Meraki

Community

Dynamic ARP Inspection (DAI)

Solved
tantony
Head in the Cloud
‎Aug 30 2021 8:17 AM
‎Aug 30 2021 8:17 AM

Dynamic ARP Inspection (DAI)

Sorry if this is the wrong place, I couldn't find a general network section.  My switches are Netgear (I know, I know), and I have DHCP Snooping enabled, and I'm also thinking about enabling Dynamic ARP Inspection (DAI).  Do you guys have DHCP Snooping and DAI enabled at your production network?

 

I know DAI looks at the DHCP Snooping database to compare the MAC and IP, but with people working from their home, what happens when they return to work since their laptops will not be in the DHCP Snooping database.  I know you can manually add them but that's a lot of work.

 

Also, what about 802.1X authentication, anyone using them on their production network?

 

I'm trying to make my production network more secure.

0 Kudos
1 Accepted Solution
In response to tantony
ww
Kind of a big deal
Kind of a big deal
‎Aug 30 2021 10:24 AM
‎Aug 30 2021 10:24 AM

No.

Dhcp snooping prevent dhcp server side packets(offer,ack) from being send from untrusted ports.  (You have to trust ports to the dhcp server like trunks and the port the dhcp server is on)

So it prevents from unwanted dhcp servers on your network

 

 

And it fills the dhcp snooping table based on the dhcp packets.

 

 

View solution in original post

0 Kudos
5 Replies 5
ww
Kind of a big deal
Kind of a big deal
‎Aug 30 2021 9:43 AM
‎Aug 30 2021 9:43 AM

If your clients connect to the switch and get a dhcp address  the snooping table will fill. Only client with static assigned  address need to have a static entry in the switch.

0 Kudos
In response to ww
tantony
Head in the Cloud
‎Aug 30 2021 10:19 AM
‎Aug 30 2021 10:19 AM

Wouldn't the client's MAC already have to be in the DHCP Snooping table even to get DHCP?  I'm talking about a new device that never connected before.

0 Kudos
In response to tantony
ww
Kind of a big deal
Kind of a big deal
‎Aug 30 2021 10:24 AM
‎Aug 30 2021 10:24 AM

No.

Dhcp snooping prevent dhcp server side packets(offer,ack) from being send from untrusted ports.  (You have to trust ports to the dhcp server like trunks and the port the dhcp server is on)

So it prevents from unwanted dhcp servers on your network

 

 

And it fills the dhcp snooping table based on the dhcp packets.

 

 

0 Kudos
In response to ww
tantony
Head in the Cloud
‎Aug 30 2021 10:33 AM
‎Aug 30 2021 10:33 AM

Ah right, I forgot about that part.  I already have the trunk and lags as trusted, and rest untrusted.  

So far, I've only enabled DAI on one of the switch, and everything is working.

0 Kudos
In response to tantony
tantony
Head in the Cloud
‎Aug 30 2021 10:34 AM
‎Aug 30 2021 10:34 AM

Love to hear if anyone is using 802.1X on their network also.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.