Dynamic ARP Inspection

I am thinking about implementing DHCP Snooping and Dynamic ARP Inspection. I understand that ARP packets would be compared to the DHCP snooping database to determine if those ARP packets are legitimate.

However, I have many machines that have hard-coded IP addresses. I assume that these machines would not be in the DHCP snooping database since they have hard-coded IP addresses. In the case of these machines, what if these machines are compromised and start sending out ARP packets for IP addresses that they are not supposed to have? Would Dynamic ARP Inspection be able to detect this and reconcile these ARP packets with the DHCP snooping database?

Accepted Solution

Re: Dynamic ARP Inspection

No, Dynamic ARP Inspection is an input-based feature, meaning the packets are checked on input to the switchport from the host. You would need to use a static source binding that basically creates a static entry into the DHCP snooping database for those hosts that have static IPs set. This would then allow you to use DAI on those hosts.

You are really better off converting those static hosts to DHCP (or use DHCP reservations if you really need a consistent IP address) if you have a lot of them. Otherwise managing the static bindings can get to be a pain, especially if those hosts are occasionally moved to different switches/ports.
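A worked configuration for the static-binding approach the accepted solution describes, added here as an example (it is not from the original post): it enables DHCP snooping and DAI on one VLAN, trusts only the uplink, and adds a static binding for a hard-coded host so that DAI can validate that host's ARP traffic while its port stays untrusted. VLAN 10, the interface names, the MAC 0011.2233.4455 and the address 192.0.2.50 are assumed for illustration.

```cisco
! --- Global: DHCP snooping must be enabled before DAI or "ip source binding" do anything ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist learned (dynamic) bindings across reloads; static bindings live in the
! running-config, dynamic ones are lost on reload without a database agent.
ip dhcp snooping database flash:dhcp-snoop.db
!
! --- Dynamic ARP Inspection on the same VLAN ---
ip arp inspection vlan 10
! Additional sanity checks: Ethernet src/dst MAC must match the ARP body, and
! sender/target IPs must not be 0.0.0.0, 255.255.255.255 or multicast.
ip arp inspection validate src-mac dst-mac ip
!
! --- Static entry for the hard-coded host (assumed MAC / IP / port) ---
! Appears in "show ip source binding" as type static with no lease expiry.
! It is pinned to the interface, so moving the host to another port means
! editing this line: that is the management burden the accepted solution warns about.
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/5
!
! --- Uplink toward the DHCP server / distribution switch ---
! Trusted for snooping so server replies are accepted, and trusted for DAI only
! because the upstream switch runs DAI itself and has already inspected the ARPs.
interface GigabitEthernet1/0/1
 description uplink to distribution (assumed)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Static host port: deliberately left UNTRUSTED so DAI checks it against the binding ---
interface GigabitEthernet1/0/5
 description hard-coded host 192.0.2.50 (assumed)
 switchport mode access
 switchport access vlan 10
 ! Optional: DAI err-disables the port if the host exceeds this ARP rate
 ! (15 pps is the default on untrusted ports; stated explicitly for clarity).
 ip arp inspection limit rate 15
!
! --- Ordinary DHCP client port: no trust lines, both snooping and DAI inspect it ---
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
```

With this in place an ARP from GigabitEthernet1/0/5 whose sender IP/MAC pair is anything other than 192.0.2.50 / 0011.2233.4455 is dropped by DAI, exactly as it would be for a DHCP client, because the static binding is consulted the same way a snooped lease is.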


Re: Dynamic ARP Inspection

If your machines are tied to a port, you could simply trust the actual port.

(config-if)#ip arp inspection trust

HTH

Sam

New Member

Re: Dynamic ARP Inspection

What if the statically hard-coded machines start sending gratuitous ARP packets for IP addresses that they are not supposed to have? Would applying this command mitigate the problem?

(config-if)#ip arp inspection trust

Re: Dynamic ARP Inspection

If this happens, then you have a problem, as DAI would not block them.

The assumption with using the above command is that you actually trust what is behind the port.

Re: Dynamic ARP Inspection

Yes, that is because DAI references the DHCP snooping binding table, which is built by information in option 82 of DHCP packets.

It seems like the only way to mitigate machines from sending out bogus gratuitous ARP packets is to have them use DHCP reservations.
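The exchange above written out as configuration, added as an example that is not from any of the original posts. The first fragment is the trust shortcut Sam suggested and shows why it does not help against a compromised host; the second keeps the port untrusted and uses an ARP ACL, which is the other mechanism Cisco DAI offers for hosts that are not in the DHCP snooping binding table (that table is populated from the DHCP exchanges snooped on untrusted ports, plus any static bindings). VLAN 10, the ACL name, the interface and the MAC/IP pairs are assumed for illustration.

```cisco
! ===== WEAK: trusting the host port =====
! Every ARP frame arriving on a trusted port bypasses DAI completely, so a
! compromised static host can send gratuitous ARPs claiming the gateway's
! address (or any other host's) and the switch forwards them untouched.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ip arp inspection trust
!
! ===== CORRECTED: untrusted port + ARP ACL =====
! An ARP ACL binds IP <-> MAC for the whole VLAN without naming a port, so a
! static host can move between ports on this switch without the entry being
! edited (unlike "ip source binding"). DAI consults the ACL first and uses the
! DHCP binding table only for ARPs the ACL neither permits nor explicitly denies.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.50 mac host 0011.2233.4455
 permit ip host 192.0.2.51 mac host 0011.2233.4466
!
! Without the optional "static" keyword, ARPs that match no ACL line fall through
! to the DHCP bindings; with "static", the ACL's implicit deny drops them and the
! binding table is not consulted at all.
ip arp inspection filter STATIC-HOSTS vlan 10
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 no ip arp inspection trust
!
! ===== Verification (exec mode) =====
! A compromised 192.0.2.50 that sends a gratuitous ARP for another address from
! this port is now dropped; Catalyst logs the drop as %SW_DAI-4-DHCP_SNOOPING_DENY
! when the binding-table check fails or %SW_DAI-4-ACL_DENY when the ACL denies it.
!
! show ip arp inspection vlan 10             <- DAI state and attached ACL per VLAN
! show ip arp inspection interfaces          <- which ports are trusted (none of the host ports should be)
! show ip arp inspection statistics vlan 10  <- forwarded vs dropped counters, split by reason
! show ip dhcp snooping binding              <- dynamically learned (snooped) bindings
! show ip source binding                     <- dynamic and static bindings together
```

The ARP ACL does not remove the operational cost entirely: each static host still needs a line, and a host whose NIC is replaced needs its MAC updated, which is the same kind of maintenance the accepted solution describes for static bindings. What it does change is that the entry is per VLAN rather than per port.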
