https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525740#M517916 <HTML><HEAD></HEAD><BODY><P>Actually the active directory domain&nbsp; permissions, but as you know, shadow IT is always present, moreover on an organization with many IT specialists.</P><P>Thanks for the reply chyps, you helped me out to find a valid reason for implementing DHCP snooping and ARP spoofing.</P></BODY></HTML> Tue, 13 Feb 2018 10:50:54 GMT Antonio Macia 2018-02-13T10:50:54Z https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525736#M517912 <HTML><HEAD></HEAD><BODY><P>Hello there,</P><P></P><P>Makes sense configuring arp inspection and DHCP snooping on a network where access is controlled by ISE? I mean, if access is based on dot1x and MAB using profiling and all the traffic is blocked until the device matches an authorization policy, wouldn't be redundant protections?</P><P></P><P>Regards.</P></BODY></HTML> Sat, 10 Feb 2018 16:50:52 GMT https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525736#M517912 Antonio Macia 2018-02-10T16:50:52Z https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525737#M517913 <HTML><HEAD></HEAD><BODY><P>Not clear on question.&nbsp; Port Security (the locking down of a port to specific authorized MAC) may be considered redundant, and in general we do not support the combination of these two features, but ARP inspection is to validate that IP address is one that is seen on port.&nbsp; dACLs or other enforcement could potentially block, but DHCP Snooping is complimentary as it helps verify that DHCP used and the IP address assigned to host.&nbsp; It is also used for instantiating dACLs.</P></BODY></HTML> Mon, 12 Feb 2018 14:10:22 GMT https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525737#M517913 Craig Hyps 2018-02-12T14:10:22Z https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525738#M517914 <HTML><HEAD></HEAD><BODY><P>Hello Chyps,</P><P></P><P>My question is aimed to get feedback on ISE deployments that might use DHCP snooping and ARP inspection on top as an added security mechanism.</P><P>They way I see it, during the first connection a device is profiled and allowed to access the network only after matching the conditions defined, so rogue DHCP servers would be prevented. Having said that, only on those exceptional cases where a legitimate device gets into the network and later enables any kind of DHCP service, then I could understand the need of DHCP snooping.</P><P></P><P>What's your take on this?</P></BODY></HTML> Mon, 12 Feb 2018 14:42:43 GMT https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525738#M517914 Antonio Macia 2018-02-12T14:42:43Z https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525739#M517915 <HTML><HEAD></HEAD><BODY><P>What prevents an authorized user from posing as a DHCP server?</P></BODY></HTML> Mon, 12 Feb 2018 14:52:35 GMT https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525739#M517915 Craig Hyps 2018-02-12T14:52:35Z https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525740#M517916 <HTML><HEAD></HEAD><BODY><P>Actually the active directory domain&nbsp; permissions, but as you know, shadow IT is always present, moreover on an organization with many IT specialists.</P><P>Thanks for the reply chyps, you helped me out to find a valid reason for implementing DHCP snooping and ARP spoofing.</P></BODY></HTML> Tue, 13 Feb 2018 10:50:54 GMT https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525740#M517916 Antonio Macia 2018-02-13T10:50:54Z https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525741#M517917 <HTML><HEAD></HEAD><BODY><P>Thats where dhcp snooping comes in.&nbsp; trusted ports are identified as the source of dhcp servers.&nbsp; </P></BODY></HTML> Fri, 23 Feb 2018 20:38:35 GMT https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/3525741#M517917 ndemers 2018-02-23T20:38:35Z https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/4298178#M565739 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/292144">@Antonio Macia</a>&nbsp;,</P><P>I currently, looking for implement&nbsp;dynamic ARP inspection with ISE.</P><P>Could you help to share me. how can do that ?</P><P>&nbsp;</P><P>Thank in advance.</P> Fri, 26 Feb 2021 07:09:32 GMT https://community.cisco.com/t5/network-access-control/ise-arp-inspection-dhcp-snooping/m-p/4298178#M565739 sinady 2021-02-26T07:09:32Z