I've had DHCP snooping running for a few days now at a remote site and can see the DHCP snooping database is populated. I have turned on DAI for their VLAN and added a filter list for static IPs for things like printers. However I'm getting a few:
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res)
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req)
From a couple of IPs. I'm trying to find out what these devices are, but in your experience, as they are not in the snooping binding database, would you think they are statically assigned? If so it is weird, as they have an IP address that is part of the DHCP scope.
Is your DHCP scope exhausted so that addresses are being re-used very quickly? Really short lease time?
Maybe MAC1 is bound to address IP1 but MAC1 has released it and MAC2 has now gotten it?
Or, someone statically defined those addresses and didn't realize it was from the DHCP pool? I've used DAI and DHCP snooping quite a bit and only have problems when static IP addresses were assigned or when VLAN assignments were done incorrectly.
Yeah, we seem to have a class C scope with more than enough available and a one-day lease too.
How long do you normally leave the DHCP snooping binding database before enabling DAI for the VLAN?
I've been doing them simultaneously during switch refreshes. We've deployed ~200 switches without much issue.
Have you verified that the errors are coming from machines that are definitely DHCP?
I've been trying to find out without asking, just in case it is a non-corp PC. How do you approach that one?
Also, if an invalid ARP is detected, should it block the port from sending or just alert?
We typically don't allow non-corp machines on the network. I would just ask to check. Or your DHCP server should have a MAC address associated with each lease. You can check that association to see that it matches what's seen on the switch.
If an invalid ARP is seen, the switch drops it by default. I've just left that alone. I don't remember if you can set it to only alert.
In places that we use DAI, all interfaces are shut that are not in use. They cannot be enabled without an approved request. We also use port security to limit MAC addresses to 1 in most places, depends on if there is a phone or not.
There is also re-enforced policy that people cannot bring their own devices nor can they allow vendors to connect their devices. Visitor/Guest networks are provided for BYOD and vendors, for which access is easily requested and granted. Wireless guest network is secured by having anchor controllers in a specific DMZ so that the traffic is tunneled through our network.
In another division, we use Cisco NAC for access control. I'm not a big fan of this product, but it does keep people out. Lots of ongoing upkeep and operational cycles. I think NAC products in general are inherently difficult to implement and manage.
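The checks suggested above (compare the IP seen in the DAI deny message against the snooping binding table and against the DHCP server's lease record, then decide whether it is lease churn, a MAC mismatch, or a static address inside the pool) can be scripted. The following is an added example and not code from the thread: it parses constructed `show ip dhcp snooping binding` output, a constructed `ip,mac` lease export from the DHCP server, and constructed DAI syslog lines, and gives each denied ARP a verdict. The bracketed detail part of the syslog line (`[sender-mac/sender-ip/target-mac/target-ip/time]`) is an assumed format, since the thread only shows the truncated message prefix, and the lease export format is also an assumption; adapt both regexes to your own output.

```python
"""Triage %SW_DAI-4-DHCP_SNOOPING_DENY events against the DHCP snooping
binding table and the DHCP server's lease list (added example, constructed data)."""
import re

# Constructed sample of 'show ip dhcp snooping binding' output.
SNOOPING_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:01   192.168.10.21    85300       dhcp-snooping  10    GigabitEthernet1/0/3
00:11:22:33:44:02   192.168.10.22    12          dhcp-snooping  10    GigabitEthernet1/0/4
"""

# Constructed DHCP server lease export as ip,mac lines (format assumed).
SERVER_LEASES = """\
192.168.10.21,00:11:22:33:44:01
192.168.10.22,00:11:22:33:44:02
192.168.10.23,00:11:22:33:44:03
"""

# Constructed DAI syslog lines; the [sender-mac/sender-ip/...] detail format is assumed.
DAI_LOG = """\
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/4, vlan 10.([0011.2233.44aa/192.168.10.22/0000.0000.0000/0.0.0.0/10:52:44 UTC Tue Nov 5 2013])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi1/0/7, vlan 10.([0011.2233.4403/192.168.10.23/0011.2233.4401/192.168.10.21/10:53:01 UTC Tue Nov 5 2013])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/9, vlan 10.([0011.2233.4499/192.168.10.99/0000.0000.0000/0.0.0.0/10:53:09 UTC Tue Nov 5 2013])
"""

BINDING_RE = re.compile(
    r"^\s*([0-9A-Fa-f:.]{12,17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)")
DAI_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: \d+ Invalid ARPs \((Req|Res)\) on (\S+), vlan (\d+)"
    r"\.\(\[([0-9A-Fa-f.]+)/(\d+\.\d+\.\d+\.\d+)/")


def norm_mac(mac: str) -> str:
    """Normalise 0011.2233.4455 / 00:11:22:33:44:55 / 00-11-22-33-44-55 to one form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_bindings(text: str) -> dict:
    """Map IP -> (mac, vlan, interface) from the snooping binding table."""
    out = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            out[m.group(2)] = (norm_mac(m.group(1)), int(m.group(3)), m.group(4))
    return out


def parse_leases(text: str) -> dict:
    """Map IP -> mac from the DHCP server's lease export."""
    out = {}
    for line in text.splitlines():
        if "," in line:
            ip, mac = (f.strip() for f in line.split(",", 1))
            out[ip] = norm_mac(mac)
    return out


def parse_dai(text: str) -> list:
    """Extract (kind, interface, vlan, sender_mac, sender_ip) from each deny line."""
    events = []
    for line in text.splitlines():
        m = DAI_RE.search(line)
        if m:
            events.append({"kind": m.group(1), "interface": m.group(2),
                           "vlan": int(m.group(3)), "sender_mac": norm_mac(m.group(4)),
                           "sender_ip": m.group(5)})
    return events


def verdict(ev: dict, bindings: dict, leases: dict) -> str:
    """Decide why DAI rejected this sender IP/MAC pair."""
    ip, mac = ev["sender_ip"], ev["sender_mac"]
    if ip in bindings:
        bmac, bvlan, biface = bindings[ip]
        if bmac != mac:
            return "mac_mismatch_vs_binding"      # lease churn, or another host using the IP
        return "binding_matches_check_vlan_port"  # same IP/MAC but seen elsewhere than bound
    if ip in leases:
        if leases[ip] == mac:
            return "lease_missing_from_snooping_db"  # server issued it; switch never saw it
        return "mac_mismatch_vs_server_lease"
    return "no_lease_probable_static"             # inside the pool but never leased


def triage(dai_log: str, binding_text: str, lease_text: str) -> list:
    """Attach a verdict to every DAI deny event."""
    bindings, leases = parse_bindings(binding_text), parse_leases(lease_text)
    return [dict(ev, verdict=verdict(ev, bindings, leases)) for ev in parse_dai(dai_log)]


if __name__ == "__main__":
    for r in triage(DAI_LOG, SNOOPING_BINDING, SERVER_LEASES):
        print(f"{r['interface']:<9} vlan {r['vlan']:<4} {r['sender_ip']:<15} "
              f"{r['sender_mac']}  {r['verdict']}")
```

The `no_lease_probable_static` verdict is the case the original question asks about: the address falls inside the scope, yet neither the switch nor the DHCP server has a lease for it, so it was most likely configured by hand. A `lease_missing_from_snooping_db` result points at a lease handed out before snooping was enabled, which is the usual argument for letting the binding database fill for at least one lease period before turning DAI on.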
Hi, we use DAI and snooping. I did shut down unused ports and put them into an unused VLAN, but the 1st/2nd line guys were always asking me to open a port up as someone was moving around, and we have many remote offices too, so it became an admin headache. I lock the ports down to 1 MAC also. We are introducing VoIP soon and these will be soft phones (USB headsets) and desk phones; do I just need to increase the MAC limit to 2?
We don't use the soft phones and I don't remember what you need to set for those. It may only be 2.
For the desk phones, you need to set it to 3: one for the PC, one for the phone and a third for the internal switch on the phone. When you check the interface, the MAC address of the phone will show up on 2 different VLANs.