01-28-2014 12:50 PM - edited 03-07-2019 05:51 PM
All,
After testing IPSG, I noticed that an arp response is received on a port with SG enabled. Being that arp is (debatedly) L2, I can ping the workstation that doesn't have a binding in the dhcp database or static source bindings and I get a single response back. The others are lost which is what I expect. Is this normal being that SG is for IP? I'm trying to keep rogue, statically assigned addresses from answering arp requests and causing an outage for hosts. DAI is going to be a pain to keep up with, so I've decided against that.
*** Edit ***
I was able to get the initial arp response to stop by implementing dai. Is there a way to keep the initial arp response from happening without dai though?
Thanks!
John
01-28-2014 01:44 PM
Hello
IPSG can be applied with either IP filtering or IP & MAC filtering.
(IP filtering references the DHCP snooping DB and only checks the IP address, not the MAC address which is bound to the IP.)
r1
int fa0/0
mac-address 0000.1111.1111
ip address 10.1.1.1 255.255.255.0
sw1
ip dhcp snooping
ip dhcp snooping vlan 10
ip source binding 0000.1111.1111 vlan 10 10.1.1.1 int fa0/1
int fa0/1
ip verify source
sh ip source binding
(IP & MAC filtering references the DHCP snooping DB and checks both the IP address and the MAC address which is bound to the IP, allowing L2/L3 filtering on an L2 interface.)
sw1
ip dhcp snooping
ip dhcp snooping vlan 10
ip source binding 0000.1111.1111 vlan 10 10.1.1.1 int fa0/1
int fa0/1
switchport port-security
ip verify source port-security
sh ip source binding
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
01-28-2014 02:49 PM
Paul,
Yeah, this works, but due to the dynamic nature of this one location, I can't enable port security. (I should've mentioned that in the original post.)
Thanks!
John
01-29-2014 06:10 AM
Hello John
My understanding is that IPSG IP & MAC address filtering can only be activated with switchport port-security also enabled?
Otherwise static DAI without validating with the DHCP snooping DB is another scenario?
arp access-list DAI
permit ip host 10.1.1.1 mac host 0000.1111.1111
ip arp inspection filter DAI vlan 10 static
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
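As an added example (not Paul's or John's config, and not from this thread), here is a complete DHCP snooping plus DAI configuration on the switch for the setup discussed above. It assumes VLAN 10, the static host 10.1.1.1 / 0000.1111.1111 on Fa0/1, and an uplink on Gi0/1 toward the DHCP server; interface names and the ACL name STATIC-HOSTS are assumptions. The point it shows is the difference the "static" keyword makes: without it, an ARP packet that matches no ACL line is still checked against the DHCP snooping bindings, so DHCP clients keep working while the static host is covered by the ACL.

```cisco
! Added example, not from this thread. Assumes VLAN 10, static host
! 10.1.1.1 / 0000.1111.1111 on Fa0/1, uplink Gi0/1 toward the DHCP server.
!
! DHCP snooping builds the binding DB that DAI (and IPSG) consult.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Hosts that never use DHCP get explicit ARP ACL entries.
arp access-list STATIC-HOSTS
 permit ip host 10.1.1.1 mac host 0000.1111.1111
!
! DAI on VLAN 10. The ACL is applied WITHOUT the "static" keyword, so a
! packet that matches no ACL line falls through to the DHCP snooping DB.
! With "static", unmatched packets are dropped and the DB is never used.
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the DHCP server / other switches: trusted for both
! snooping and DAI so DHCP offers and upstream ARP replies are not dropped.
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted (the default) with the default ARP rate
! limit, so a host flooding ARP is err-disabled instead of taking the
! switch CPU with it.
interface FastEthernet0/1
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! Verification:
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip dhcp snooping binding
```

The trust settings on the uplink matter as much as the ACL: with DHCP snooping and DAI enabled, an untrusted uplink drops the DHCP offers and ARP replies that arrive from the rest of the network, which looks like an outage rather than a filtering problem.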
01-29-2014 07:00 AM
Paul,
That's true. Mac address checks only happen if port security is also enabled. The problem that I'm going to run into with dai is that a user could be docked at their desk, then take their computer to another conference room which could be on a different switch. Then they could leave that room and go out into the warehouse and connect there which could be on another switch. I thought about trusting all of the ports that led to conference rooms, but that kind of negates the purpose of having arp inspection enabled to begin with.
I'm rereading your post... doesn't the static option tell DAI to only use the ARP ACL instead of the DHCP database? If that means that it will only inspect that single host and nothing else, that may be the fix. I'm not in the office today, so I won't be able to lab this up until tomorrow.
Thanks,
John
01-29-2014 07:11 AM
Hello John
Yes, that's my understanding - even with DHCP snooping enabled, DAI will check for static entries prior to going to the DHCP DB.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
01-29-2014 07:18 AM
Cool..I'll post with the results tomorrow.
Thanks!
John
01-30-2014 11:41 AM
Paul,
I labbed a couple of other scenarios up. It looks like DAI by itself will work. The static arp acl will break our design though just because it doesn't fall over to the snooping db. I tested the "ideal scenario" by creating a dhcp scope on a 3750 and uplinking another 3750 to it. Then I put my host on the 2nd 3750 and pulled an address. I then moved the host to the first 3750, which didn't have a binding table yet, and I was still able to pass traffic, so it looks like it won't be as bad as once thought. I'm still going to play around with a couple of other ideas, but so far this is what I have.
Thanks!
John
01-30-2014 12:02 PM
Hello John
Nice to hear!
All the best
Res
Paul