DAI with 3750

Answered Question
Mar 26th, 2010

All,


I'd like you to check my thinking


We have Dell PowerConnect switches as our edge switches and they all connect to our core 3750. The router (Cisco 3745) also connects to the 3750. It's been asked what would happen if a user who was connected to an edge switch statically configured an address as the router's address. We have nothing in place to prevent that now. What I'm thinking of doing is configuring DAI on the 3750, adding a static ARP entry for the 3745 and configuring all of the uplinked edge switch ports as untrusted. If that would work, do I need to trust the port that connects to the router? Also, I'm a little unclear on ARP ACLs. Does that only allow that MAC address with that IP address on that port?


Thanks,

John

Edison Ortiz Fri, 03/26/2010 - 10:23

Hi John,


If the Dell switches are running L2 only, they won't have any ARP entry for directly connected devices, hence your solution of setting them as untrusted seems doable to me. Can you confirm that only the 3750 is doing IP-to-MAC mapping?



Regards


Edison

John Blakley Fri, 03/26/2010 - 12:03

Hey Edison,


"Can you confirm that only the 3750 is doing IP-to-MAC mapping?"



I'm not sure I understand what you mean... is there a certain command other than "sh arp"?


Thanks,

John

Edison Ortiz Fri, 03/26/2010 - 13:48

show ip arp

John Blakley Fri, 03/26/2010 - 14:13

Edison,


That's the same thing as show arp and yes, I have mappings on the 3750.


Thanks,

John

Edison Ortiz Fri, 03/26/2010 - 14:21

Then you should be fine with the untrusted design from the Dell switches.


Regards


Edison



Each time you rate a CSC  discussion we'll donate $1 to the American Red Cross Haiti fund up to a  maximum donation of $10,000 USD.

https://supportforums.cisco.com/docs/DOC-8895

John Blakley Mon, 03/29/2010 - 09:25

Edison,


This doesn't seem to be working as I thought it would. The router's IP address is 192.168.16.1. What I've configured so far is the following:


3550:

arp access-list ARP
 permit ip host 192.168.16.1 mac host 000b.fdc8.9ae0 log

ip arp inspection vlan 1
ip arp inspection vlan 1 logging arp-probe
ip arp inspection filter ARP vlan 1

int fa0/5 - connects to router
 ip arp inspection trust

int fa0/10 - connects to edge switch and is untrusted



I have a laptop connected to the Dell switch that connects to fa0/10 on the 3550. I've tried to configure a static address on the laptop, and the switch is reporting:


%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/10, vlan 1.([000d.56de.ae1e/192.168.16.15/0014.a8e0.8d00/192.168.16.5/01:04......


192.168.16.5 is the IP address of the VLAN 1 SVI on the switch. What I want to do is prevent a user from setting a static address on a device that conflicts with any major hardware like the L3 switch, router, ASA, etc. Is this doable? Maybe my config is off. If I trust the port that the edge switch connects to, the address takes effect, but I can then set my address to the same as my router's and I don't see dropped packets from "sh ip arp inspect stat".


Any ideas?


Thanks!

John Blakley Mon, 03/29/2010 - 09:35

I may have gotten closer. I changed my ACL to look like this:


arp access-list ARP
 permit ip host 192.168.16.1 mac host 000b.fdc8.9ae0 log
 deny ip host 192.168.16.1 mac any
 permit ip any mac any



Does that look right? It's at least logging now when I change the address on the laptop to the address of the router, and when I try to ping the address of the switch that the edge switch and my laptop are connected to, I get a failure log on the 3550. Looks like it's working now, but I want you to check my thinking.


Thanks!
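The behaviour John describes (the laptop's own ARP being denied with the first ACL, then passing with the second while the spoofed router address is still dropped) follows from how DAI evaluates an ARP ACL on an untrusted port: first matching entry wins, and a packet that matches no entry falls through to the DHCP snooping binding table unless the filter was applied with the static keyword. The following is an added example, not code from the thread or from Cisco: a small Python model of that decision order, fed with the two ACL versions posted above and the addresses from the posted log line. The port names Fa0/5 and Fa0/10, the "laptop" and "router" packets, and the empty DHCP snooping table are assumptions constructed for the demonstration; the model ignores rate limiting and the optional src-mac/dst-mac/ip validation checks.

```python
"""Simplified model of Cisco DAI ARP-ACL evaluation (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ArpAce:
    """One entry of an IOS 'arp access-list'; None stands for 'any'."""
    action: str
    ip: Optional[str]
    mac: Optional[str]

    def matches(self, sender_ip: str, sender_mac: str) -> bool:
        return (self.ip is None or self.ip == sender_ip) and \
               (self.mac is None or self.mac == sender_mac)


@dataclass(frozen=True)
class ArpPacket:
    port: str
    sender_ip: str
    sender_mac: str


@dataclass
class DaiVlanPolicy:
    acl: list
    trusted_ports: set
    dhcp_bindings: dict = field(default_factory=dict)  # sender ip -> mac learned by DHCP snooping
    static: bool = False  # 'ip arp inspection filter ... static' semantics

    def inspect(self, pkt: ArpPacket) -> tuple:
        """Return (verdict, reason) for an inbound ARP packet."""
        if pkt.port in self.trusted_ports:
            return "forward", "trusted port, not inspected"
        for ace in self.acl:  # first match wins, deny beats any DHCP binding
            if ace.matches(pkt.sender_ip, pkt.sender_mac):
                verdict = "forward" if ace.action == "permit" else "drop"
                return verdict, f"acl {ace.action}"
        if self.static:
            return "drop", "implicit deny (static filter)"
        if self.dhcp_bindings.get(pkt.sender_ip) == pkt.sender_mac:
            return "forward", "dhcp snooping binding"
        return "drop", "no matching acl entry and no dhcp snooping binding"


def parse_arp_acl(text: str) -> list:
    """Parse 'permit|deny ip (any|host A.B.C.D) mac (any|host H.H.H) [log]' lines."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue  # 'arp access-list' header or blank line
        if len(toks) < 5 or toks[1] != "ip" or "mac" not in toks:
            raise ValueError(f"unsupported entry: {line!r}")
        m = toks.index("mac")
        ip = None if toks[2] == "any" else toks[3]
        mac = None if toks[m + 1] == "any" else toks[m + 2]
        aces.append(ArpAce(toks[0], ip, mac))
    return aces


# The two ACL versions from the thread, as posted.
ACL_V1 = """
arp access-list ARP
 permit ip host 192.168.16.1 mac host 000b.fdc8.9ae0 log
"""
ACL_V2 = """
arp access-list ARP
 permit ip host 192.168.16.1 mac host 000b.fdc8.9ae0 log
 deny ip host 192.168.16.1 mac any
 permit ip any mac any
"""

# Constructed packets: the router on the trusted port, and the laptop (MAC taken
# from the posted log line) on the edge-switch uplink, once with its own static
# address and once claiming the router's address.
ROUTER = ArpPacket("Fa0/5", "192.168.16.1", "000b.fdc8.9ae0")
LAPTOP_STATIC = ArpPacket("Fa0/10", "192.168.16.15", "000d.56de.ae1e")
LAPTOP_SPOOF = ArpPacket("Fa0/10", "192.168.16.1", "000d.56de.ae1e")


def run_scenarios() -> dict:
    """Verdicts for each packet under both ACLs, plus the trusted-uplink variant."""
    results = {}
    for name, acl_text in (("v1", ACL_V1), ("v2", ACL_V2)):
        policy = DaiVlanPolicy(parse_arp_acl(acl_text), trusted_ports={"Fa0/5"})
        for label, pkt in (("router", ROUTER), ("laptop_static", LAPTOP_STATIC),
                           ("laptop_spoof", LAPTOP_SPOOF)):
            results[f"{name}/{label}"] = policy.inspect(pkt)[0]
    # Trusting the edge-switch uplink as well: nothing on it is inspected at all.
    trusted_uplink = DaiVlanPolicy(parse_arp_acl(ACL_V2), trusted_ports={"Fa0/5", "Fa0/10"})
    results["v2_trusted_uplink/laptop_spoof"] = trusted_uplink.inspect(LAPTOP_SPOOF)[0]
    return results


if __name__ == "__main__":
    for key, verdict in run_scenarios().items():
        print(f"{key:32s} {verdict}")
```

Under the first ACL the laptop's legitimate ARP matches nothing, has no DHCP snooping binding (its address is static), and is dropped, which is the DHCP_SNOOPING_DENY message in the log; the trailing permit in the second ACL is what lets it through. One consequence of that trailing permit worth knowing: no other host on the untrusted ports is ever checked against the DHCP snooping table, so the ACL alone is the whole policy.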

Correct Answer
Edison Ortiz Mon, 03/29/2010 - 09:53

Hi John,


Yes, that syntax is fine.


Regards


Edison


______


Each time you rate a CSC   discussion we'll donate $1 to the American Red Cross Haiti fund up to a   maximum donation of $10,000 USD.

https://supportforums.cisco.com/docs/DOC-8895

John Blakley Mon, 03/29/2010 - 09:56

Cool, so that ties the IP address to the router and will disallow anything else sourced from a different MAC with the same address... I like it.
