DHCP Authorized ARP and HSRP

Unanswered Question
Aug 4th, 2008

Hi there,

I would very much appreciate suggestions on the following problem.

We are setting up a new network with HA and redundancy.

We are using two 2811 routers connected to two Catalysts (one 4006 and one 4507).

The 2811s are acting as DHCP servers and form an HSRP group.

The default gateway is the same for all clients and is served by both 2811s.

The problem is that no user should be able to change the IP configuration on a laptop and fix the IP configuration. But there is no domain controller, nor any user administration policy.

They want to implement it via the networking equipment.

We assume that this is not possible, and that only approaches to it can be implemented.

We have configured 802.1X, and it is working.

We have also configured DHCP Authorized ARP, and it seems to be working, but the problem is that the default gateway is always the same.

Assume 2811A is acting as the gateway.

Packets sourced by a laptop whose IP configuration was obtained through 2811B and reaching the gateway (2811A) are blocked due to DHCP Authorized ARP.

How can we bypass this issue?

Thanks

Giuseppe Larosa Mon, 08/04/2008 - 13:28

Hello Inaki,

>> Packets sourced by a laptop whose IP configuration was obtained through 2811B and reaching the gateway (2811A) are blocked due to DHCP Authorized ARP.

I see two ways:

Use two HSRP groups on the same VLAN, have 2811B be the master of HSRP group B, and have the DHCP scope on 2811B give the VIP of this second HSRP group as the gateway.

Find a way to delay the DHCP response of 2811B so that all users will likely get their IP addresses from 2811A as long as 2811A is alive.

However, what will happen when 2811A dies, or at least has its interface in the VLAN disconnected?

I think you should have a repository for all leases on a separate host in order to be able to achieve real redundancy.

see:

When you configure a DHCP policy, you must define the IP address pools for the server to use to provide addresses to DHCP clients. In addition, you can optionally define the following:

• External DHCP database agent.

Understanding DHCP Database Agents

A DHCP database agent is any external host (for example, an FTP, TFTP, or RCP server) that stores the DHCP bindings database. You can include one or more DHCP database agents in each DHCP policy, as well as configure the interval between database updates to the agent.

If both routers update the same database, this could help if they consult the external DB to decide whether a user is authorized or not.

However, because you are already using 802.1X authentication, using DHCP Authorized ARP may be too much.

Hope to help

Giuseppe
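Giuseppe's first option (two HSRP groups on the one VLAN, each router's DHCP scope handing out its own VIP as the gateway, plus a DHCP database agent) written out as router-side IOS configuration. This is an added example, not configuration posted in the thread. The 192.168.10.0/24 addressing, the FastEthernet0/0 interface, the FTP host 10.0.0.5 (assumed to sit on another subnet reached over a different interface, because an interface with `arp authorized` no longer learns dynamic ARP entries for hosts on its own VLAN) and the split of the /24 into two disjoint halves are all assumptions.

```cisco
! ---- 2811A: active for HSRP group 1 (VIP 192.168.10.1), standby for group 2 ----
! Addressing, interface name and FTP host are assumed for this example.
! Each router leases from a disjoint half of the /24 so that the two independent
! DHCP servers never hand out the same address.
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.10.128 192.168.10.255
!
! Database agent: this router's bindings survive its reload. Each router writes
! its own file; the agent stores bindings, it does not merge the two servers' leases.
ip dhcp database ftp://dhcp:secret@10.0.0.5/bindings-2811A write-delay 60 timeout 30
!
ip dhcp pool LAN-A
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 ! install an ARP entry for every lease this router issues (authorized ARP)
 update arp
!
interface FastEthernet0/0
 ip address 192.168.10.2 255.255.255.0
 ! accept only DHCP-installed and static ARP entries on this interface
 arp authorized
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt
 standby 2 ip 192.168.10.254
 standby 2 priority 90
 standby 2 preempt
!
! ---- 2811B: active for HSRP group 2 (VIP 192.168.10.254), standby for group 1 ----
ip dhcp excluded-address 192.168.10.1 192.168.10.127
ip dhcp excluded-address 192.168.10.250 192.168.10.255
!
ip dhcp database ftp://dhcp:secret@10.0.0.5/bindings-2811B write-delay 60 timeout 30
!
ip dhcp pool LAN-B
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 update arp
!
interface FastEthernet0/0
 ip address 192.168.10.3 255.255.255.0
 arp authorized
 standby 1 ip 192.168.10.1
 standby 1 priority 90
 standby 1 preempt
 standby 2 ip 192.168.10.254
 standby 2 priority 110
 standby 2 preempt
```

With this, a client leased by 2811B is sent to 192.168.10.254, which 2811B answers while it is up, so its ARP entry exists on the router that forwards for it. The limitation Giuseppe raises still applies: when 2811A fails and 2811B takes over VIP .1, 2811B has no authorized ARP entries for the clients 2811A leased, and the database agent does not give it any. `show ip dhcp binding`, `show arp` and `show standby brief` on both routers show which router holds which leases, entries and VIPs.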

iraira Tue, 08/05/2008 - 01:48

Many thx Giuseppe,

Sharing the DHCP database seems useful, but we have to face another issue, which is how we can "synchronize" or share the ARP resolution tables between both routers in such a manner that ARP requests are not blocked.

Could you help?

Thanks again.

Giuseppe Larosa Tue, 08/05/2008 - 04:44

Hello Inaki,

>> how can we "synchronize" or share the ARP resolution tables between both routers in such a manner that ARP requests are not blocked?

This is the problem.

I would suggest using IP Source Guard on the switch instead of this DHCP-based feature.

In this way you have an authorized device (by 802.1X) that gets a legitimate IP address from the DHCP server.

The switch will track the IP address and the MAC address on the switch port, and this is fine until the user swaps two LAN cables.

However, in this way you avoid the DHCP DB sync problem between the two routers.

You want legitimate users to authenticate, get an IP address, and stay with that IP address.

IP Source Guard + IP DHCP binding + Dynamic ARP Inspection on the switches should be enough to achieve these results, allowing for real redundancy at the router level.

Hope to help

Giuseppe
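Giuseppe's second suggestion (DHCP snooping, IP Source Guard and Dynamic ARP Inspection on the access switches, so the routers run plain HSRP with a single VIP and no authorized ARP) written out as Catalyst IOS configuration. This is an added example, not configuration posted in the thread. It assumes the 4507 runs IOS (a 4006 may run CatOS, where the commands differ), VLAN 10, uplinks Gi1/1 and Gi1/2 to the two 2811s, a trunk Gi1/3 to the other switch and user ports Gi2/1 to 2/48; the existing, working 802.1X port configuration is not repeated.

```cisco
! Assumed: Catalyst 4500 IOS, VLAN 10, uplinks Gi1/1-1/2 to the 2811s,
! trunk Gi1/3 to the other Catalyst, users on Gi2/1-48.
! The 802.1X configuration already in place on the user ports is not shown.
!
! DHCP snooping builds the IP/MAC/VLAN/port binding table that IPSG and DAI enforce.
ip dhcp snooping
ip dhcp snooping vlan 10
! The 2811s serve DHCP directly on this VLAN: do not insert option 82, because an
! IOS DHCP server drops option-82 packets with giaddr 0 unless told to trust them.
no ip dhcp snooping information option
!
! DAI: drop ARP on untrusted ports that does not match a snooping binding.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplinks toward the routers and the other switch: DHCP offers and ARP
! (including HSRP gratuitous ARP) arriving here are trusted.
interface GigabitEthernet1/1
 description uplink to 2811A
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/2
 description uplink to 2811B
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/3
 description trunk to the 4006
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User ports: after 802.1X, the client may only send from the IP it was leased,
! from the MAC it was leased to. A statically configured address has no binding
! and is dropped, whichever 2811 issued the lease and whichever one is HSRP active.
interface range GigabitEthernet2/1 - 48
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ! the port-security keyword adds MAC filtering and requires port security on
 switchport port-security
 switchport port-security maximum 1
 ip verify source vlan dhcp-snooping port-security
```

Checks: `show ip dhcp snooping binding` lists the lease each port is allowed to use, `show ip verify source` shows the IP/MAC filter installed per port, and `show ip arp inspection statistics vlan 10` counts dropped ARP. The binding is per port, which is the cable-swap case above: a laptop moved to another port is filtered until it releases and renews its lease. Bindings live in switch memory, so `ip dhcp snooping database` pointing at an external store is worth adding if the switches may reload while leases are still valid.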

iraira Wed, 08/06/2008 - 02:48

Thanks again, Giuseppe,

we are testing.

I'll let you know.
