Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
3389
Views
5
Helpful
6
Replies

ISE & ARP inspection & DHCP snooping

Go to solution
Antonio Macia
Level 3
Level 3

ā€Ž02-10-2018 08:50 AM

Hello there,

Makes sense configuring arp inspection and DHCP snooping on a network where access is controlled by ISE? I mean, if access is based on dot1x and MAB using profiling and all the traffic is blocked until the device matches an authorization policy, wouldn't be redundant protections?

Regards.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

ā€Ž02-12-2018 06:10 AM

Not clear on question.  Port Security (the locking down of a port to specific authorized MAC) may be considered redundant, and in general we do not support the combination of these two features, but ARP inspection is to validate that IP address is one that is seen on port.  dACLs or other enforcement could potentially block, but DHCP Snooping is complimentary as it helps verify that DHCP used and the IP address assigned to host.  It is also used for instantiating dACLs.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Craig Hyps
Level 10
Level 10

ā€Ž02-12-2018 06:10 AM

Not clear on question.  Port Security (the locking down of a port to specific authorized MAC) may be considered redundant, and in general we do not support the combination of these two features, but ARP inspection is to validate that IP address is one that is seen on port.  dACLs or other enforcement could potentially block, but DHCP Snooping is complimentary as it helps verify that DHCP used and the IP address assigned to host.  It is also used for instantiating dACLs.

0 Helpful

Go to solution
Antonio Macia
Level 3
Level 3
In response to Craig Hyps

ā€Ž02-12-2018 06:42 AM

Hello Chyps,

My question is aimed to get feedback on ISE deployments that might use DHCP snooping and ARP inspection on top as an added security mechanism.

They way I see it, during the first connection a device is profiled and allowed to access the network only after matching the conditions defined, so rogue DHCP servers would be prevented. Having said that, only on those exceptional cases where a legitimate device gets into the network and later enables any kind of DHCP service, then I could understand the need of DHCP snooping.

What's your take on this?

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to Antonio Macia

ā€Ž02-12-2018 06:52 AM

What prevents an authorized user from posing as a DHCP server?

0 Helpful

Go to solution
Antonio Macia
Level 3
Level 3
In response to Craig Hyps

ā€Ž02-13-2018 02:50 AM

Actually the active directory domain  permissions, but as you know, shadow IT is always present, moreover on an organization with many IT specialists.

Thanks for the reply chyps, you helped me out to find a valid reason for implementing DHCP snooping and ARP spoofing.

0 Helpful

Go to solution
sinady
Level 1
Level 1
In response to Antonio Macia

ā€Ž02-25-2021 11:09 PM

@Antonio Macia ,

I currently, looking for implement dynamic ARP inspection with ISE.

Could you help to share me. how can do that ?

 

Thank in advance.

Go to solution
ndemers
Cisco Employee
Cisco Employee
In response to Craig Hyps

ā€Ž02-23-2018 12:38 PM

Thats where dhcp snooping comes in.  trusted ports are identified as the source of dhcp servers. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents