Cisco switch ARP Inspection

Daniel333 Member Posts: 2,077
Hey guys,

Anyone actually use Cisco switches with arp inspection? I never have. I am just curious what kinds of challenges you have run into? Benefits realized? etc. Just general input and thoughts would be appreciated.

thanks,
-Daniel

Comments

  • powerfool Member Posts: 1,666
    The CCNA Security and CCSP SNRS exams cover these concepts. There are many aspects of Layer 2 security. Port Security is one option available. In addition, securing the DHCP implementation by only trusting the DHCP server your organization supports allows a Cisco switch to use DHCP snooping to watch IP and MAC address pairings and use it as an authoritative source of information to keep ARP attacks from occurring.
  • Daniel333 Member Posts: 2,077
    I am only familiar with it from my cert studies.

    I was curious if you (or anyone else) currently uses it? What kind of troubles have you had?
    -Daniel
  • phoeneous Member Posts: 2,333
    Daniel333 wrote: »
    I am only familiar with it from my cert studies.

    I was curious if you (or anyone else) currently uses it? What kind of troubles have you had?

    What do you mean by troubles?
  • Daniel333 Member Posts: 2,077
    Well, I went to deploy it the other day. Small two-switch, three-server site. Our senior engineer told me not to. That it "causes" issues.

    Works fine in my lab. No idea why I wouldn't do this. He wouldn't elaborate at all, and dismissed me.

    Just looking to see people's overall experiences.
    -Daniel
  • instant000 Member Posts: 1,745
    Daniel333 wrote: »
    Well, I went to deploy it the other day. Small two switch, 3 server site. Our senior engineer told me not to. That it "causes" issues.

    Works fine in my lab. No idea why I wouldn't do this. He wouldn't elaborate at all, and dismissed me.

    Just looking to see people's overall experiences.

    I have a specific case where we were deploying environmental monitoring equipment, and it turned out that there was an error in the log (found under "sh log") that was attributed to "arp inspection".

    I'll admit that I just googled up the error message at that very moment, and fixed the problem, and never gave the issue another thought, until you mentioned this just now.

    I apologize that I am not worth more help to you at this time, LOL.

    If the senior engineer is referring to issues, he may be knowledgeable about equipment that you may have, that might introduce this type of issue. If I were you, I would ask him to elaborate.

    According to the article I just read about this in about five minutes (admittedly, not much research), any issues caused by implementing it can be readily remedied ... but let me re-confirm that I only looked at this for about five minutes.

    Security Features on Switches > Dynamic ARP Inspection (DAI)
  • Forsaken_GA Member Posts: 4,024
    It works well when implemented properly. The only time I've ever seen issues with it are on badly designed networks.

    With that being said, we don't deploy it. We have other methods to detect rogue DHCP servers.
  • phoeneous Member Posts: 2,333
    Forsaken_GA wrote: »
    It works well when implemented properly. The only time I've ever seen issues with it are on badly designed networks.

    With that being said, we don't deploy it. We have other methods to detect rogue DHCP servers.

    ip dhcp snoop?
  • Forsaken_GA Member Posts: 4,024
    phoeneous wrote: »
    ip dhcp snoop?

    Newp!

    I'm not being coy, I can't go into details. Operational security, and all that.
  • AlanJames Member Posts: 230
    Yeah, done it a couple of times for clients.

    Works well.

    Only issue I had was with devices that had static IP addresses, printers and the like.

    You can either make it a trusted port, or create a MAC access list and add the MAC address manually.

    Note that you have to enable DHCP snooping to use Dynamic ARP Inspection.

    A
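    Putting powerfool's description (DHCP snooping as the binding source that DAI checks ARP against) and AlanJames's static-host workaround together, here is an added Catalyst IOS configuration example. It is not from any post in this thread. VLAN 10, the interface names, the printer's 10.10.10.50 / 0011.2233.4455 pair and the file name flash:dhcp-snoop.db are assumed placeholders.

```cisco
! Added example, not from the thread. Placeholders: VLAN 10, the interface
! names, the printer's 10.10.10.50 / 0011.2233.4455, and flash:dhcp-snoop.db.
!
! 1. DHCP snooping first: DAI validates ARP against the snooping binding table.
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist bindings so a reload does not empty the table and cut off every host
! until it renews its lease.
ip dhcp snooping database flash:dhcp-snoop.db
!
! 2. DAI on the same VLAN, plus sanity checks on the ARP body vs. the frame.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! Bring a port back automatically if the DAI rate limiter err-disables it.
errdisable recovery cause arp-inspection
!
! 3. Trusted ports: the DHCP server and the link to the other switch.
!    Snooping trust and DAI trust are separate settings; both are needed.
interface GigabitEthernet1/0/47
 description DHCP server
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/48
 description Trunk to second switch
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 4. Ordinary client port: untrusted (the default). 15 ARP/s is the default
!    untrusted rate limit; shown explicitly so it is visible in the config.
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 ip arp inspection limit rate 15
!
! 5. Statically addressed printer: no DHCP lease, so no binding. Instead of
!    trusting its port, whitelist the IP/MAC pair with an ARP ACL.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
!
! The ACL is consulted before the binding table. Without the "static" keyword
! a packet that matches no ACL entry falls through to the snooping table; with
! "static" appended, non-matching packets are dropped outright.
ip arp inspection filter STATIC-HOSTS vlan 10
!
! 6. Verification (exec mode, not configuration).
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection interfaces
show ip arp inspection statistics vlan 10
show logging | include DAI
```

    Two operational points worth checking before turning this on at a site: the binding table starts empty when snooping is enabled, so hosts that already hold a lease have no entry until they renew and DAI will drop their ARP in the meantime (run `show ip dhcp snooping binding` and wait for the expected entries, or plan the change around a lease-renewal window); and a neighbouring switch that does not run DAI must be reached through a port marked `ip arp inspection trust`, otherwise every host behind it gets dropped. DAI drops show up in `show logging` under the SW_DAI facility, which is the kind of message instant000 describes finding.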
  • AlanJames Member Posts: 230
    BTW, "DAI - Dynamic ARP Inspection" is not a security feature to detect rogue DHCP servers; that's DHCP snooping.
  • Forsaken_GA Member Posts: 4,024
    AlanJames wrote: »
    BTW, "DAI - Dynamic ARP Inspection" is not a security feature to detect rogue DHCP servers; that's DHCP snooping.

    No, it's just a requirement, which I think is particularly stupid.

    Deploying DAI is a lot like deploying QoS. You have to plan it out properly, or else there are unforeseen consequences. If all your switches support it, it's not such a big deal, but if you have some that don't, it gets kind of icky. Reminded me far too much of setting up domain trusts in a Windows environment.
  • phoeneous Member Posts: 2,333
    Forsaken_GA wrote: »
    Reminded me far too much of setting up domain trusts in a Windows environment.

    Fun times!