Dynamic ARP Inspection - does it check port in the binding database?

SJ K
Level 5

Hi all,

It is mentioned that DAI checks for the correct IP/MAC combination using the DHCP binding database.
It is also mentioned that DAI is turned on for an entire VLAN and not on a per-port basis.

q1) If PCA (macA, ipA) was originally connected to port1 (binding: macA, ipA, port1) and PCA was relocated to port2 with its original macA, ipA:

Will DAI take the port into consideration when checking the binding in the database? Will DAI block PCA now, since it is on port2 (PCA's macA, ipA still remain the same)?

q2) What's the point of having DAI when we can enable IP Source with port security?

Regards,

Noob

6 Replies

Rich Uline
Level 1

SJ,

 

DAI allows or disallows ARP packets based on the IP-to-MAC binding in the trusted database, which is built via DHCP snooping, or an ACL. As the name implies, DAI is only concerned with ARP traffic. DAI will therefore not usually block a port, only ARP packets received on that port. The port may be placed into the error-disabled state only if the ARP rate limit is exceeded.

To expand on your scenario a bit, when a workstation configured for DHCP is moved from one port to another it needs to be disconnected. After it is reconnected, the workstation will verify that its DHCP address is still valid. This new DHCP assignment (or re-assignment) will be snooped by the switch and the IP-to-MAC binding will be entered into the trusted database. DAI will then allow valid ARP packets based on the new information. If the workstation is configured with a static IP address, then DAI will have needed an ACL to work in the first place, and this ACL will not have changed as neither the IP nor the MAC address changed.

DAI, IP Source Guard, and port-security are three different tools used to enforce security. DAI validates IP-to-MAC binding, IP Source Guard validates IP-to-switchport binding, and port-security validates MAC-to-switchport binding. They are all different and it is up to your organization to determine the acceptable level of risk and administrative overhead.

Hi Thepaan01,

Thanks for your precise explanation.

I made an experiment earlier with ARP inspection on + a PC with a static IP. The PC cannot send traffic as it did not have a binding in the DHCP binding database.

Then I added a static binding for the PC using 'ip source binding' and the traffic went through.

q1) Does DAI check the ip source binding table or the DHCP snooping binding table? Is there any difference between the 2?

q2) If adding a static entry into the ip source binding table works for DAI, what would be the benefit of using an ACL instead?

=======================

For IP Source Guard with "port-security", I read that option 82 needs to be turned on. Why is that so? I read about it but I could not understand the part whereby the switch needs to get back to the Host.

q3) Wouldn't the switch already have the Host's MAC address when the Host first makes its DHCP request?

Really looking forward to seeing your advice.

 

Thank you!

SJ,

 

The trusted database built from DHCP snooping is the same entity used by both DAI and IP Source Guard.

 

As you demonstrated in your scenario, 'ip source binding [MAC] vlan [VLAN] [IP] int [interface]' creates a static binding in the trusted database. The database can be used by either DAI or Source Guard.

  -  Source Guard dynamically creates a PACL from the trusted database and applies it to the interface. You can manually create a PACL and apply it to the interface instead.

  -  DAI permits or blocks ARP traffic internally on the switch because ARP traffic cannot be blocked by a PACL. Using an ARP ACL in this case is just an alternative to a static trusted database entry. One reason I can think of why it may be better to use an ARP ACL is compartmentalization. By separating static and dynamic entries, you reduce the chances that changes to one will impact the other.

 

When Source Guard is enabled, the switch does not learn the MAC address of the connected device until a DHCP address is assigned. DHCP option 82 is used by the switch to store port information so that it knows where to send the DHCP offer and acknowledgement.
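As an added example (not configuration from this thread, and not taken from Cisco documentation), the two ways of handling a static-IP host discussed above side by side: a static entry in the trusted database that DHCP snooping also populates, and a separate ARP ACL that DAI consults before the snooping database, together with IP Source Guard plus port-security on the access port. VLAN 10, the interface names and the MAC/IP values are constructed.

```cisco
! Added example, not the thread's own config. VLAN, interfaces, MAC and IP
! values are constructed placeholders.
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option
!
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the DHCP server: trusted for snooping and for DAI
interface GigabitEthernet1/0/48
 description uplink-to-distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access port: untrusted (default). Only the ARP rate limit can err-disable it.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ip arp inspection limit rate 15
 ip verify source port-security
!
! Option A: static entry in the same trusted database that DHCP snooping
! fills (what SJ did); used by both DAI and IP Source Guard.
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface GigabitEthernet1/0/1
!
! Option B: keep static hosts out of the snooping database and validate
! their ARP with a separate ARP ACL (the compartmentalization Rich describes).
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.51 mac host 0011.2233.4456
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Verification (exec mode)
! show ip dhcp snooping binding
! show ip source binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip verify source
```

The static binding in option A is needed by IP Source Guard as well as DAI, whereas the ARP ACL in option B only satisfies DAI, so a static-IP host behind 'ip verify source' still needs a trusted database entry.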

Hi thepaan01,


Glad to see you're around, and thank you for your reply.

"When Source Guard is enabled, the switch does not learn the MAC address of the connected device until a DHCP address is assigned. DHCP option 82 is used by the switch to store port information so that it knows where to send the DHCP offer and acknowledgement."

Can I check: if just "port-security with dynamic learning" alone is turned on, is the Host's MAC address inserted into the CAM table upon the first DHCP request?

Why does the behaviour change (need to wait until a DHCP lease is acquired) when IP Source Guard + port security is turned on? Would there be any difference?

 

Regards,

Noob

SJ,


We're getting quite deep into the nitty-gritty here. :)
With IP Source Guard enabled, all IP traffic is initially blocked except for DHCP traffic. The mechanism by which this blocking occurs is by changing the behavior of MAC learning. If the switch were to learn the MAC address before a DHCP address was assigned (or a static binding was entered in the trusted database), then an attacker could simply statically assign their rogue host an IP and begin communicating on the local segment. The blocking is removed when the PACL is dynamically created and applied to the interface - when the trusted database is updated with either a static binding or one learned via DHCP snooping.

 

If you want to check it, I think the following procedure would work.
First, enable logging and create an access list to match DHCP packets.

Swx1#conf t
Swx1(config)#service timestamps debug
Swx1(config)#service timestamps log
Swx1(config)#logging mon 7
Swx1(config)#logging con 7
Swx1(config)#ip access-list extended 100
Swx1(config-ext-nacl)#10 permit ip host 0.0.0.0 host 255.255.255.255
Swx1(config-ext-nacl)#end
Swx1#wr

Then, request the monitor and enable relevant debugging.

Swx1#term mon
Swx1#debug ip packet detail 100
Swx1#debug matm add

Finally, connect your host and observe the messages.

 

Hello

 

q1) If PCA (macA, ipA) was originally connected to port1 (binding: macA, ipA, port1) and PCA was relocated to port2 with its original macA, ipA:

Will DAI take the port into consideration when checking the binding in the database? Will DAI block PCA now, since it is on port2 (PCA's macA, ipA still remain the same)? - YES, it will get blocked unless the snooping D/B is changed due to the relocation, or you apply a static DAI filter, as this is checked before the switch checks the snooping D/B.

q2) What's the point of having DAI when we can enable IP Source with port security?
DAI is a Layer 2 feature; IPSG is L3.

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul