DHCP snooping and Dynamic ARP Inspection

SOLVED
tantony
Head in the Cloud

DHCP snooping and Dynamic ARP Inspection

Sorry if this is the wrong place to ask, but my switches are Netgear switches.

I would like to enable DHCP snooping and Dynamic ARP Inspection (DAI) on my switches. If I understand correctly, DAI works with the DHCP snooping database to compare the MAC address. My question is, if I enable DHCP snooping, do I have to enable DAI also to work properly?

Can I just enable DHCP snooping? The reason is because I tried DHCP snooping + DAI on one of the switches to test, and as soon as I enabled DAI, I lost the uplink.

1 ACCEPTED SOLUTION
KarstenI
Kind of a big deal


@tantony wrote:

@KarstenI 

I agree I need Meraki switches, I have a MX84 does that count? 😀


So there is hope ... 🙂

Just to make sure I understand, if I enable DHCP snooping, I don't HAVE to enable DAI.

Correct.

But for DAI to work efficiently, the DHCP snooping database needs to populate.

Is that right? I'm new to switch security.

Yes, just think about what we want to protect against: The attacker sends a gratuitous ARP-reply where he pretends that his own MAC-address belongs to the IP of someone else. The switch wants to detect that this ARP-reply is a lie and the MAC-to-IP binding contained in it is wrong. To detect this, the switch needs all the correct bindings of IP to MAC-addresses. DHCP-Snooping is the typical tool for the switch to learn the binding. When the client does the DHCP-process, the switch sees both the MAC of the client and the assigned IP from the server. And this binding is considered true for the other operations like DAI.

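The mechanism described in this answer, as an added toy model (not code from the thread, Meraki, Netgear or any other vendor): the switch records an IP-to-MAC binding whenever it sees a DHCP ACK on a trusted port, and DAI then accepts an ARP packet on an untrusted port only if its sender IP/MAC pair matches a binding. The trusted/untrusted port split, the port names, the message fields and the sample traffic are all constructed assumptions for the illustration.

```python
# Added illustration (not code from the thread or from any vendor): a toy model
# of a switch that learns IP-to-MAC bindings from DHCP ACKs (DHCP snooping) and
# then validates ARP packets on untrusted ports against them (DAI).
from dataclasses import dataclass, field

@dataclass
class Switch:
    trusted_ports: set                            # uplink / DHCP-server side ports
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> (mac, port)

    def on_dhcp(self, msg):
        """DHCP snooping: a server ACK seen on a trusted port creates a binding;
        a server ACK arriving on an untrusted port is treated as a rogue server."""
        if msg["op"] != "ACK":
            return "forward"                      # client messages are just forwarded
        if msg["in_port"] not in self.trusted_ports:
            return "drop-rogue-dhcp"
        self.bindings[(msg["vlan"], msg["yiaddr"])] = (msg["chaddr"], msg["client_port"])
        return "binding-added"

    def on_arp(self, pkt):
        """DAI: ARP from trusted ports passes; from untrusted ports the sender
        IP/MAC pair must match a snooping binding, otherwise the ARP is dropped.
        No binding yet (table not populated) also means drop."""
        if pkt["in_port"] in self.trusted_ports:
            return "forward"
        bound = self.bindings.get((pkt["vlan"], pkt["sender_ip"]))
        if bound is None or bound[0] != pkt["sender_mac"]:
            return "drop-invalid-arp"
        return "forward"

def demo():
    """Constructed sample traffic; returns the switch's verdict for each event."""
    sw = Switch(trusted_ports={"uplink"})
    ack = {"op": "ACK", "in_port": "uplink", "vlan": 10, "yiaddr": "10.0.0.5",
           "chaddr": "aa:aa:aa:aa:aa:05", "client_port": "gi1"}
    legit = {"in_port": "gi1", "vlan": 10, "sender_ip": "10.0.0.5",
             "sender_mac": "aa:aa:aa:aa:aa:05"}
    spoof = {"in_port": "gi2", "vlan": 10, "sender_ip": "10.0.0.5",
             "sender_mac": "bb:bb:bb:bb:bb:02"}   # claims someone else's IP
    rogue = dict(ack, in_port="gi2")            # DHCP ACK from an access port
    return [
        sw.on_arp(legit),    # before any DHCP: table empty -> dropped
        sw.on_dhcp(ack),     # binding learned from the trusted uplink
        sw.on_arp(legit),    # now matches the binding -> forwarded
        sw.on_arp(spoof),    # gratuitous reply with wrong MAC -> dropped
        sw.on_dhcp(rogue),   # server message on untrusted port -> dropped
        sw.on_arp(dict(spoof, in_port="uplink")),  # trusted port: not inspected
    ]
```

The first verdict is the situation the thread warns about: with an empty snooping table, DAI drops even a legitimate host's ARP, which is why the table must be populated (learned or configured) before DAI is useful.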

4 REPLIES
KarstenI
Kind of a big deal

Yes, for Netgear it is the wrong place ... This is Meraki here, but you'll be fine after correcting your network. 😉

In general, DHCP-Snooping and DAI are quite similar across vendors. DAI needs a working DHCP-Snooping, but DHCP-Snooping does not need DAI.

Typically you first activate DHCP-Snooping and then you have to wait for the Snooping-database to be populated. If this database is not complete (learned or manually configured), DAI cannot do its work as it is not aware of the systems' IP-to-MAC binding.

tantony
Head in the Cloud

@KarstenI 

I agree I need Meraki switches, I have a MX84 does that count? 😀

Just to make sure I understand, if I enable DHCP snooping, I don't HAVE to enable DAI.

But for DAI to work efficiently, the DHCP snooping database needs to populate.

Is that right? I'm new to switch security.

tantony
Head in the Cloud

@KarstenI 

Thank you 
