Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1056
Views
0
Helpful
9
Replies

DAI with 3750

Go to solution
John Blakley
VIP Alumni
VIP Alumni

‎03-26-2010 09:06 AM - edited ‎03-06-2019 10:20 AM

All,

I'd like you to check my thinking

We have Dell PowerConnect switches as our edge switches and they all connect to our core 3750. The router (Cisco 3745) also connects to the 3750. It's been asked what would happen if a user that was connected into an edge switch statically configured an address as the router's address. We have nothing in place to prevent that now. What I'm thinking of doing is configuring DAI on the 3750, add a static ARP entry for the 3745 and configure all of the uplinked edge switch ports as untrusted. If that would work, do I need to trust the port that connects to the router? Also, I'm a little unclear on arp acls. Does that only allow that mac address with that ip address on that port?

Thanks,

John

HTH, John *** Please rate all useful posts ***
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame
In response to John Blakley

‎03-29-2010 09:53 AM

Hi John,

Yes, that syntax is fine.

Regards

Edison

______

Each time you rate a CSC   discussion we'll donate $1 to the American Red Cross Haiti fund up to a   maximum donation of $10,000 USD.

https://supportforums.cisco.com/docs/DOC-8895

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎03-26-2010 10:23 AM

Hi John,

If the Dell switches are running L2 only, they won't have any ARP entry for directly connected devices hence your solution as setting them as untrusted seems doable to me. Can you confirm that only the 3750 is doing IP-to-MAC mapping?


Regards

Edison

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to Edison Ortiz

‎03-26-2010 12:03 PM

Hey Edison,

"Can you confirm that only the 3750 is doing IP-to-MAC mapping?"


I'm not sure I understand what you mean....is there a certain command other than "sh arp?"

Thanks,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame
In response to John Blakley

‎03-26-2010 01:48 PM

show ip arp

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to Edison Ortiz

‎03-26-2010 02:13 PM

Edison,

That's the same thing as show arp and yes, I have mappings on the 3750.

Thanks,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame
In response to John Blakley

‎03-26-2010 02:21 PM

Then, you should be fine with the unstrusted design from Dell switches..

Regards

Edison

Each time you rate a CSC  discussion we'll donate $1 to the American Red Cross Haiti fund up to a  maximum donation of $10,000 USD.

https://supportforums.cisco.com/docs/DOC-8895

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to Edison Ortiz

‎03-29-2010 09:25 AM

Edison,

This doesn't seem to be working as I thought it would. The router's ip address is 192.168.16.1. What I've configured so far is the following:

3550:

arp access-list ARP

          permit ip host 192.168.16.1 mac host 000b.fdc8.9ae0 log

ip arp inspection vlan 1

ip arp inspection vlan 1 logging arp-probe

ip arp inspection filter ARP vlan 1

int fa0/5 - connects to router

ip arp inspection trust

int fa0/10 - connects to edge switch and is untrusted

I have a laptop connected to the Dell switch that connects to fa0/10 on the 3550. I've tried to configure a static address on the laptop, and the switch is reporting:

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/10, vlan 1.([000d.56de.ae1e/192.168.16.15/0014.a8e0.8d00/192.168.16.5/01:04......

The 192.168.16.5 is the ip address of the vlan 1 svi on the switch. What I want to do is prevent a user from setting a static address on a device that conflicts with any major hardware like the L3 switch, router, ASA, etc. Is this doable? Maybe my config is off. If I trust the port that the edge switch connects to, the address takes effect, but I can then set my address to the same as my router and I don't see dropped packets from "sh ip arp inspect stat."

Any ideas?

Thanks!

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to John Blakley

‎03-29-2010 09:35 AM

I may have gotten closer. I changed my acl to look like this:

arp access-list ARP

          permit ip host 192.168.16.1 mac  host 000b.fdc8.9ae0 log

          deny ip host 192.168.16.1 mac any

          permit ip any mac any

Does that look right?? It's at least logging when I change the address on the laptop now to the address of the router, and when I try to ping the address of the switch that the edge and my laptop are connected to, I get a failure log on the 3550. Looks like it's working now, but I want you to check my thinking

Thanks!

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame
In response to John Blakley

‎03-29-2010 09:53 AM

Hi John,

Yes, that syntax is fine.

Regards

Edison

______

Each time you rate a CSC   discussion we'll donate $1 to the American Red Cross Haiti fund up to a   maximum donation of $10,000 USD.

https://supportforums.cisco.com/docs/DOC-8895

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to Edison Ortiz

‎03-29-2010 09:56 AM

Cool, so that ties the ip address to the router and will disallow anything else sourced from a different mac with the same address....I like it

HTH, John *** Please rate all useful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card