[c-nsp] ip arp inspection

Lukas Tribus luky-37 at hotmail.com
Mon Mar 3 09:02:29 EST 2014


Hi,


> Hi,
>
> I have ip dhcp snooping and ip arp inspection enabled:
>
>
> ip arp inspection vlan 311-314
> ip arp inspection validate src-mac dst-mac ip
> ip dhcp snooping vlan 311-314
> ip dhcp snooping
>
> This appears to enforce that, if you are on one of those vlans and
> you don't have a dhcp assigned IP, you can't talk.
>
> I am noticing however that if I do a ping scan of the subnets on
> those vlans, even though the switch should know what IPs are assigned via
> its dhcp snooping database, it allows the ARPs through anyway for IP
> addresses not in its database. This seems a bit silly, why not save the
> bandwidth and just drop outgoing ARP on ports where the dhcp snooping db
> doesn't have an entry for it?

DAI only intercepts ARP requests from untrusted ports. If you receive an
ARP request on a trusted port, it will always be forwarded [1].

Saving bandwidth is not DAI's job, discarding invalid ARP request/responses
in RX on untrusted ports is. I do understand your point, but DAI is not that.

I'm not aware of any feature doing this, other than blocking all broadcast,
multicast and unknown unicast transmission on the untrusted port.



Regards,

Lukas



[1] http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html#wp1082194
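As an added illustration (not from the thread or from Cisco), here is a small Python model of the DAI decision for an ARP packet under the configuration quoted above, with a constructed snooping binding table and an assumed trusted uplink port Gi1/0/48. It shows the two points in the reply: trusted ports skip inspection entirely, and on untrusted ports DAI validates the sender's IP/MAC binding (plus the src-mac, dst-mac and ip checks), not the target IP, which is why a scan from a host with a valid lease is forwarded.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table: (vlan, ip) -> mac
BINDINGS = {
    (311, "10.31.1.10"): "00:11:22:33:44:10",
    (311, "10.31.1.11"): "00:11:22:33:44:11",
}
TRUSTED_PORTS = {"Gi1/0/48"}  # assumed uplink towards DHCP server/router


@dataclass
class Arp:
    port: str
    vlan: int
    eth_src: str
    eth_dst: str
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _bogus_ip(ip: str) -> bool:
    """'validate ip' rejects 0.0.0.0, 255.255.255.255 and multicast (224/4)."""
    first_octet = int(ip.split(".")[0])
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= first_octet <= 239


def dai_decision(pkt: Arp) -> str:
    """Return 'forward' or a drop reason, mirroring DAI's per-port logic."""
    if pkt.port in TRUSTED_PORTS:
        return "forward"                      # trusted port: never inspected
    # 'validate src-mac': Ethernet source must equal the ARP sender MAC
    if pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop: src-mac mismatch"
    # 'validate dst-mac': on replies, Ethernet dest must equal the ARP target MAC
    if pkt.opcode == 2 and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "drop: dst-mac mismatch"
    # 'validate ip': sender IP on requests; sender and target IP on replies
    ips = [pkt.sender_ip] + ([pkt.target_ip] if pkt.opcode == 2 else [])
    if any(_bogus_ip(ip) for ip in ips):
        return "drop: invalid ip"
    # Core DAI check: sender IP/MAC must match a snooping binding in this VLAN
    if BINDINGS.get((pkt.vlan, pkt.sender_ip), "").lower() != pkt.sender_mac.lower():
        return "drop: no binding for sender"
    return "forward"                          # the target IP is not consulted
```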

