Cisco Support Community

New Member

arp inspection and clusters

Hello, we plan to use DAI on our data center infrastructure, as well as other security features.

In the feature description, ARP inspection blocks Gratuitous ARP packets to prevent man-in-the-middle attacks.

But I supposed that when a cluster composed of different servers (or a network bond with a standby interface) does a takeover from the active component to the standby one, the server (or interface) becoming active sends a Gratuitous ARP to update the ARP table of the router with the new MAC address.

It seems to me ARP inspection disrupts cluster takeover.

Is this true?

Thank you all.

1 REPLY
Bronze

Re: arp inspection and clusters

Hello,

DAI is generally enabled on the access layer, as it relies on the DHCP snooping feature.

If there are any IPs on the switch which haven't got their IP via DHCP, then you need to create an ARP access-list, see below:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/dynarp.html#wp1069116

Therefore I would think carefully about enabling this feature on a server or datacenter segment.

Regards
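
A simplified model of the DAI check discussed in this thread, added here as an example; it is not part of the original posts and is not Cisco code. It assumes that on an untrusted port DAI forwards an ARP packet only when the sender IP/MAC pair matches an ARP ACL permit entry or a DHCP snooping binding; the VLAN, ports, VIP and MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Arp:
    """Fields DAI checks in an ARP packet (a gratuitous ARP has sender IP == target IP)."""
    vlan: int
    port: str
    sender_ip: str
    sender_mac: str

@dataclass
class Switch:
    """Simplified model of one DAI-enabled switch (an assumption, not Cisco code)."""
    trusted_ports: set = field(default_factory=set)
    dhcp_bindings: set = field(default_factory=set)  # (vlan, port, ip, mac) from DHCP snooping
    arp_acl: set = field(default_factory=set)        # (vlan, ip, mac) permits for static hosts

    def inspect(self, pkt: Arp) -> str:
        if pkt.port in self.trusted_ports:
            return "forward (trusted port, not inspected)"
        if (pkt.vlan, pkt.sender_ip, pkt.sender_mac) in self.arp_acl:
            return "forward (ARP ACL permit)"
        if (pkt.vlan, pkt.port, pkt.sender_ip, pkt.sender_mac) in self.dhcp_bindings:
            return "forward (DHCP snooping binding)"
        return "drop (no matching binding)"

# Constructed sample data: statically addressed cluster VIP on VLAN 10.
VIP = "10.1.1.100"
NODE_A = Arp(10, "Gi1/1", VIP, "0000.aaaa.0001")  # active node
NODE_B = Arp(10, "Gi1/2", VIP, "0000.bbbb.0002")  # standby; sends gratuitous ARP on takeover

def takeover_result(acl_entries):
    """Verdicts for node A's ARP before failover and node B's gratuitous ARP after it."""
    sw = Switch(arp_acl=set(acl_entries))
    return sw.inspect(NODE_A), sw.inspect(NODE_B)

if __name__ == "__main__":
    only_a = [(10, VIP, NODE_A.sender_mac)]
    both = only_a + [(10, VIP, NODE_B.sender_mac)]
    for label, acl in (("no ACL", []), ("ACL: node A only", only_a), ("ACL: both nodes", both)):
        a, b = takeover_result(acl)
        print(f"{label:18} A={a} | B={b}")
```

In this model the takeover only survives inspection when every MAC address that may announce the shared IP has its own permit entry, or when the cluster nodes sit behind a trusted port.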
