06-24-2019 06:14 PM
My question is in regards to Dynamic ARP Inspection. It was recommended that we enable it on our switches as part of the hardening process, but it uses the switch’s DHCP snooping database to allow ARP requests. As we do not use DHCP in the environment, it looks to me like I will have to manually add and remove the static IPs every time the environment is changed. Is there a better way to go about this? Basically we are looking for a control to help prevent ARP poisoning and IP spoofing on the network. We use Nexus switches attached to our VBlock, and there is no DHCP in the environment.
Thanks in advance!
06-24-2019 11:23 PM
Hi,
I think we need DHCP enabled on the network, and it is a prerequisite for the same.
06-24-2019 07:51 PM
There seems to be no way around it: if you want Dynamic ARP Inspection in an environment with no DHCP, you need to do manual work.
From the configuration guide, you still need the DHCP feature enabled though.
“If you want DAI to use static IP-MAC address bindings to determine if ARP packets are valid, ensure that the DHCP snooping feature is enabled and that you have configured the static IP-MAC address bindings.”
Configuring Dynamic ARP Inspection
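One way to cut down the manual work described above, as an added example that is not part of the original posts or of Cisco's guide: generate the static bindings from an address inventory and reject conflicting rows before they reach the switch. The inventory columns, the sample addresses and the function names are constructed for illustration, and the `ip source binding ... vlan ... interface ...` line format is assumed from NX-OS documentation and should be checked against the configuration guide for your platform and release.

```python
import csv, io, ipaddress, re

# Constructed sample inventory (not from the thread): one row per static host.
SAMPLE_INVENTORY = """ip,mac,vlan,interface
10.10.20.11,00:50:56:AA:BB:01,20,ethernet 1/1
10.10.20.12,0050.56aa.bb02,20,ethernet 1/2
10.10.20.11,00-50-56-aa-bb-99,20,ethernet 1/3
10.10.20.300,00:50:56:aa:bb:04,20,ethernet 1/4
"""

def cisco_mac(mac):
    """Normalise colon, dash or dotted MAC notation to xxxx.xxxx.xxxx."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def build_bindings(csv_text):
    """Return (commands, errors). A row is rejected if its IP, MAC or VLAN is
    malformed, or if it reuses an IP or MAC already bound in the same VLAN."""
    commands, errors, seen = [], [], set()
    rows = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        try:
            ip = str(ipaddress.IPv4Address(row["ip"].strip()))
            mac = cisco_mac(row["mac"].strip())
            vlan = int(row["vlan"])
        except ValueError as exc:
            errors.append(f"line {line_no}: {exc}")
            continue
        if (vlan, ip) in seen or (vlan, mac) in seen:
            errors.append(f"line {line_no}: {ip} / {mac} conflicts with "
                          f"an earlier binding in VLAN {vlan}")
            continue
        seen.update({(vlan, ip), (vlan, mac)})
        commands.append(f"ip source binding {ip} {mac} vlan {vlan} "
                        f"interface {row['interface'].strip()}")
    return commands, errors

if __name__ == "__main__":
    cmds, errs = build_bindings(SAMPLE_INVENTORY)
    print("\n".join(cmds))
    for e in errs:
        print("REJECTED", e)
```

Keeping the inventory in version control and regenerating the bindings on each change gives a reviewable diff instead of hand-typed entries.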
06-25-2019 05:03 AM
Thank you for the reply Hector! I really appreciate the validation!