Buy or Renew
Buy or Renew
NEW: Try the Beta AI Summary feature on posts in the Routing and SD-WAN forum. Click to go to the forum.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10020
Views
0
Helpful
5
Replies

Dynamic ARP Inspection (DAI)

Go to solution
tantony
Level 6
Level 6

‎08-30-2021 08:17 AM

Sorry if this is the wrong place, I couldn't find a general network section. My switches are Netgear (I know, I know), and I have DHCP Snooping enabled, and I'm also thinking about enabling Dynamic ARP Inspection (DAI). Do you guys have DHCP Snooping and DAI enabled at your production network?

I know DAI looks at the DHCP Snooping database to compare the MAC and IP, but with people working from their home, what happens when they return to work since their laptops will not be in the DHCP Snooping database. I know you can manually add them but that's a lot of work.

Also, what about 802.1X authentication, anyone using them on their production network?

I'm trying to make my production network more secure.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ww^
Meraki Community All-Star
Meraki Community All-Star
In response to tantony

‎08-30-2021 10:24 AM

No.

Dhcp snooping prevent dhcp server side packets(offer,ack) from being send from untrusted ports. (You have to trust ports to the dhcp server like trunks and the port the dhcp server is on)

So it prevents from unwanted dhcp servers on your network

And it fills the dhcp snooping table based on the dhcp packets.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
ww^
Meraki Community All-Star
Meraki Community All-Star

‎08-30-2021 09:43 AM

If your clients connect to the switch and get a dhcp address the snooping table will fill. Only client with static assigned address need to have a static entry in the switch.

0 Helpful

Go to solution
tantony
Level 6
Level 6
In response to ww^

‎08-30-2021 10:19 AM

Wouldn't the client's MAC already have to be in the DHCP Snooping table even to get DHCP? I'm talking about a new device that never connected before.

0 Helpful

Go to solution
ww^
Meraki Community All-Star
Meraki Community All-Star
In response to tantony

‎08-30-2021 10:24 AM

No.

Dhcp snooping prevent dhcp server side packets(offer,ack) from being send from untrusted ports. (You have to trust ports to the dhcp server like trunks and the port the dhcp server is on)

So it prevents from unwanted dhcp servers on your network

And it fills the dhcp snooping table based on the dhcp packets.

0 Helpful

Go to solution
tantony
Level 6
Level 6
In response to ww^

‎08-30-2021 10:33 AM

Ah right, I forgot about that part. I already have the trunk and lags as trusted, and rest untrusted.

So far, I've only enabled DAI on one of the switch, and everything is working.

0 Helpful

Go to solution
tantony
Level 6
Level 6
In response to tantony

‎08-30-2021 10:34 AM

Love to hear if anyone is using 802.1X on their network also.

0 Helpful
Customers Also Viewed These Support Documents