) snooping feature is typically used to maintain IP-to-MAC bindings. Dynamic ARP Inspection helps prevent the man-in-the-middle attacks by not relaying invalid ARP replies out to other ports in the same VLAN. It is a solution with no change to the end user or host configurations. Denied ARP packets are logged by the switch for auditing. Incoming ARP packets on the trusted ports or isolated private VLAN (PVLAN) trunks are not inspected.
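The check described in the reply above, as an added example that is not part of the original post and not Cisco's implementation: a simplified model of the per-port decision, in which ARP arriving on an untrusted port is relayed only when its sender IP and MAC match a snooping-style binding. The port names, addresses, binding table and function names are all constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample data: snooping-style bindings keyed by (vlan, port).
BINDINGS = {
    (10, "Gi0/1"): {"10.0.10.21": "00:11:22:33:44:55"},
    (10, "Gi0/2"): {"10.0.10.22": "00:11:22:33:44:66"},
}
TRUSTED_PORTS = {"Gi0/24"}  # assumed uplink toward the gateway

def build_arp(oper, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (1=request, 2=reply)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha)
            + IPv4Address(spa).packed + mac(tha) + IPv4Address(tpa).packed)

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip); reject malformed payloads."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, payload[8:14].hex(":"), str(IPv4Address(payload[14:18]))

def inspect(port, vlan, payload, log):
    """True = relay to the VLAN, False = drop and record in the audit log."""
    if port in TRUSTED_PORTS:
        return True  # trusted ports are not inspected
    try:
        _, mac, ip = parse_arp(payload)
    except ValueError as exc:
        log.append(f"DENY {port} vlan {vlan}: {exc}")
        return False
    bound = BINDINGS.get((vlan, port), {}).get(ip)
    if bound == mac:
        return True
    log.append(f"DENY {port} vlan {vlan}: {ip} claimed by {mac} (binding: {bound})")
    return False

def demo():
    log = []
    ok = build_arp(1, "00:11:22:33:44:55", "10.0.10.21", "00:00:00:00:00:00", "10.0.10.1")
    # Unsolicited reply claiming the gateway address 10.0.10.1 with the host's own MAC.
    bad = build_arp(2, "00:11:22:33:44:66", "10.0.10.1", "ff:ff:ff:ff:ff:ff", "10.0.10.1")
    results = [inspect("Gi0/1", 10, ok, log), inspect("Gi0/2", 10, bad, log),
               inspect("Gi0/24", 10, bad, log), inspect("Gi0/1", 10, ok[:20], log)]
    return results, log

if __name__ == "__main__":
    print(demo())
```

The third case shows why the trusted setting belongs only on ports where no end host can attach: the same packet that is denied on an access port is relayed unchecked when it arrives on a trusted one.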
