ISE & ARP inspection & DHCP snooping

Antonio Macia
Level 3

Hello there,

Does it make sense to configure ARP inspection and DHCP snooping on a network where access is controlled by ISE? I mean, if access is based on dot1x and MAB using profiling and all the traffic is blocked until the device matches an authorization policy, wouldn't these be redundant protections?

Regards.

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10

Not clear on question. Port Security (the locking down of a port to specific authorized MAC) may be considered redundant, and in general we do not support the combination of these two features, but ARP inspection is to validate that the IP address is one that is seen on the port. dACLs or other enforcement could potentially block, but DHCP Snooping is complementary as it helps verify that DHCP is used and the IP address assigned to the host. It is also used for instantiating dACLs.


6 Replies

Hello Chyps,

My question is aimed to get feedback on ISE deployments that might use DHCP snooping and ARP inspection on top as an added security mechanism.

The way I see it, during the first connection a device is profiled and allowed to access the network only after matching the conditions defined, so rogue DHCP servers would be prevented. Having said that, only in those exceptional cases where a legitimate device gets into the network and later enables any kind of DHCP service could I understand the need for DHCP snooping.

What's your take on this?

What prevents an authorized user from posing as a DHCP server?

Actually the Active Directory domain permissions, but as you know, shadow IT is always present, moreover in an organization with many IT specialists.

Thanks for the reply chyps, you helped me find a valid reason for implementing DHCP snooping and ARP spoofing.

@Antonio Macia ,

I am currently looking to implement dynamic ARP inspection with ISE.

Could you help and share with me how I can do that?

Thanks in advance.

That's where DHCP snooping comes in. Trusted ports are identified as the source of DHCP servers.
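As an added example (not posted by anyone in this thread, and not ISE's own configuration), here is Cisco IOS switch CLI showing how DHCP snooping and Dynamic ARP Inspection sit alongside an 802.1X/MAB access port that ISE authorizes. ISE does not push these features; they are configured on the switch. The VLAN numbers, interface names, descriptions and rate limits are assumptions for illustration. Exact command syntax varies by platform and IOS/IOS-XE release, so check it against your switch before applying.

```text
! ---- Global: enable DHCP snooping and DAI on the user VLANs ----
ip dhcp snooping
ip dhcp snooping vlan 10,20
! DAI uses the DHCP snooping binding table (IP/MAC/VLAN/port) to
! validate ARP packets on untrusted ports.
ip arp inspection vlan 10,20
! Optional extra checks on ARP body vs. Ethernet header.
ip arp inspection validate src-mac dst-mac ip
!
! ---- Access port: ISE-controlled, untrusted for DHCP and ARP ----
! Note: no "trust" commands here, so a host that later starts a
! DHCP server (the shadow-IT case in this thread) has its DHCP
! server replies dropped regardless of its ISE authorization.
interface GigabitEthernet1/0/1
 description User port - 802.1X/MAB authorized by ISE (assumed)
 switchport mode access
 switchport access vlan 10
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! ---- Uplink: the only path toward legitimate DHCP servers ----
interface GigabitEthernet1/0/48
 description Uplink to distribution / DHCP relay (assumed)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! ---- Verification ----
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

The binding table produced by DHCP snooping is what DAI consults, so enabling DAI without DHCP snooping on the same VLANs leaves DAI with nothing to validate against (statically addressed hosts then need ARP ACLs instead). Keep trust only on uplinks toward the real DHCP servers; a trusted access port bypasses both checks. Watch the rate-limit counters after rollout, since a legitimate host that bursts ARP traffic can err-disable its port.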