Cisco Support Community
New Member

DHCP Snooping and Dynamic ARP Inspection

Hi,

In order to reduce the impact of ARP spoofing attacks, I would like to implement the DHCP snooping and Dynamic ARP Inspection features on our Cisco enterprise network.

Tests were conclusive for all devices connected directly to Cisco switches.

However, I still have problems with devices connected to SOHO unmanaged switches.

Could you please indicate how I can overcome this problem?

You can find an example diagram in the attachment.

Printer1 and PC2 cause connectivity problems when port Fa0/23 on switch S2 is configured as untrusted.

When I configure that port as trusted, I can still carry out successful ARP spoofing attacks with the Cain & Abel software.

Best Regards,

Mustapha

1 REPLY
Hall of Fame Super Silver

Re: DHCP Snooping and Dynamic ARP Inspection

Hello Mustapha,

Indeed, DHCP snooping and DAI fit a design where no unmanaged switches are present, so that a one-to-one correspondence between the MAC addresses of PCs and printers and switch ports can be established.

In your case you could just use port security with the DHCP snooping trusted state as a way to mitigate at least MAC flood attacks.

Hope to help

Giuseppe
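As an added illustration of the reply above (this is example configuration written for this page, not the poster's or Giuseppe's own configuration), the IOS snippet below enables DHCP snooping and DAI on S2, keeps the directly connected hosts on untrusted ports, and treats Fa0/23 (the port facing the unmanaged SOHO switch, named in the question) as trusted while limiting it with port security, as the reply suggests. VLAN 10, the uplink interface Fa0/24, the host port range, the MAC limit of 4 and the violation mode are assumptions chosen for the example; adjust them to the real topology.

```cisco
! --- Global: DHCP snooping and DAI on the user VLAN (VLAN 10 is an assumption)
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
! Also check that sender/target MACs and IPs in ARP bodies are sane
ip arp inspection validate src-mac dst-mac ip
!
! --- Uplink towards the DHCP server / core (interface name is an assumption)
interface FastEthernet0/24
 description Uplink to core / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Directly connected hosts: untrusted, one MAC per port, ARP validated
!     against the DHCP snooping binding table (this is the case the poster
!     tested successfully)
interface range FastEthernet0/1 - 22
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
! --- Port facing the unmanaged SOHO switch (Fa0/23 from the question)
!     Trusted for snooping/DAI so Printer1 and PC2 keep connectivity;
!     port security caps the number of MACs learned behind it
interface FastEthernet0/23
 description Uplink to unmanaged SOHO switch (Printer1, PC2)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! --- Verification
! show ip dhcp snooping binding          : learned IP/MAC/port bindings
! show ip arp inspection interfaces      : trust state per port
! show ip arp inspection statistics vlan 10
! show port-security interface FastEthernet0/23
```

What this does and does not give you: the trusted state on Fa0/23 is exactly why the Cain & Abel test in the question still succeeds, because DAI does not validate ARP packets arriving on a trusted port. Port security only bounds how many MAC addresses may appear behind the SOHO switch (the MAC flooding case the reply names); a host already among those allowed MACs can still send forged ARP replies. Sticky learning with `violation restrict` keeps the port up but drops traffic from extra MACs and logs the violation, so `show port-security interface` and the syslog are the place to watch for a device being added behind that switch.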

525 Views | 0 Helpful | 1 Replies