DAI for PVLANs

cisco_lad2004
Level 5

Dear all,

DAI combined with DHCP snooping binding table secures against man in the middle by blocking ARP requests not in binding table.

I am using DAI in combination with PVLANs; however, ARP entries do not flush even after the configured ARP timeout expires. This means DAI no longer works for me: when the DHCP binding table is flushed for a given MAC address, the ARP entry mapping still exists... so I can still communicate with the host on the other end of the PVLAN.

When I clear the arp entry manually, DAI seems to function by disallowing a new MAC-IP mapping.

1-Sticky arp has been disabled globally.

2-port is definitely not trusted for either ARP or DHCP.

Any thoughts ?

TIA

Sam

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Sam,

DAI and DHCP snooping are usually proposed as an alternative to private VLANs.

If you use isolated secondary VLAN ports, what is the advantage of also using DAI?

Said this you are probably hitting a bug.

I see that the C3750 config guide declares support of DAI on private VLAN ports:

Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and >> private VLAN ports.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swdynarp.html

An IOS upgrade to last release could help.

Hope to help

Giuseppe

Thanks Giuseppe !

I am using PVLAN to ensure my isolated hosts do not cross-talk at the L2 layer. However, DAI and DHCP snooping are there to ensure no man in the middle communicates with the primary VLAN.

So the 2 functions or requirements are different.

But I agree, I can also smell a bug; I just need to be sure there are no restrictions when combining PVLAN with DAI that I have overlooked.

Sam
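Constructed illustration, added here and not code from the thread or from Cisco, of the two separate things being discussed: the per-packet check DAI performs against the DHCP snooping binding table (sender MAC/IP must match a current binding in that VLAN), and an audit of an already-learned ARP cache for entries no longer backed by a binding, which is the stale mapping Sam is clearing by hand. Binding fields, lease times and addresses are made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding (constructed sample; fields mirror what a
    'show ip dhcp snooping binding' entry carries)."""
    mac: str
    ip: str
    vlan: int
    expires_at: float  # lease end, epoch seconds


def active_bindings(table, now):
    """Bindings whose lease has not expired, keyed by (vlan, mac)."""
    return {(b.vlan, b.mac.lower()): b.ip for b in table if b.expires_at > now}


def dai_permit(arp, table, now):
    """DAI-style validation of an ARP packet from an untrusted port: the
    sender MAC/IP pair must match a current binding in the packet's VLAN."""
    key = (arp["vlan"], arp["sender_mac"].lower())
    return active_bindings(table, now).get(key) == arp["sender_ip"]


def stale_arp_entries(arp_cache, table, now):
    """ARP cache entries that no binding backs any more. DAI only inspects
    ARP packets in flight; it does not purge an entry the switch already
    learned, so these must be aged out or cleared separately."""
    live = active_bindings(table, now)
    return [e for e in arp_cache
            if live.get((e["vlan"], e["mac"].lower())) != e["ip"]]


# Constructed data: one binding on VLAN 100 whose lease ends at t=1000.
BINDINGS = [Binding("00aa.bbcc.0001", "10.0.0.5", 100, 1000.0)]
ARP_CACHE = [{"vlan": 100, "mac": "00aa.bbcc.0001", "ip": "10.0.0.5"}]
HOST_ARP = {"vlan": 100, "sender_mac": "00aa.bbcc.0001", "sender_ip": "10.0.0.5"}
MISMATCHED_ARP = {"vlan": 100, "sender_mac": "00aa.bbcc.0001", "sender_ip": "10.0.0.9"}

if __name__ == "__main__":
    print(dai_permit(HOST_ARP, BINDINGS, now=500))        # True: lease valid
    print(dai_permit(MISMATCHED_ARP, BINDINGS, now=500))  # False: IP not bound to MAC
    print(dai_permit(HOST_ARP, BINDINGS, now=1500))       # False: lease expired
    print(stale_arp_entries(ARP_CACHE, BINDINGS, now=1500))  # the leftover entry
```

After the lease expires, DAI already rejects new ARP from the pair, but the cached entry still resolves until it is aged out or cleared; the audit function lists exactly those entries.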
