Dynamic ARP Inspection

Unanswered Question
Mar 5th, 2009

Hi all,


We tried to use DAI on a switch. Our IP addresses are static.



Our problem is that after configuring DAI, no ping gets a response (ping between PC and switch or between PCs).


We have to set each port to "trust" and then change it back to "untrust" before we can ping.


And when a port has been blocked by DAI, we have to do the same thing so it can ping again.


dominic.caron Thu, 03/05/2009 - 07:01

Hi,


DAI uses the table built by DHCP snooping to accept or deny packets. In your case, since your hosts have static IP addresses, you need to build a filter yourself. I found this in a config guide:


S1(config)# arp access-list H2
S1(config-arp-nacl)# permit ip host 1.1.1.1 mac host 0001.0001.0001
S1(config-arp-nacl)# exit
S1(config)# ip arp inspection filter H2 vlan 1


I've implemented DAI and you need to use DHCP snooping. Manual ACLs are unmanageable after a while. This could help you push an all-DHCP hidden agenda.

harinirina Fri, 03/06/2009 - 03:07

Is there another technology which functions like DAI but on a network using static IPs?


There are too many PCs on the network; it will be difficult for us to create a filter for each IP/MAC.

gnijs Fri, 03/06/2009 - 05:04

If your boundary between DHCP and static is very clear (i.e. 1-240 DHCP, 241-250 static), you can put a DAI ACL on the switches to ignore DAI for IPs 241-250.

Of course, if the boundary changes, you'll need to adjust the ACL.


However, if your DHCP scopes are not contiguous or static IPs are random, then it is a real pain in the b**tt to deploy DAI. For me this is one MAJOR disadvantage of DAI and has already led to several cancelled implementations.


A possible way to work around this is to use DHCP with option 82. You can then assign a DHCP address to a switch port. Any device connected to that port will always receive the same DHCP IP address (a sort of "static" address). This will remove the DAI problems with static addresses.


Geert
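
The decision logic that the two replies above describe (an ARP ACL consulted first, then the DHCP snooping binding table, with trusted ports bypassing inspection altogether), written out as an added Python model. This is an illustration added here, not code from this thread or from Cisco: the VLAN, port names, IP and MAC addresses are constructed sample data, the `static` flag models the `static` keyword of `ip arp inspection filter`, and the 10.0.0.241-10.0.0.250 range stands in for Geert's "241-250 static" example.

```python
"""Model of how Dynamic ARP Inspection decides the fate of an ARP packet.

Added illustration, not Cisco code. All hosts, bindings and ACL entries below
are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    """Fields DAI looks at: ingress VLAN and port, sender IP and sender MAC."""
    vlan: int
    port: str
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class ArpAclEntry:
    """One line of an 'arp access-list': permit/deny, IP host or range, MAC host or any."""
    action: str                 # "permit" or "deny"
    ip_lo: str                  # 'host X' is modelled as ip_lo == ip_hi == X
    ip_hi: str
    mac: Optional[str] = None   # None models 'mac any'

    def matches(self, pkt: ArpPacket) -> bool:
        ip = IPv4Address(pkt.sender_ip)
        in_range = IPv4Address(self.ip_lo) <= ip <= IPv4Address(self.ip_hi)
        return in_range and (self.mac is None or self.mac == pkt.sender_mac)


class DaiSwitch:
    """Minimal model of DAI on an access switch (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self.inspected_vlans: Set[int] = set()
        self.trusted_ports: Set[str] = set()
        # (vlan, ip, mac) tuples, as the DHCP snooping binding table would hold them
        self.bindings: Set[Tuple[int, str, str]] = set()
        # vlan -> (ACL entries, whether the 'static' keyword was given)
        self.filters: Dict[int, Tuple[List[ArpAclEntry], bool]] = {}

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for one ARP packet, in DAI's order of checks."""
        if pkt.vlan not in self.inspected_vlans or pkt.port in self.trusted_ports:
            return "forward"            # trusted ports and uninspected VLANs bypass DAI
        entries, static = self.filters.get(pkt.vlan, ([], False))
        for entry in entries:           # ARP ACL is consulted first; first match wins
            if entry.matches(pkt):
                return "forward" if entry.action == "permit" else "drop"
        if static:
            return "drop"               # 'static': no fallback to the binding table
        if (pkt.vlan, pkt.sender_ip, pkt.sender_mac) in self.bindings:
            return "forward"            # IP/MAC pair learned by DHCP snooping
        return "drop"                   # unknown sender: the symptom in the original post


def run_scenarios() -> Dict[str, str]:
    """Walk the thread's situations with constructed hosts; returns the verdict per scenario."""
    sw = DaiSwitch()
    sw.inspected_vlans.add(1)
    static_pc = ArpPacket(1, "Fa0/1", "10.0.0.241", "0001.0001.0001")
    results: Dict[str, str] = {}

    # 1. DAI on, static host, empty binding table, no ACL: every ARP from the PC is dropped.
    results["static_no_acl"] = sw.inspect(static_pc)

    # 2. Port set to trust: inspection is skipped, so ARP (and then ping) works.
    sw.trusted_ports.add("Fa0/1")
    results["static_trusted"] = sw.inspect(static_pc)
    sw.trusted_ports.discard("Fa0/1")

    # 3. Per-host filter as in the config-guide snippet: permit only this IP with this MAC.
    sw.filters[1] = ([ArpAclEntry("permit", "10.0.0.241", "10.0.0.241", "0001.0001.0001")], False)
    results["static_host_acl"] = sw.inspect(static_pc)
    spoofer = ArpPacket(1, "Fa0/2", "10.0.0.241", "0002.0002.0002")
    results["spoofed_mac_same_ip"] = sw.inspect(spoofer)

    # 4. Range approach: permit .241-.250 with any MAC; everything else falls back to DHCP snooping.
    sw.filters[1] = ([ArpAclEntry("permit", "10.0.0.241", "10.0.0.250")], False)
    results["static_range_acl"] = sw.inspect(ArpPacket(1, "Fa0/3", "10.0.0.250", "0003.0003.0003"))
    dhcp_pc = ArpPacket(1, "Fa0/4", "10.0.0.17", "0004.0004.0004")
    results["dhcp_host_before_lease"] = sw.inspect(dhcp_pc)
    sw.bindings.add((1, "10.0.0.17", "0004.0004.0004"))   # snooping saw the DHCP ACK
    results["dhcp_host_after_lease"] = sw.inspect(dhcp_pc)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
```

Scenario 2 is also why the trust/untrust trick in the original post appears to work: while the port is trusted, ARP replies pass and populate the PCs' ARP caches, so pings keep succeeding after the port is set back to untrusted until those cache entries age out and a fresh ARP exchange is needed, which DAI drops again. Scenario 4 shows the trade-off of the range approach: the `mac any` entry lets any MAC claim an address in the static range, so spoofing within that range is no longer detected.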

harinirina Mon, 03/09/2009 - 00:12

Hi,


Could you give more information about assigning a DHCP address to a switch port?


How can we do this?

harinirina Thu, 03/12/2009 - 00:56

Hi,


We have enabled DHCP snooping; there's no longer a problem when using DAI without the filter.


However, we couldn't configure option 82; we don't know how to do it.


We use the switch as the DHCP server, and a show command says option 82 is enabled.


When we test its functionality by connecting two different PCs to one port, they get two different IP addresses.


We tried to configure "ip dhcp relay information check", and the following error appears:


"Can't configure relay information option processing while DHCP snooping is enabled"



What should be added on the switch?
