New Member

Dynamic Arp Inspection

Hi all,

We tried to use DAI on a switch. Our IP addresses are static.

Our problem is that after configuring DAI, no ping gets a response (ping between a PC and the switch, or between PCs).

We have to set each port to "trust" and then change it back to "untrust" before we can ping.

And when a port has been blocked by DAI, we have to do the same thing so it can ping again.

6 REPLIES

Re: Dynamic Arp Inspection

Hi,

DAI uses the table built by DHCP snooping to accept or deny packets. In your case, since your hosts have static IP addresses, you need to build a filter yourself. I found this in a config guide:

S1(config)# arp access-list H2
S1(config-arp-nacl)# permit ip host 1.1.1.1 mac host 0001.0001.0001
S1(config-arp-nacl)# exit
S1(config)# ip arp inspection filter H2 vlan 1

I've implemented DAI, and you need to use DHCP snooping. Manual ACLs are unmanageable after a while. This could help you push an all-DHCP hidden agenda.

New Member

Re: Dynamic Arp Inspection

Is there another technology that functions like DAI but on a network using static IPs?

There are too many PCs on the network; it will be difficult for us to create a filter for each IP/MAC.

Bronze

Re: Dynamic Arp Inspection

If your boundary between DHCP and static is very clear (i.e. 1-240 DHCP, 241-250 static), you can put a DAI ACL on the switches to ignore DAI for IPs 241-250.

Of course, if the boundary changes, you'll need to adjust the ACL.

However, if your DHCP scopes are not contiguous or static IPs are random, then it is a real pain in the b**tt to deploy DAI. For me this is one MAJOR disadvantage of DAI and has already led to several cancelled implementations.

A possible way to work around this is to use DHCP with option 82. You can then assign a DHCP address to a switch port. Any device connected to that port will always receive the same DHCP IP address (a sort of "static" address). This will remove the DAI problems with statics....

Geert
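As an added example, not from either poster above, here is a complete IOS configuration that combines the two approaches discussed in this thread: DHCP snooping bindings cover the DHCP clients, and an ARP ACL covers the statically addressed hosts, both as a single host/MAC entry (the config-guide form in the first reply) and as an address range (the "static block" Geert describes). VLAN 10, the interface names, the 192.168.10.0/24 addressing, the MAC address, the ACL name and the errdisable recovery timer are all assumptions.

```cisco
! Constructed example: VLAN 10, Gi0/1 is the uplink towards the DHCP server,
! Gi0/2-24 are access ports, 192.168.10.240-255 is reserved for static hosts.
!
! 1. DHCP snooping builds the IP/MAC/VLAN/port binding table that DAI consults.
ip dhcp snooping
ip dhcp snooping vlan 10
! Keep the bindings across a reload so DAI does not start with an empty table.
ip dhcp snooping database flash:dhcp-snoop.db
!
! 2. The uplink is trusted for both snooping (DHCP offers arrive here) and DAI.
interface GigabitEthernet0/1
 description uplink to core / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! 3. Access ports stay untrusted; 15 pps is the default DAI rate limit,
!    stated explicitly so it is visible in the running config.
interface range GigabitEthernet0/2 - 24
 description untrusted access ports
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! 4. ARP ACL for hosts that never appear in the snooping table.
!    One exact IP/MAC pair, plus a wildcard-mask range with "mac any".
arp access-list STATIC-HOSTS
 permit ip host 192.168.10.250 mac host 0011.2233.4455
 permit ip 192.168.10.240 0.0.0.15 mac any
!
! 5. Enable DAI on the VLAN and attach the ACL. Without the "static" keyword,
!    packets that match no permit entry fall through to the snooping bindings,
!    so DHCP clients and static hosts coexist on the same VLAN.
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 6. Ports that DAI shuts down (rate-limit exceeded) recover on their own
!    instead of needing the trust/untrust toggle described in the question.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verification (exec mode)
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection interfaces
! show ip arp inspection statistics vlan 10
```

Two caveats for anyone copying this. A wildcard mask cannot express exactly .241-.250; 192.168.10.240 0.0.0.15 admits .240 through .255, so size the static block to a power-of-two boundary or list the hosts individually. And the snooping table is only populated by DHCP exchanges the switch sees after snooping is enabled, so existing clients must renew their leases (or be reconnected) before DAI will pass their ARP traffic on untrusted ports; until then the symptom looks exactly like the one in the original question.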

New Member

Re: Dynamic Arp Inspection

Hi,

Could you give more information about assigning a DHCP address to a switch port?

How can we do this?

Bronze

Re: Dynamic Arp Inspection

First, your DHCP server needs to support it.

Second, there is more info here:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gdhcpopt.html

New Member

Re: Dynamic Arp Inspection

Hi,

We have enabled DHCP snooping; there is no more problem when using DAI without the filter.

However, we couldn't configure option 82; we don't know how to do it.

We use the switch as the DHCP server, and a show command reports that option 82 is enabled.

When we test its functionality by connecting two different PCs to one port, they get two different IP addresses.

We tried to configure "ip dhcp relay information check", and the following error appears:

"Can't configure relay information option processing while DHCP snooping is enabled"

What should be added on the switch?
