dynamic arp inspection and arp request

sarahr202
Level 5

Hi everybody

1) Does a switch configured with dynamic ARP inspection only inspect ARP replies received on untrusted ports by default, or does it also check ARP requests?

Dynamic ARP inspection, according to my book, checks the target IP address and target MAC address carried by ARP replies. So if the switch has to check ARP requests, it will not find a target IP address and target MAC, as they are only carried by ARP replies.

2) The command "ip arp inspection validate ip", according to my book, checks the sender's IP address in ARP requests, and checks the sender's IP address against the target IP address in all ARP replies.

In a nutshell, is it only when this option is configured that the switch checks both ARP requests and ARP replies as described in (2)?

By default, does a switch configured with dynamic ARP inspection only check ARP replies?

Dynamic ARP inspection and hosts with static IP addresses

Do we still need to use "ip arp inspection vlan RANGE" for hosts with static IP addresses, or do we just need an ARP access list and the following command:

ip arp inspection filter LEE vlan 2

Thanks, and have a great weekend.

Accepted Solution

smehrnia
Level 7

Hello Again!

1) According to Cisco documentation, dynamic ARP inspection intercepts both requests and responses on untrusted ports. It checks the validity of the ARP packet against a trusted database (i.e. the DHCP binding database or a static ARP ACL).

2) ip arp inspection validate ip could also be set with src-mac and dst-mac, and only one of the 3 options will apply at a time. So I believe this doesn't have anything to do with #1. This is rather an additional validation option, should you choose to use it.

For static hosts, and using an ARP ACL in non-DHCP environments, you just have to use the ip arp inspection filter [ ] vlan command.

By the way, what's the book you're reading, if it's OK?

Hope it helps,

Soroush.


Thanks Soroush

CCNP SWITCH by David Hucaby.

"1) According to Cisco documentation, dynamic ARP inspection intercepts both requests and responses on untrusted ports. It checks the validity of the ARP packet against a trusted database (i.e. the DHCP binding database or a static ARP ACL)."

If a switch configured with dynamic ARP inspection does check ARP requests besides ARP replies, what kind of information does the switch have to compare against the DHCP binding database/ARP access list in the case of an ARP request?

For example, in an ARP reply, by default the switch compares the target IP address and target MAC against the DHCP binding database. In the case of an ARP request, what kind of info carried by the ARP request does a switch configured with dynamic ARP inspection compare against the DHCP snooping database? (Keep in mind we are talking about default behavior, i.e. the switch is not configured to perform any further validation such as src ip, src mac, etc.)

Below is the ARP request frame:

No.     Time        Source                Destination           Protocol Length Address Resolution Protocol Info
     28 168.833000  c0:00:04:dc:00:00     Broadcast             ARP      60     Yes                         Who has 199.199.199.2?  Tell 199.199.199.1

Frame 28: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: c0:00:04:dc:00:00 (c0:00:04:dc:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    [Is gratuitous: False]
    Sender MAC address: c0:00:04:dc:00:00 (c0:00:04:dc:00:00)
    Sender IP address: 199.199.199.1 (199.199.199.1)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 199.199.199.2 (199.199.199.2)

Thanks, and have a great weekend.
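Added example, not from either poster or from Cisco: a Python model of the DAI decision on an untrusted port, run against the captured ARP request above rebuilt as bytes, with a constructed DHCP snooping binding table and the optional src-mac, dst-mac and ip validation options as Cisco documents them. It shows that the default check is the sender IP-to-MAC pair, which requests and replies both carry, so a request is validated from its sender fields and the target fields only matter for the optional checks.

```python
import ipaddress
import struct

# Constructed sample: the ARP request captured in the post above, rebuilt as the
# 42 bytes Wireshark decoded (the wire showed 60 bytes because of Ethernet padding).
ARP_REQUEST = (
    bytes.fromhex("ffffffffffff" "c00004dc0000" "0806")          # Ethernet dst, src, type
    + bytes.fromhex("0001" "0800" "06" "04" "0001")              # htype, ptype, hlen, plen, opcode
    + bytes.fromhex("c00004dc0000") + bytes([199, 199, 199, 1])  # sender MAC / sender IP
    + bytes.fromhex("000000000000") + bytes([199, 199, 199, 2])  # target MAC / target IP
)

# Constructed DHCP snooping binding table (IP -> MAC) consulted for untrusted ports.
BINDINGS = {"199.199.199.1": "c0:00:04:dc:00:00", "199.199.199.2": "c0:00:04:dc:00:01"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Split an Ethernet+ARP frame into the fields DAI looks at."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
        "opcode": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]), "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]), "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }

def bad_ip(ip):
    # Addresses the 'ip' validation option treats as invalid or unexpected.
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast

def dai_verdict(frame, bindings, validate=()):
    """Model of the DAI decision for a packet arriving on an untrusted port.
    Default check: the sender IP/MAC pair (present in requests and replies alike)
    must match the binding table. 'validate' may add 'src-mac', 'dst-mac', 'ip'."""
    p = parse_arp(frame)
    if bindings.get(p["sender_ip"]) != p["sender_mac"]:
        return "drop: sender IP/MAC pair not in binding table"
    if "src-mac" in validate and p["eth_src"] != p["sender_mac"]:
        return "drop: Ethernet source MAC differs from ARP sender MAC"
    if "dst-mac" in validate and p["opcode"] == 2 and p["eth_dst"] != p["target_mac"]:
        return "drop: Ethernet destination MAC differs from ARP target MAC"
    # sender IP is checked in all ARP packets; target IP only in replies (opcode 2)
    if "ip" in validate and (bad_ip(p["sender_ip"]) or (p["opcode"] == 2 and bad_ip(p["target_ip"]))):
        return "drop: invalid or unexpected IP address in ARP body"
    return "forward"
```

Flipping the sender MAC to one not bound to 199.199.199.1 is enough for the request to be dropped by the default check; the all-zero target MAC in the request never enters the decision.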
