My question is in regard to Dynamic ARP Inspection. It was recommended that we enable it on our switches as part of the hardening process, but it uses the switch’s DHCP snooping database to allow ARP requests. As we do not use DHCP in the environment, it looks to me like I will have to manually add and remove the static IPs every time the environment is changed. Is there a better way to go about this? Basically, we are looking for a control to help prevent ARP poisoning and IP spoofing on the network. We use Nexus switches attached to our VBlock, and there is no DHCP in the environment.
Thanks in advance!
There seems to be no way around it: if you want Dynamic ARP Inspection in an environment with no DHCP, you need to do manual work.
From the configuration guide, you still need the DHCP feature enabled, though.
“If you want DAI to use static IP-MAC address bindings to determine if ARP packets are valid, ensure that the DHCP snooping feature is enabled and that you have configured the static IP-MAC address bindings.”
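What that looks like on NX-OS, as an added example that is not part of the original thread or the configuration guide: the DHCP feature is enabled only so the binding table exists, every host that may send ARP in the VLAN gets a static binding, DAI is switched on for the VLAN, and the uplinks are marked trusted so ARP coming from neighbouring switches is not dropped. VLAN 10, the interface names, addresses and MACs are placeholders; enabling `ip dhcp snooping` globally in addition to `feature dhcp` is done conservatively here and is an assumption, not a requirement stated in the quoted guide.

```text
! Added example: DAI on a Nexus switch with no DHCP server in the environment.
! The static bindings stand in for the entries DHCP snooping would normally learn.
feature dhcp
ip dhcp snooping
! No "ip dhcp snooping vlan 10" is needed: nothing is being snooped, the
! static bindings below populate the binding table.

! One binding per host that is allowed to ARP in VLAN 10 (placeholder values)
ip source binding 10.10.10.11 0050.56aa.0001 vlan 10 interface ethernet 1/1
ip source binding 10.10.10.12 0050.56aa.0002 vlan 10 interface ethernet 1/2

! Turn DAI on for the VLAN and also sanity-check the ARP body against the
! Ethernet header (catches crafted ARP with mismatched sender MAC / bogus IPs)
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! Uplinks and the vPC peer-link carry ARP from hosts behind other switches;
! mark them trusted or their ARP is dropped for lack of a local binding
interface ethernet 1/49
  description uplink
  ip arp inspection trust
interface port-channel 10
  description vPC peer-link
  ip arp inspection trust

! Verify the bindings DAI is checking against and watch the drop counters
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

Two things to check before applying this in production: every host port in the VLAN must have a binding (or be trusted) or that host loses ARP, and `show ip arp inspection statistics` should show only the drops you expect once the bindings are complete. Roll it out one VLAN at a time.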
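The "manual work" does not have to be typed by hand each time. The script below is an added example, not code from the original thread or from Cisco: it takes a host inventory (here a constructed list standing in for whatever the VBlock inventory or IPAM exports), parses the `ip source binding` lines already in the running config (a constructed sample, as NX-OS prints them), and emits only the `no ip source binding` / `ip source binding` commands needed to bring the switch in line. It also refuses to produce config when two inventory hosts claim the same IP in one VLAN, since that is the very condition DAI exists to block. The VLAN, ports, addresses and MACs are placeholders.

```python
"""Generate the NX-OS 'ip source binding' adds/removes that bring a switch's
DAI static binding table in line with a host inventory.

Added example, not from the original thread. Inventory and running-config
text below are constructed sample data; all values are placeholders.
"""
import re
from ipaddress import ip_address

# Desired state: one row per host allowed to ARP on the VLAN.
# In practice this comes from the VBlock/IPAM inventory export (assumption).
INVENTORY = [
    # (ip, mac, vlan, interface)
    ("10.10.10.11", "0050.56aa.0001", 10, "ethernet 1/1"),
    ("10.10.10.12", "0050.56aa.0002", 10, "ethernet 1/2"),
    ("10.10.10.13", "0050.56aa.0003", 10, "ethernet 1/3"),
]

# Current state: constructed sample of the relevant running-config lines
# (e.g. from "show running-config dhcp" on NX-OS).
RUNNING_CONFIG = """\
feature dhcp
ip dhcp snooping
ip source binding 10.10.10.11 0050.56aa.0001 vlan 10 interface ethernet 1/1
ip source binding 10.10.10.12 0050.56aa.00ff vlan 10 interface ethernet 1/2
ip source binding 10.10.10.99 0050.56aa.0099 vlan 10 interface ethernet 1/9
ip arp inspection vlan 10
"""

BINDING_RE = re.compile(
    r"^ip source binding (?P<ip>\S+) (?P<mac>\S+) vlan (?P<vlan>\d+) "
    r"interface (?P<intf>.+?)\s*$"
)


def normalize_mac(mac):
    """Canonicalise any common MAC notation to NX-OS dotted form xxxx.xxxx.xxxx."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def binding_key(ip, mac, vlan, intf):
    """Comparable tuple for one binding; ip_address() rejects malformed IPs."""
    return (str(ip_address(ip)), normalize_mac(mac), int(vlan), intf.strip().lower())


def parse_bindings(config_text):
    """Return the set of static bindings present in a running-config."""
    found = set()
    for line in config_text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            found.add(binding_key(m["ip"], m["mac"], m["vlan"], m["intf"]))
    return found


def desired_bindings(inventory):
    """Return the set of bindings the inventory says should exist."""
    keys = {binding_key(ip, mac, vlan, intf) for ip, mac, vlan, intf in inventory}
    # Two hosts with the same IP in one VLAN is exactly what DAI is meant to
    # catch; refuse to emit config for a conflicting inventory.
    ip_vlan = [(k[0], k[2]) for k in keys]
    if len(ip_vlan) != len(set(ip_vlan)):
        raise ValueError("duplicate IP in inventory for the same VLAN")
    return keys


def binding_cmd(key, remove=False):
    """Render one binding as the NX-OS command (or its 'no' form)."""
    ip, mac, vlan, intf = key
    cmd = f"ip source binding {ip} {mac} vlan {vlan} interface {intf}"
    return ("no " + cmd) if remove else cmd


def plan_changes(inventory, running_config):
    """NX-OS commands that move the switch from running_config to inventory.

    Stale bindings are removed first, so a host whose MAC or port changed
    never has two entries at once.
    """
    want = desired_bindings(inventory)
    have = parse_bindings(running_config)
    removes = [binding_cmd(k, remove=True) for k in sorted(have - want)]
    adds = [binding_cmd(k) for k in sorted(want - have)]
    return removes + adds


if __name__ == "__main__":
    for cmd in plan_changes(INVENTORY, RUNNING_CONFIG):
        print(cmd)
```

On the sample data this prints two `no ip source binding` lines (the stale MAC for 10.10.10.12 and the decommissioned 10.10.10.99) followed by two `ip source binding` lines (the corrected 10.10.10.12 entry and the new 10.10.10.13 host). Pipe the output into your usual config-push tooling; because the script only ever emits the delta, a run on an already-correct switch emits nothing.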