Dynamic ARP Inspection (DAI)

SOLVED
tantony
Head in the Cloud

Dynamic ARP Inspection (DAI)

Sorry if this is the wrong place, I couldn't find a general network section.  My switches are Netgear (I know, I know), and I have DHCP Snooping enabled, and I'm also thinking about enabling Dynamic ARP Inspection (DAI).  Do you guys have DHCP Snooping and DAI enabled at your production network?

 

I know DAI looks at the DHCP Snooping database to compare the MAC and IP, but with people working from their home, what happens when they return to work since their laptops will not be in the DHCP Snooping database.  I know you can manually add them but that's a lot of work.

 

Also, what about 802.1X authentication, anyone using them on their production network?

 

I'm trying to make my production network more secure.

1 ACCEPTED SOLUTION
ww
Kind of a big deal
Kind of a big deal

No.

Dhcp snooping prevent dhcp server side packets(offer,ack) from being send from untrusted ports.  (You have to trust ports to the dhcp server like trunks and the port the dhcp server is on)

So it prevents from unwanted dhcp servers on your network

 

 

And it fills the dhcp snooping table based on the dhcp packets.

 

 

View solution in original post

5 REPLIES 5
ww
Kind of a big deal
Kind of a big deal

If your clients connect to the switch and get a dhcp address  the snooping table will fill. Only client with static assigned  address need to have a static entry in the switch.

tantony
Head in the Cloud

Wouldn't the client's MAC already have to be in the DHCP Snooping table even to get DHCP?  I'm talking about a new device that never connected before.

ww
Kind of a big deal
Kind of a big deal

No.

Dhcp snooping prevent dhcp server side packets(offer,ack) from being send from untrusted ports.  (You have to trust ports to the dhcp server like trunks and the port the dhcp server is on)

So it prevents from unwanted dhcp servers on your network

 

 

And it fills the dhcp snooping table based on the dhcp packets.

 

 

tantony
Head in the Cloud

Ah right, I forgot about that part.  I already have the trunk and lags as trusted, and rest untrusted.  

So far, I've only enabled DAI on one of the switch, and everything is working.

tantony
Head in the Cloud

Love to hear if anyone is using 802.1X on their network also.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.