Hi Gitau,
ARP Snooping and DHCP Snooping combination works pretty well on a Cisco
campus network design.
HSRP standby IP/MAC addresses would hardly be used as ingress source addresses
on access ports on the 3750 switches, and hence the DHCP binding DB must not
contain such bindings for successful operation.
The switchports on the 3750 facing the clients on the access network are the
ones protected. Therefore, all clients connected via those ports would need
to have valid IP-MAC (and VLAN, port number, etc.) bindings present in
the DB for traffic coming from such hosts to be allowed into the port. These
would be the untrusted ports from the DHCP and ARP Inspection point of view.
Now, all trunk links towards the core (datacentre) where your DHCP server is
located must be configured as trusted ports. This is because DHCP messages
coming from the server would be seen on those links and therefore a trust
would need to be assigned on all ports that would carry ingress DHCP server
messages.
Now, don't forget your DHCP Information Option insertion on your 3750s! You
need to configure "no ip dhcp snooping information option" to stop the
insertion of information into DHCP messages from your clients on the access
switches. This is only one way of dealing with this issue though, as there
are more options. I am sure you get the idea anyway.
I have worked pretty exhaustively with a network where HSRP + IP ARP
Inspection + DHCP Snooping combination has worked pretty well with no issues
at all!
If the problem persists, some configuration would be helpful to further
troubleshoot this issue.
HTH,
Sadiq
On Mon, Aug 1, 2011 at 5:44 PM, John Gitau <jgitau_at_gmail.com> wrote:
> One of my clients has an interesting issue:
> <------quote---->
> How to deploy ARP injection safeguards in a campus in the environment
> below:
>
> * 2 4500 switches supporting over 25 3750 Series Switches
> connecting over 500 users.
> * Each Switch has two uplinks to the 4500 on fibre and running RSTP
> * Campus LAN is segmented using VLANs for Voice and Data.
>
> ARP inspection and DHCP Snooping are supposed to work together.
>
> One of the challenges for instance is, how do you bind a HSRP standby
> IP by its MAC address where it has no interface of its own, or do you
> use its SVI address?
>
> I feel the trust relations are not forming well enough, thus the
> uplinks keep getting shut.
>
> Does the Native VLAN play a role in these configurations?
> -------</quote>------
>
> As I work with them to recreate this in a lab, it would be nice to
> know if anyone has some experience on the above.
>
> Gitau
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
CCIEx2 (R&S|Sec) #19963
Received on Tue Aug 02 2011 - 10:43:32 ART
This archive was generated by hypermail 2.2.0 : Thu Sep 01 2011 - 06:05:56 ART
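The configuration below is an added example for the design discussed in this thread; it is not from either poster. It puts the pieces together on one 3750 access switch: snooping on the client VLANs, Option 82 insertion turned off, the two fibre uplinks to the 4500s trusted for both DHCP snooping and DAI (so gateway ARP and DHCP server replies are never inspected or rate-limited there), client ports left untrusted with an ARP rate limit, and an ARP ACL for addresses that never appear in a lease, such as the HSRP virtual IP/MAC. All VLAN numbers, interface numbers, IP addresses, the HSRP group and the printer MAC are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumptions: data VLAN 10, voice VLAN 20,
! uplinks Gi1/0/49-50 towards the 4500s, clients on Gi1/0/1-48, HSRP group 10
! with virtual IP 10.10.10.1 (HSRPv1 virtual MAC 0000.0c07.ac0a), DHCP server
! reached through the core.
!
! --- DHCP snooping: builds the IP/MAC/VLAN/port binding DB that DAI checks
ip dhcp snooping
ip dhcp snooping vlan 10,20
! The 3750 would otherwise insert Option 82 with giaddr 0.0.0.0, which the
! relay/server drops by default. (Alternative on the upstream relay:
! "ip dhcp relay information trust-all".)
no ip dhcp snooping information option
! Persist bindings so a reload does not leave every host blocked until renewal
ip dhcp snooping database flash:/dhcp-snoop.db
!
! --- Dynamic ARP Inspection on the same VLANs, with extra header checks
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Static entries for addresses with no DHCP lease. Without the "static"
! keyword, ARP that matches no permit line falls through to the snooping DB.
arp access-list DAI-STATIC
 permit ip host 10.10.10.1 mac host 0000.0c07.ac0a
 ! assumed statically addressed printer in VLAN 10
 permit ip host 10.10.10.2 mac host 0011.2233.4455
ip arp inspection filter DAI-STATIC vlan 10
!
! --- Uplinks to the 4500s: trusted for both features. Trust is per interface,
! so it covers every VLAN carried on the trunk, including the native VLAN.
interface range GigabitEthernet1/0/49 - 50
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Client ports: untrusted (the default). The rate limit means a flooding
! host err-disables only its own port, never an uplink.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip arp inspection limit rate 30
!
! Bring DAI err-disabled ports back automatically
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verification
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection interfaces
! show ip arp inspection statistics vlan 10
```

The check that matters for the "uplinks keep getting shut" symptom is `show ip arp inspection interfaces`: both uplinks must show as Trusted with rate "None"; an uplink listed as Untrusted at 15 pps will err-disable as soon as gateway ARP traffic crosses it. `show ip dhcp snooping binding` should list one entry per client with the right VLAN and port; the HSRP virtual address is not expected there, which is why it is carried in the ARP ACL instead.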