Yes, the DHCP snooping database will only have addresses that are either assigned by DHCP or are statically configured in the DHCP database. If you statically assign a host on the network an IP address, the DHCP snooping database has no way of knowing that that address has been assigned. The only way to do it is to statically configure it in the DHCP router.
Yes, that is correct. It will only check the statically configured ARP ACL and NOT the dynamically created and updated DHCP snooping database.
Yes, the last ip arp inspection filter command does not seem to be included in the configuration of SW1 at the end. I will let Rene know to add thatâŚ
Thanks again! I did have a follow up question here it does look like in the configuration example below that Rene has shown both options:
SW1(config)#arp access-list DHCP_ROUTER
SW1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123
int fa0/3
ip arp inspection trust
But you can use one or the other correct. You dont have to use both? If that is the case why go through the hassle of extra command and just use ip arp inspection trust?
interface FastEthernet0/3
switchport access vlan 123
switchport mode access
ip arp inspection trust
spanning-tree portfast
ip dhcp snooping trust
!
arp access-list DHCP_ROUTER
permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
!end
Yes, you are correct that you can use one or the other to solve the specific problem. However, you must understand that they actually do two different things. The arp access-list command tells the switch to check the access list for acceptable MAC/IP addresses that will allow ARP messages and will allow those coming from the DHCP server. The other option doesnât check any ARP messages against anything and simply allows all ARP messages on this interface, which is the interface where the DHCP server is connected.
In that case would putting the command arp inspection trust command be enough security since all untrusted other interfaces would still be checked right? What is the use case for using the arp access-list over the trust command in that scenario. Also, could you give an example of the use cases for the three different validation options
dst-mac
ip
scr-mac
I read another answer about it but I still was unclear
Thanks!
Whether or not something is âenough securityâ is a topic for debate, it all depends on the expected threats, and the level of security you want to achieve. Using the arp insepction trust command on an interface would be used if you know that all ARP packets expected to be received on this port can be trusted, because youâve taken care to ensure that the subnet on that interface is secure. So you will never expect any attacks to occur there. The rest of the ports of course are untrusted, and you are âsafeâ from any attempts at attack that may arrive on those ports.
If you have several hosts connected to the subnet on a particular interface, and some of those hosts are statically assigned their IP addresses, while the others are dynamically assigned, you can place the statically assigned IP addresses in an ARP access list. This way, the switch will check the ARP access-list first and when it doesnât find a match, it will check the DHCP snooping database. Statically assigned hostsâ ARP requests will be matched by the access list, and dynamically assigned hostsâ ARP requests will be matched using the DHCP snooping database.
Each of the choices performs a different check. This is further described in this CIsco documentation: