
Question about dynamic ARP inspection

Dr.X
Level 2

Hi,

I want to ask about dynamic ARP inspection.

If I configured a port as trusted for dynamic ARP inspection,

and that port has a router with a static IP, I mean no DHCP,

do I need to bind the MAC & IP of the router interface in the database?

I just need a simple explanation of the steps in dynamic ARP.

My point of confusion is: if the port is configured as trusted, do I need to bind its MAC & IP? Why if yes, and why if no?

Regards

1 Reply

Rolf Fischer
Level 9

On a trusted port, no bindings are needed.

Typical examples of trusted ports are uplinks and switchports with non-DHCP edge devices connected.

Another option for non-DHCP edge devices is to create a so-called ARP ACL to identify them and use the "ip arp inspection filter vlan" command:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i1.html#GUID-085AC04D-5477-4D9F-B53B-D047AFF6B804
This gives much more control than trusting every device.

"do I need to bind the MAC & IP of the router interface in the database?"

A static (manual) DHCP snooping binding, on the other hand, can be useful on an untrusted (edge) port.

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ipaddr-i2.html#GUID-6AE5EA0B-F0F1-40CC-ADDE-8A758ABF80A7

BTW, DAI is enabled on a per-VLAN basis. I personally wouldn't enable it for a Mgmt-VLAN but rather for client-VLANs.

HTH

Rolf
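
The three options from the reply above, side by side, as an added configuration sketch that is not part of the original thread. VLAN 10, the interface names, the ACL name STATIC-HOSTS and the 192.0.2.1 / 0000.5e00.5301 pair are constructed placeholders, and exact syntax can vary by platform and IOS release.

```cisco
! Constructed example values: VLAN 10, Gi1/0/1, Gi1/0/24,
! 192.0.2.1 and 0000.5e00.5301 are placeholders, not from the thread.
!
! DAI is enabled per VLAN and checks ARP packets on untrusted ports
! against the DHCP snooping binding table.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Option A: trusted port. ARP received here bypasses inspection,
! so no MAC/IP binding is needed for the attached device.
interface GigabitEthernet1/0/24
 description uplink
 ip arp inspection trust
!
! Option B: leave the port untrusted and identify the static-IP
! device with an ARP ACL. Only this IP/MAC pair is accepted without
! a snooping binding; other ARP on the port is still validated.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.1 mac host 0000.5e00.5301
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
interface GigabitEthernet1/0/1
 description static-IP router, untrusted
 no ip arp inspection trust
!
! Option C: untrusted port plus a manual DHCP snooping binding.
! Entered in privileged EXEC mode, not configuration mode:
!   ip dhcp snooping binding 0000.5e00.5301 vlan 10 192.0.2.1 interface GigabitEthernet1/0/1 expiry 4294967295
!
! Checks after applying any option:
!   show ip arp inspection vlan 10
!   show ip arp inspection interfaces
!   show ip arp inspection statistics vlan 10
!   show ip dhcp snooping binding
```

A rising drop counter in `show ip arp inspection statistics` for the static-IP device means its ARP traffic matched neither the ARP ACL nor a binding.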
