Tags: ,


Notable Replies

  1. Hi rene, I don´t have a DHCP server. My users have Ip address static. Do I need configure ip arp inspection filter?

  2. Hi Alberto,

     

    If you feel ARP poisoning is a risk on your network then you could implement it. However if you use static addresses then it’s probably not worth the effort.

    DAI is very useful when you use DHCP as it relies on the DHCP snooping database. When you use DHCP then DAI will work for all address leases and we use the static entries only for some static devices like routers or servers.

    If you have to implement this for all your users then it might be quite some work…

    Rene

  3. Hi Zaman,

    There is one other method if you don’t have a DHCP server. You can create static ARP bindings in the ARP snooping database.

    Rene

  4. So I am on the final run getting ready for my CCNP Switch some areas I am weaker in was DHCP Snooping and DAI.

    I created the following lab in CISCO VIRL Lab:

    EDITED:
    I had three pages of information (lol) but decided to edit it out AS I was able to figure out everything by going back over your lesson and watching the video.

    Writing on the forums really helps me to get things straight in my brain and also not feel alone when studying and stuck on something.

    Thanks for the great lessons!

  5. Hello florian

    My apologies for not responding sooner!

    Keep in mind that the Sender hardware address and the target hardware addresses found within the ARP packet are not the source and destination MAC addresses found in the Ethernet header. Now you are correct when you say that:

    DAI will cause such frames to drop so that they don’t actually reach the host. These are illegitimate packets and most likely come from a malicious source, so they should not be sent to the host. The host will not have to waste time and resources processing them.

    As for this question, my apologies. I had the no ip gratuitous-arp command in mind but this just disables the sending of gratuitous ARP packets by the device itself and not the blocking of such packets from hosts.

    I hope this has been helpful!

    Laz

Continue the discussion forum.networklessons.com

19 more replies!

Participants