DAI for PVLANs

Unanswered Question
Apr 29th, 2009

Dear all,


DAI combined with the DHCP snooping binding table secures against man-in-the-middle attacks by blocking ARP requests that are not in the binding table.


I am using DAI in combination with PVLANs; however, ARP entries do not flush even after the configured ARP timeout expires. This means DAI no longer works for me: when the DHCP binding table is flushed for a given MAC address, the ARP entry mapping still exists, so I can still communicate with the host on the other end of the PVLAN.


When I clear the ARP entry manually, DAI seems to function by disallowing a new MAC-IP mapping.


1- Sticky ARP has been disabled globally.

2- The port is definitely not trusted for either ARP or DHCP.


Any thoughts?


TIA


Sam
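The manual check Sam describes (comparing what is in the ARP table against what the DHCP snooping binding table still holds) can be scripted. The following is an added example, not code from the thread or from Cisco: it parses constructed sample output approximating "show ip arp" and "show ip dhcp snooping binding" and reports dynamic ARP entries whose IP/MAC pair has no live binding, which is exactly the stale state that lets traffic keep flowing after the binding expires.

```python
import re

# Constructed sample outputs (not from the thread). Formats are approximations
# of "show ip dhcp snooping binding" and "show ip arp" on a Catalyst switch.
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.1.1.10        85000       dhcp-snooping  101   FastEthernet1/0/1
00:AA:BB:CC:DD:EE   10.1.1.11        120         dhcp-snooping  101   FastEthernet1/0/2
Total number of bindings: 2
"""

ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0000.0c07.ac01  ARPA   Vlan100
Internet  10.1.1.10               3   0011.2233.4455  ARPA   Vlan100
Internet  10.1.1.11               9   00aa.bbcc.ddee  ARPA   Vlan100
Internet  10.1.1.12              14   0011.2233.4455  ARPA   Vlan100
Internet  10.1.1.13              40   0099.8877.6655  ARPA   Vlan100
"""

def norm_mac(mac):
    """Normalise 'aabb.ccdd.eeff' or 'AA:BB:CC:DD:EE:FF' to 'aabbccddeeff'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_bindings(text):
    """Return {ip: mac} for every binding line (header/footer lines are skipped)."""
    bindings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([0-9A-Fa-f:.]{12,17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+\d+", line)
        if m:
            bindings[m.group(2)] = norm_mac(m.group(1))
    return bindings

def parse_arp(text):
    """Return [(ip, mac, interface)] for dynamic entries only; the switch's own
    addresses show Age '-' and are not subject to DAI, so they are skipped."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+([0-9a-fA-F.]+)\s+ARPA\s+(\S+)", line)
        if m and m.group(2) != "-":
            entries.append((m.group(1), norm_mac(m.group(3)), m.group(4)))
    return entries

def stale_arp_entries(arp_text, binding_text):
    """ARP entries whose IP/MAC pair is not backed by a DHCP snooping binding.
    These are the entries DAI would reject if they were learned fresh."""
    bindings = parse_bindings(binding_text)
    return [(ip, mac, intf) for ip, mac, intf in parse_arp(arp_text)
            if bindings.get(ip) != mac]

if __name__ == "__main__":
    for ip, mac, intf in stale_arp_entries(ARP_OUTPUT, BINDING_OUTPUT):
        print(f"stale ARP entry: {ip} -> {mac} on {intf} (no binding)")
```

Feed it the real command output captured from the switch; any entry it reports is a candidate for "clear arp-cache" on that address until the underlying behaviour is fixed.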

Giuseppe Larosa Wed, 04/29/2009 - 04:17

Hello Sam,

DAI and DHCP snooping are usually proposed as an alternative to private VLANs.

If you use isolated secondary VLAN ports, what is the advantage of also using DAI?


That said, you are probably hitting a bug.


I see that the C3750 configuration guide declares support for DAI on private VLAN ports:


"Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports."


http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swdynarp.html


An IOS upgrade to the latest release could help.


Hope to help

Giuseppe


cisco_lad2004 Wed, 04/29/2009 - 04:24

Thanks Giuseppe!


I am using PVLANs to ensure my isolated hosts do not cross-talk at Layer 2. However, DAI and DHCP snooping are there to ensure no man in the middle communicates with the primary VLAN.


So the two functions or requirements are different.


But I agree, I can also smell a bug; I just need to be sure there are no restrictions on combining PVLANs with DAI that I have overlooked.


Sam
