Cisco switch ARP Inspection

Hey guys,

Anyone actually use Cisco switches with arp inspection? I never have. I am just curious what kinds of challenges you have run into? Benefits realized? etc. Just general input and thoughts would be appreciated.

thanks,

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

powerfool

The CCNA Security and CCSP SNRS exams cover these concepts. There are many aspects of Layer 2 security. Port Security is one option available. In addition, securing the DHCP implementation by only trusting the DHCP server your organization supports allows a Cisco switch to use DHCP snooping to watch IP and MAC address pairings and use it as an authoritative source of information to keep ARP attacks from occurring.

Daniel333

I am only familiar with it from my cert studies.

I was curious if you (or anyone else) currently uses it? What kind of troubles have you had?

Daniel333

Well, I went to deploy it the other day. Small two switch, 3 server site. Our senior engineer told me not to. That it "causes" issues.

Works fine in my lab. No idea why I wouldn't do this. He wouldn't elaborate at all, and dismissed me.

Just looking to see people's overall experiences.

instant000

Daniel333 wrote: »

Well, I went to deploy it the other day. Small two switch, 3 server site. Our senior engineer told me not to. That it "causes" issues.

Works fine in my lab. No idea why I wouldn't do this. He wouldn't elaborate at all, and dismissed me.

Just looking to see people's overall experiences.

I have a specific case where we were deploying an environmnal monitor equipment, and it turned out that there was an error in the log (found under "sh log") that was attributed to "arp inspection"

I'll admit that I just googled up the error message at that very moment, and fixed the problem, and never gave the issue another thought, until you mentioned this just now.

I apologize that I am not worth more help to you at this time, LOL.

If the senior engineer is referring to issues, he may be knowledgeable about equipment that you may have, that might introduce this type of issue. If I were you, I would ask him to elaborate.

According to the article I just read up about this in about five minutes (admitted, not much research) Any issues caused by implementing it can be readily remedied ... but let me re-confirm that I only looked at this for about five minutes.

Security Features on Switches > Dynamic ARP Inspection (DAI)

Forsaken_GA

It works well when implemented properly. The only time I've ever seen issues with it are on badly designed networks.

With that being said, we don't deploy it. We have other methods to detect rogue DHCP servers.

Forsaken_GA

phoeneous wrote: »

ip dhcp snoop?

Newp!

I'm not being coy, I can't go into details. Operational security, and all that.

AlanJames

yeah done it a couple time for clients.

works well.

only issue i had was with devices that had static IP addresses, printers and the like.

You can either make it a trusted port, or create a mac access list and add the mac address manually.

note, that you have to enable DHCP snooping to use Dynamic ARP inspection.

A

AlanJames

BTW "DAI - Dynamic Arp Inspection" is not a security feature to detect rouge DHCP servers, thats dhcp snooping.

Forsaken_GA

AlanJames wrote: »

BTW "DAI - Dynamic Arp Inspection" is not a security feature to detect rouge DHCP servers, thats dhcp snooping.

No, it's just a requirement, which I think is particularly stupid.

Deploying DAI is alot like deploying QoS. You have to plan it out properly, or else there are unforseen consequences. If all your switches support it, it's not such a big deal, but if you have some that don't, it gets kind of icky. Reminded me far too much of setting up domain trusts in a windows environment