
DAI for PVLANs

Dear all,

DAI combined with the DHCP snooping binding table secures against man-in-the-middle attacks by blocking ARP requests that are not in the binding table.

I am using DAI in combination with PVLANs; however, ARP entries do not flush even after the configured ARP timeout expires. This means DAI no longer works for me: when the DHCP binding table is flushed for a given MAC address, the ARP entry mapping still exists, so I can still communicate with the host on the other end of the PVLAN.

When I clear the ARP entry manually, DAI seems to function by disallowing a new MAC-IP mapping.

1. Sticky ARP has been disabled globally.

2. The port is definitely not trusted for either ARP or DHCP.

Any thoughts ?

TIA

Sam
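As an added example (not part of Sam's post or Cisco's documentation), here is the shape of a Catalyst IOS configuration matching what the post describes: DHCP snooping and DAI on a primary/isolated private VLAN pair, the host port untrusted for both features, sticky ARP disabled globally, and the show commands used to compare the binding table with the switch ARP cache. The VLAN numbers (100 primary, 101 isolated), interface names, addresses and the ARP timeout value are assumptions; whether DHCP snooping and DAI configured on the primary VLAN propagate to the secondary VLAN depends on the IOS release, so check the guidelines for your platform.

```cisco
! Added example (assumed VLAN 100 = primary, VLAN 101 = isolated secondary)
! Global: enable DHCP snooping and DAI on the PVLAN pair, disable sticky ARP
ip dhcp snooping
ip dhcp snooping vlan 100,101
ip arp inspection vlan 100,101
! Optional: also check ARP body fields against the Ethernet header
ip arp inspection validate src-mac dst-mac ip
no ip sticky-arp
!
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! SVI for the primary VLAN; ARP cache timeout in seconds (assumed value)
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
 private-vlan mapping 101
 arp timeout 300
!
! Isolated host port: untrusted for DHCP and ARP (the defaults), so every
! ARP packet from the host is checked against the snooping binding table
interface GigabitEthernet1/0/1
 description isolated host port
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 no ip dhcp snooping trust
 no ip arp inspection trust
!
! Promiscuous port towards the DHCP server and gateway: trusted, so DHCP
! offers and gateway ARP replies are not dropped by snooping/DAI
interface GigabitEthernet1/0/24
 description promiscuous uplink to DHCP server and router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification from exec mode:
! show ip dhcp snooping binding               leases DAI will accept, with lease time left
! show ip arp inspection vlan 100             DAI state and validation options per VLAN
! show ip arp inspection statistics vlan 100  forwarded / dropped / DHCP-drop counters
! show ip arp                                 switch ARP cache; compare entry age with arp timeout
! clear ip arp 10.0.100.50                    flush one cached entry by hand (assumed host address)
```

The symptom in the post is visible by comparing the first and fourth show commands: once a host's entry has left `show ip dhcp snooping binding`, its entry in `show ip arp` should age out within the configured `arp timeout`; an entry that persists past that while `no ip sticky-arp` is set is the behaviour being reported.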

3 REPLIES

Re: DAI for PVLANs

Hello Sam,

DAI and DHCP snooping are usually proposed as an alternative to private VLANs.

If you use isolated secondary VLAN ports, what is the advantage of also using DAI?

That said, you are probably hitting a bug.

I see that the C3750 configuration guide declares support for DAI on private VLAN ports:

"Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports."

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swdynarp.html

An IOS upgrade to the latest release could help.

Hope this helps

Giuseppe

Re: DAI for PVLANs

Thanks Giuseppe!

I am using PVLANs to ensure my isolated hosts do not cross-talk at Layer 2. However, DAI and DHCP snooping are there to ensure no man-in-the-middle communicates with the primary VLAN.

So the two functions or requirements are different.

But I agree, I can also smell a bug; I just need to be sure there are no restrictions on combining PVLANs with DAI that I have overlooked.

Sam
