  • Content created by Rene Molenaar (CCIE #41726)

 



Forum Replies

  1. Hi Alberto,

     

    If you feel ARP poisoning is a risk on your network, then you could implement it. However, if you use static addresses then it’s probably not worth the effort.

    DAI is very useful when you use DHCP as it relies on the DHCP snooping database. When you use DHCP then DAI will work for all address leases and we use the static entries only for some static devices like routers or servers.

    If you have to implement this for all your users then it might be quite some work…

    Rene

  2. Hello Rene,

    ARP poisoning attack can mitigate DAI and DAI works on the DHCP snooping database. So if there is no DHCP server, how can we mitigate an ARP poisoning attack? It's like if we want to mitigate ARP poisoning then we must enable a DHCP environment, or is there any other way to mitigate ARP poisoning?

    BR//
    ZAMAN

  3. So I am on the final run getting ready for my CCNP Switch; some areas I am weaker in were DHCP Snooping and DAI.

    I created the following lab in CISCO VIRL Lab:

    https://cdn-forum.networklessons.com/uploads/default/original/1X/2f9a6838e03fade05064a85e5de5003bb680d647.JPG

    **EDITED:**
    I had three pages of information (lol) but decided to edit it out as I was able to figure out everything by going back over your lesson and watching the video.

    Writing on the forums really helps me to get things straight in my brain and also not feel alone when studying and stuck on s

    ... Continue reading in our forum

  4. Hello florian

    My apologies for not responding sooner!

    Keep in mind that the Sender hardware address and the target hardware addresses found within the ARP packet are not the source and destination MAC addresses found in the Ethernet header. Now you are correct when you say that:

    ... Continue reading in our forum

  5. Hello Waleed

    Both your statement and the quoted statement are correct. DAI does indeed check the DHCP snooping database for all packets that arrive on untrusted interfaces. If the info in the ARP packet is not in the database, the ARP packet is dropped.

    It is also true that if you connect a rogue DHCP router on a trusted interface, no check will be made against the DHCP snooping database.

    Trusted, no check, untrusted check, and if the check does not pass, drop.

    I hope this has been helpful!

    Laz
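
The decision summarized in reply 5 (trusted: no check; untrusted: check; no match: drop), combined with the static entries mentioned in reply 1, as an added example that is not from the lesson or from any forum participant. It is a simplified Python model, not Cisco's implementation; the lookup order, port names, MACs and IPs are assumptions constructed for illustration.

```python
# Simplified model of the DAI decision (added example, not Cisco's implementation).
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    """What the check looks at: ingress port/VLAN and the ARP payload's sender pair
    (the sender fields inside the ARP packet, not the Ethernet header addresses)."""
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str

# Constructed sample state; every port, MAC and IP below is made up.
TRUSTED_PORTS = {"Gi0/1"}                                    # e.g. uplink
SNOOPING_DB = {(10, "10.0.10.50"): "aaaa.bbbb.0050"}         # learned from DHCP leases
STATIC_ENTRIES = {(10, "10.0.10.1"): "aaaa.bbbb.0001"}       # static device, no lease

def dai_verdict(pkt: Arp) -> str:
    # Trusted interface: forwarded without consulting any table.
    if pkt.port in TRUSTED_PORTS:
        return "forward (trusted, no check)"
    key = (pkt.vlan, pkt.sender_ip)
    # Manually configured entry for a host that never requested a lease.
    if STATIC_ENTRIES.get(key) == pkt.sender_mac:
        return "forward (static entry)"
    # Otherwise the sender IP/MAC pair must match a DHCP snooping binding.
    if SNOOPING_DB.get(key) == pkt.sender_mac:
        return "forward (snooping binding)"
    return "drop"

# Constructed ARP packets covering each branch.
SAMPLES = {
    "dhcp client":        Arp("Gi0/2", 10, "aaaa.bbbb.0050", "10.0.10.50"),
    "static router":      Arp("Gi0/4", 10, "aaaa.bbbb.0001", "10.0.10.1"),
    "forged gateway ARP": Arp("Gi0/3", 10, "cccc.dddd.0666", "10.0.10.1"),
    "unknown static pc":  Arp("Gi0/5", 10, "aaaa.bbbb.0099", "10.0.10.99"),
    "same forgery, trusted port": Arp("Gi0/1", 10, "cccc.dddd.0666", "10.0.10.1"),
}

def evaluate_samples() -> dict:
    return {name: dai_verdict(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:28} -> {verdict}")
```

The last sample shows why trust should be limited to ports you control: the same forged packet that is dropped on an untrusted port passes unchecked on a trusted one.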
