DAI (Dynamic ARP Inspection)

Hello Daniel

Yes, the DHCP snooping database will only have addresses that are either assigned by DHCP or are statically configured in the DHCP database. If you statically assign a host on the network an IP address, the DHCP snooping database has no way of knowing that that address has been assigned. The only way to do it is to statically configure it in the DHCP router.

Yes, that is correct. It will only check the statically configured ARP ACL and NOT the dynamically created and updated DHCP snooping database.

Yes, the last ip arp inspection filter command does not seem to be included in the configuration of SW1 at the end. I will let Rene know to add that…

I hope this has been helpful!

Laz

Hi Lazaros,

Thanks again! I did have a follow-up question here. It does look like in the configuration example below that Rene has shown both options:

SW1(config)#arp access-list DHCP_ROUTER
SW1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123

int fa0/3
ip arp inspection trust

But you can use one or the other, correct? You don't have to use both? If that is the case, why go through the hassle of the extra command and not just use ip arp inspection trust?

interface FastEthernet0/3
 switchport access vlan 123
 switchport mode access
 ip arp inspection trust
 spanning-tree portfast
 ip dhcp snooping trust
!
arp access-list DHCP_ROUTER
 permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
!
end

Hello Daniel

Yes, you are correct that you can use one or the other to solve the specific problem. However, you must understand that they actually do two different things. The arp access-list command tells the switch to check the access list for acceptable MAC/IP addresses that will allow ARP messages and will allow those coming from the DHCP server. The other option doesn’t check any ARP messages against anything and simply allows all ARP messages on this interface, which is the interface where the DHCP server is connected.

I hope this has been helpful!

Laz


Hi Lazaros,

In that case, would putting the ip arp inspection trust command on the interface be enough security, since all the other untrusted interfaces would still be checked, right? What is the use case for using the arp access-list over the trust command in that scenario? Also, could you give an example of the use cases for the three different validation options:
dst-mac
ip
src-mac
I read another answer about it but I was still unclear.
Thanks!

Hello Daniel

Whether or not something is “enough security” is a topic for debate; it all depends on the expected threats and the level of security you want to achieve. Using the ip arp inspection trust command on an interface would be used if you know that all ARP packets expected to be received on this port can be trusted, because you’ve taken care to ensure that the subnet on that interface is secure. So you will never expect any attacks to occur there. The rest of the ports are of course untrusted, and you are “safe” from any attempts at attack that may arrive on those ports.

If you have several hosts connected to the subnet on a particular interface, and some of those hosts are statically assigned their IP addresses, while the others are dynamically assigned, you can place the statically assigned IP addresses in an ARP access list. This way, the switch will check the ARP access-list first and when it doesn’t find a match, it will check the DHCP snooping database. Statically assigned hosts’ ARP requests will be matched by the access list, and dynamically assigned hosts’ ARP requests will be matched using the DHCP snooping database.

Each of the choices performs a different check. This is further described in this Cisco documentation:

I hope this has been helpful!

Laz

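To make the two exchanges above concrete (the ARP ACL versus ip arp inspection trust, and the ACL-then-DHCP-snooping lookup order with the three validate checks), here is an added Python model of the DAI decision path. It is illustration code written for this thread, not Cisco IOS code and not from the lesson: the DHCP_ROUTER entry, VLAN 123 and the trusted Fa0/3 port come from the configuration quoted above, while the other hosts, MAC addresses, the binding-table contents and the ordering of the validate checks relative to the binding lookup are constructed assumptions. The static_acl_vlans field models the optional static keyword of ip arp inspection filter, which is what makes the switch stop at the ACL and never consult the snooping database.

```python
"""Model of Dynamic ARP Inspection (DAI) decision logic.

Added illustration, not Cisco code: trusted ports bypass inspection, an ARP
ACL is consulted before the DHCP snooping binding table, the 'static' keyword
removes the fallback to that table, and the optional validate checks
(src-mac, dst-mac, ip) test the ARP packet for internal consistency.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address


@dataclass
class ArpPacket:
    ingress_port: str
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class DaiConfig:
    trusted_ports: frozenset        # interfaces with 'ip arp inspection trust'
    arp_acl: dict                   # vlan -> set of permitted (sender_ip, sender_mac)
    static_acl_vlans: frozenset     # vlans filtered with the 'static' keyword
    snooping_bindings: frozenset    # (vlan, ip, mac) learned from DHCP
    validate: frozenset             # subset of {'src-mac', 'dst-mac', 'ip'}


def _bad_ip(addr: str) -> bool:
    """'ip' validation: 0.0.0.0, 255.255.255.255 and multicast are never valid."""
    ip = IPv4Address(addr)
    return ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast


def inspect(pkt: ArpPacket, cfg: DaiConfig) -> tuple:
    """Return (forward?, reason) for one ARP packet."""
    if pkt.ingress_port in cfg.trusted_ports:
        return True, "trusted port, not inspected"
    # Optional consistency checks; this model runs them before the binding lookup.
    if "src-mac" in cfg.validate and pkt.eth_src != pkt.sender_mac:
        return False, "src-mac: Ethernet source differs from ARP sender MAC"
    if "dst-mac" in cfg.validate and pkt.opcode == 2 and pkt.eth_dst != pkt.target_mac:
        return False, "dst-mac: Ethernet destination differs from ARP target MAC"
    if "ip" in cfg.validate and (_bad_ip(pkt.sender_ip) or (pkt.opcode == 2 and _bad_ip(pkt.target_ip))):
        return False, "ip: invalid or unexpected IP address in ARP body"
    # The ARP ACL is checked first when one is applied to the VLAN.
    if pkt.vlan in cfg.arp_acl:
        if (pkt.sender_ip, pkt.sender_mac) in cfg.arp_acl[pkt.vlan]:
            return True, "permitted by ARP access-list"
        if pkt.vlan in cfg.static_acl_vlans:
            return False, "implicit deny in ARP access-list (static: no DHCP snooping fallback)"
    # Otherwise fall back to the DHCP snooping binding table.
    if (pkt.vlan, pkt.sender_ip, pkt.sender_mac) in cfg.snooping_bindings:
        return True, "matched DHCP snooping binding"
    return False, "no ARP ACL match and no DHCP snooping binding"


def _pkt(port, mac, ip, eth_src=None, opcode=1, target_mac="0000.0000.0000", target_ip="192.168.1.254"):
    # Ethernet source normally equals the ARP sender MAC; override it to model a mismatch.
    eth_dst = "ffff.ffff.ffff" if opcode == 1 else target_mac
    return ArpPacket(port, 123, eth_src or mac, eth_dst, opcode, mac, ip, target_mac, target_ip)


# Constructed lab values; only the DHCP_ROUTER entry, VLAN 123 and Fa0/3 come from the thread.
BASE_CFG = DaiConfig(
    trusted_ports=frozenset({"FastEthernet0/3"}),
    arp_acl={123: {("192.168.1.254", "0016.c7be.0ec8")}},          # arp access-list DHCP_ROUTER
    static_acl_vlans=frozenset(),
    snooping_bindings=frozenset({(123, "192.168.1.20", "aaaa.bbbb.0020")}),  # a DHCP client
    validate=frozenset({"src-mac", "dst-mac", "ip"}),
)
STATIC_CFG = replace(BASE_CFG, static_acl_vlans=frozenset({123}))   # '... filter DHCP_ROUTER vlan 123 static'


def run_scenarios() -> dict:
    """Return {scenario: (forward?, reason)} for constructed ARP requests on VLAN 123."""
    server = ("0016.c7be.0ec8", "192.168.1.254")
    cases = {
        "dhcp_server_on_trusted_fa0/3": (_pkt("FastEthernet0/3", *server), BASE_CFG),
        "dhcp_server_on_untrusted_port": (_pkt("FastEthernet0/1", *server), BASE_CFG),
        "dynamic_host_in_bindings": (_pkt("FastEthernet0/1", "aaaa.bbbb.0020", "192.168.1.20"), BASE_CFG),
        "static_host_not_in_acl": (_pkt("FastEthernet0/2", "aaaa.bbbb.0010", "192.168.1.10"), BASE_CFG),
        "server_ip_with_other_mac": (_pkt("FastEthernet0/2", "aaaa.bbbb.0099", "192.168.1.254"), BASE_CFG),
        "src_mac_mismatch": (_pkt("FastEthernet0/1", "aaaa.bbbb.0020", "192.168.1.20", eth_src="aaaa.bbbb.0099"), BASE_CFG),
        "bad_sender_ip": (_pkt("FastEthernet0/1", "aaaa.bbbb.0020", "0.0.0.0"), BASE_CFG),
        "dynamic_host_with_static_acl": (_pkt("FastEthernet0/1", "aaaa.bbbb.0020", "192.168.1.20"), STATIC_CFG),
    }
    return {name: inspect(p, c) for name, (p, c) in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{'FORWARD' if ok else 'DROP   '} {name}: {why}")
```

The static_host_not_in_acl case is the situation from the first answer in the thread: a host with a manually configured address has no DHCP snooping binding, so its ARP traffic is dropped until an ARP ACL entry for it exists. The src_mac_mismatch case shows why the validate options are a separate layer: the binding table alone would forward that packet, because the ARP body matches a learned binding, and only the src-mac check catches the disagreement with the Ethernet header.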

Hi,

I think there’s a typo:

If the information in the ARP packet doesn’t matter, it will be dropped.

Shouldn’t it be match, not matter?

Sam

Hello Samir

Yes, you are correct, thanks for pointing that out. I will let @ReneMolenaar know to make the change.

Laz
