Wednesday, December 1, 2021

Do APs defeat the object of DAI?

I am in the process of planning an implementation of DHCP Snooping and Dynamic ARP Inspection. The network is using Ubiquiti APs with Cat 2960X switches.

The AP ports are configured as trunks with the necessary VLANs tagged. However, there will be a few locations where roaming will push you onto a new access switch as you enter a new block. My thinking to combat this is to ‘trust’ the AP ports so DAI doesn’t go mental when someone switches switch.

However, doesn’t that defeat the object of DAI in the first place? Now an attacker can “connect” to the WiFi and start an ARP poisoning attack, and I’m allowing it!!

Is there any other way around this? Like access switches being able to share their DHCP Snooping bindings?

Originally posted on r/Cisco but thought it might get more traction here with other vendors involved.
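For readers weighing the trade-off the question describes, here is an added Catalyst 2960X-style configuration (not from the original post or from Cisco documentation) that shows what "trusting the AP trunk for DAI" looks like next to a fully inspected wired port; the VLAN numbers, interface names and descriptions are assumed placeholders.

```cisco
! Added example, not the poster's config: DHCP snooping + DAI on an access
! switch where the AP trunk is trusted for DAI only. VLANs 10/20 and the
! interface names are assumed.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
! Also check the MAC and IP addresses carried inside the ARP body
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the DHCP server: trusted for both features, since DHCP
! OFFER/ACK and infrastructure ARP arrive here
interface GigabitEthernet1/0/48
 description UPLINK
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! AP trunk: left untrusted for DHCP snooping (client DISCOVER/REQUEST
! is allowed on untrusted ports), but trusted for DAI as the question
! proposes. Consequence: ARP from every wireless client behind this AP
! bypasses inspection on this switch. Without the trust, a client that
! roams in while keeping its lease has no binding here and its ARP is dropped.
interface GigabitEthernet1/0/1
 description AP-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ip arp inspection trust
!
! Wired user port: fully inspected, with the ARP rate limit in place
interface GigabitEthernet1/0/2
 description USER
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
 spanning-tree portfast
!
! Verification: 'show ip arp inspection interfaces' lists per-port trust
! state; 'show ip dhcp snooping binding' shows the table DAI consults,
! which is local to this switch only.
```

The binding table shown by the last command is built per switch, so a client's entry does not follow it to another access switch; that is the gap the trusted AP port papers over.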