Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
952
Views
14
Helpful
6
Replies

Dynamic Arp Inspection

harinirina
Level 1
Level 1

‎03-05-2009 05:54 AM - edited ‎03-06-2019 04:24 AM

Hi all,

We tried to use DAI on a switch. Our IP address is static.

Our problem is that after configuring DAI, no ping responds (ping between PC and switch or between PCs).

We have to put each port as "trust" and then change it to "untrust" before we can ping.

And when port has been blocked by DAI, we have to the same thing so it can ping again.

Labels:
0 Helpful
6 Replies 6

dominic.caron
Level 5
Level 5

‎03-05-2009 07:01 AM

Hi,

DAI uses the table built by DHCP snooping to accept or deny packets. In your case, since your host have static ip adress, you need to build a filter by yourself. I found this in a config guide:

S1(config)# arp access-list H2

S1(config-arp-nacl)# permit ip host 1.1.1.1 mac host 0001.0001.0001

S1(config)# ip arp inspection filter H2 vlan 1

I've implemented DAI and you need to use DHCPsnooping. Manual ACL are unmanageable after a while. This could help you push a all DHCP hidden agenda.

harinirina
Level 1
Level 1
In response to dominic.caron

‎03-06-2009 03:07 AM

Is there other technologie which functions as DAI but on a network using static IP?

There's too many PCs on the network, it will be difficult for us to create filter for each IP/MAC.

0 Helpful

gnijs
Level 4
Level 4
In response to harinirina

‎03-06-2009 05:04 AM

If your boundary between dhcp and static is very clear (ie. 1-240 dhcp, 241-250 static), you can put an DAI ACL on the switches to ignore DAI for ips 241-250.

of course: if the boundary changes, you'll need to adjust the ACL.

However, if your dhcp scopes are not contigious or static ips are random, then it is a real pain in the b**tt to deploy DAI. For me this is one MAJOR disadvantage of DAI and has already led to several cancelled implementions.

A possible way to work around this is to use DHCP with option 82. You can then assign a dhcp address to a switch port. any device connected to that port, will always received the same dhcp ip address (sort of "static" address). this will remove the dai problems with statics....

Geert

harinirina
Level 1
Level 1
In response to gnijs

‎03-09-2009 12:12 AM

Hi,

Colud you give more information about assigning dhcp address to a switch port?

How can we do this?

0 Helpful

gnijs
Level 4
Level 4
In response to harinirina

‎03-09-2009 07:28 AM

First, your DHCP server needs to support it.

Second, more info here

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gdhcpopt.html

0 Helpful

harinirina
Level 1
Level 1
In response to gnijs

‎03-12-2009 12:56 AM

Hi,

We have enabled DHCP snooping, there's no more problem when using DAI without the filter.

However, we couldn't configure the option 82, we don't know how to it.

We use the switch as DHCP server, and a show tells option82 is enabled.

When we test its functionnality by connecting 2 differents PC on one port, they got 2 different IP address.

We tried to configure "ip dhcp relay information check", the following error appear :

"Can't configure relay information option processing while DHCP snooping is enabled"

What should be added on the switch?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card