06-23-2012 07:01 PM - edited 03-07-2019 07:25 AM
Hi everybody
1) Does a switch configured with dynamic ARP inspection only inspect ARP replies received on untrusted ports by default, or does it also check ARP requests?
Dynamic ARP inspection, according to my book, checks the target IP address and target MAC address carried by the ARP reply. So if the switch has to check an ARP request, it will not find a target IP address and target MAC, as they are only carried by ARP replies.
2) The command "ip arp inspection validate ip", according to my book, checks the sender's IP address in ARP requests, and checks the sender's IP address against the target IP address in all ARP replies.
In a nutshell, is it only when this option is configured that the switch checks both ARP requests and ARP replies as described in (2)?
By default, does a switch configured with dynamic ARP inspection only check ARP replies?
Dynamic ARP inspection and hosts with static IP addresses
Do we still need to use "ip arp inspection vlan RANGE" for hosts with static IP addresses, or do we just need an ARP access list and the following command:
"ip arp inspection filter LEE vlan 2"
thanks and have a great weekend.
06-24-2012 05:53 AM
Hello Again!
1) According to Cisco documentation, dynamic ARP inspection intercepts both requests and responses on untrusted ports. It checks the validity of the ARP packet against a trusted database (i.e., DHCP binding database or static ARP ACL).
2) ip arp inspection validate ip could also be set with src-mac, dst-mac, and only one of the 3 options will apply at a time. So I believe this doesn't have anything to do with #1. This is rather an additional validation option, should you choose to use it.
For static hosts and using ARP ACL in non-DHCP environments you just have to use the ip arp inspection filter [ ] vlan command.
By the way, what's the book you're reading, if it's OK?
Hope it Helps,
Soroush.
06-24-2012 08:13 AM
Thanks Soroush
CCNP switch by David Hucaby.
1) According to Cisco documentation, dynamic ARP inspection intercepts both requests and responses on untrusted ports. It checks the validity of the ARP packet against a trusted database (i.e., DHCP binding database or static ARP ACL).
If a switch configured with dynamic ARP inspection does check ARP requests besides ARP replies, what kind of information does the switch have to compare against the DHCP binding database/ARP access list in the case of an ARP request?
For example, in an ARP reply, by default the switch compares the target IP address and target MAC against the DHCP binding database. In the case of an ARP request, what kind of information carried by the ARP request does a switch configured with dynamic ARP inspection compare against the DHCP snooping database? (Keep in mind we are talking about default behavior, i.e. the switch is not configured to perform any further validation such as src IP, src MAC, etc.)
Below is the ARP request frame:
No. Time Source Destination Protocol Length Address Resolution Protocol Info
28 168.833000 c0:00:04:dc:00:00 Broadcast ARP 60 Yes Who has 199.199.199.2? Tell 199.199.199.1
Frame 28: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: c0:00:04:dc:00:00 (c0:00:04:dc:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
Hardware type: Ethernet (1)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
[Is gratuitous: False]
Sender MAC address: c0:00:04:dc:00:00 (c0:00:04:dc:00:00)
Sender IP address: 199.199.199.1 (199.199.199.1)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 199.199.199.2 (199.199.199.2)
thanks and have a great weekend.
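The question running through this thread (what DAI compares for a request versus a reply, and what the validate options add on top) can be shown with a small model of the per-packet decision. The Python below is an added example, not code from the thread, from Cisco, or from the book mentioned: it rebuilds the "Who has 199.199.199.2? Tell 199.199.199.1" request from the capture above as constructed bytes, parses the Ethernet and ARP headers, and applies a DAI-style check against a constructed IP-to-MAC binding table standing in for the DHCP snooping database. The binding values, the MAC addresses in the forged reply, and the function names are all assumptions. The base check on an untrusted port matches the sender IP/MAC pair of every request and reply against the bindings (which is why a request, carrying no useful target MAC, can still be validated); the validate ip, src-mac and dst-mac options are modelled on their documented behaviour, with the sender IP checked in requests and replies but the target IP and destination MAC only in replies.

```python
import ipaddress
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
INVALID_IPS = {"0.0.0.0", "255.255.255.255"}


@dataclass
class ArpFrame:
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # ARP body: sender hardware address
    sender_ip: str    # ARP body: sender protocol address
    target_mac: str   # ARP body: target hardware address
    target_ip: str    # ARP body: target protocol address


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_frame(opcode, eth_src, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble an Ethernet II + ARP (Ethernet/IPv4) frame, zero-padded to the 60-byte minimum."""
    frame = (_mac_bytes(eth_dst) + _mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
             + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, opcode
             + _mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
             + _mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)
    return frame.ljust(60, b"\x00")


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Parse the Ethernet header and the 28-byte ARP body; reject anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpFrame(
        eth_src=_mac_str(frame[6:12]), eth_dst=_mac_str(frame[0:6]), opcode=opcode,
        sender_mac=_mac_str(frame[22:28]), sender_ip=str(ipaddress.IPv4Address(frame[28:32])),
        target_mac=_mac_str(frame[32:38]), target_ip=str(ipaddress.IPv4Address(frame[38:42])),
    )


def dai_check(pkt: ArpFrame, port_trusted: bool, bindings: dict, validate=frozenset()):
    """Return (permit, reason) the way DAI decides per packet on a switch port.

    bindings maps IP -> MAC (a constructed stand-in for the DHCP snooping database or ARP ACL);
    validate is a subset of {"ip", "src-mac", "dst-mac"} modelling 'ip arp inspection validate'.
    """
    if port_trusted:
        return True, "trusted port: not inspected"
    # Base check, applied to requests and replies alike: the sender IP/MAC pair must be a known binding.
    if bindings.get(pkt.sender_ip) != pkt.sender_mac:
        return False, f"no binding for sender {pkt.sender_ip} -> {pkt.sender_mac}"
    if "src-mac" in validate and pkt.eth_src != pkt.sender_mac:
        return False, "Ethernet source MAC differs from ARP sender MAC"
    if "dst-mac" in validate and pkt.opcode == ARP_REPLY and pkt.eth_dst != pkt.target_mac:
        return False, "Ethernet destination MAC differs from ARP target MAC (reply)"
    if "ip" in validate:
        # The sender IP is checked in every packet; the target IP only in replies.
        to_check = [pkt.sender_ip] + ([pkt.target_ip] if pkt.opcode == ARP_REPLY else [])
        for ip in to_check:
            if ip in INVALID_IPS or ipaddress.IPv4Address(ip).is_multicast:
                return False, f"invalid or unexpected IP address {ip}"
    return True, "permitted"


# Constructed sample: the "Who has 199.199.199.2? Tell 199.199.199.1" request from the capture above.
SAMPLE_REQUEST = build_arp_frame(ARP_REQUEST, "c0:00:04:dc:00:00", "ff:ff:ff:ff:ff:ff",
                                 "c0:00:04:dc:00:00", "199.199.199.1",
                                 "00:00:00:00:00:00", "199.199.199.2")
# Constructed binding table (assumed values), standing in for the DHCP snooping database.
BINDINGS = {"199.199.199.1": "c0:00:04:dc:00:00", "199.199.199.2": "c0:00:04:dc:00:01"}
# Constructed reply claiming 199.199.199.2 from a MAC that is not bound to it (assumed value).
FORGED_REPLY = build_arp_frame(ARP_REPLY, "c0:00:04:dc:00:09", "c0:00:04:dc:00:00",
                               "c0:00:04:dc:00:09", "199.199.199.2",
                               "c0:00:04:dc:00:00", "199.199.199.1")

if __name__ == "__main__":
    for name, raw in (("request", SAMPLE_REQUEST), ("forged reply", FORGED_REPLY)):
        pkt = parse_arp_frame(raw)
        print(name, pkt.sender_ip, pkt.sender_mac, dai_check(pkt, False, BINDINGS))
```

Run as a script it permits the captured request (its sender pair is in the table) and drops the forged reply (its sender pair is not), without any validate option set; passing `{"ip"}` or `{"src-mac"}` as the fourth argument shows the extra checks layered on top of that base decision.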