Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

IP Source Guard Clarification

All,

After testing IPSG, I noticed that an arp response is received on a port with SG enabled. Being that arp is (debatedly) L2, I can ping the workstation that doesn't have a binding in the dhcp database or static source bindings and I get a single response back. The others are lost which is what I expect. Is this normal being that SG is for IP? I'm trying to keep rogue, statically assigned addresses from answering arp requests and causing an outage for hosts. DAI is going to be a pain to keep up with, so I've decided against that.

*** Edit ***

I was able to get the initial arp response to stop by implementing dai. Is there a way to keep the initial arp response from happening without dai though?

Thanks!

John

HTH, John *** Please rate all useful posts ***
1 ACCEPTED SOLUTION

Accepted Solutions

Re: IP Source Guard Clarification

Hello John

My understanding is that IPSG ip & mac address filtering can only be actived by switchport security also enabled?

Otherwise static DAI without validating with the DHCP snooping DB is another scenario?

arp access-list DAI

permit ip host 10.1.1.1 mac host 0000.1111.1111


ip arp inspection filter DAI vlan 10 static

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please don't forget to rate any posts that have been helpful. Thanks.
8 REPLIES

IP Source Guard Clarification

Hello

IPSG can be applied either ip filtering or ip & mac filtering

(Ip filtering which references the dhcp snooping DB and only checks the ip address and not the MAC address which is binded to the IP)

r1

int fa0/0

mac address 0000.1111.1111

ip address.10.1.1.1 255.255.255.0

sw1

ip dhcp snooping

ip dhcp snooping vlan 10

ip source binding 0000.1111.111 vlan 10 10.1.1.1 int fa0/1

int fa0/1

ip verify source

sh ip source binding

(Ip & mac filtering references the dhcp snooping DB and checks the ip address and the MAC address which is binded to the IP and allows L2/L3 filtering on an L2 interface)

sw1

ip dhcp snooping

ip dhcp snooping vlan 10

ip source binding 0000.1111.111 vlan 10 10.1.1.1 int fa0/1

int fa0/1

ip verify source port-security

switchport port-security

sh ip source binding

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please don't forget to rate any posts that have been helpful. Thanks.

IP Source Guard Clarification

Paul,

Yeah, this works, but due to the dynamic nature of this one location, I can't enable port security. (I should've mentioned that in the original post.)

Thanks!

John

HTH, John *** Please rate all useful posts ***

Re: IP Source Guard Clarification

Hello John

My understanding is that IPSG ip & mac address filtering can only be actived by switchport security also enabled?

Otherwise static DAI without validating with the DHCP snooping DB is another scenario?

arp access-list DAI

permit ip host 10.1.1.1 mac host 0000.1111.1111


ip arp inspection filter DAI vlan 10 static

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please don't forget to rate any posts that have been helpful. Thanks.

Re: IP Source Guard Clarification

Paul,

That's true. Mac address checks only happen if port security is also enabled. The problem that I'm going to run into with dai is that a user could be docked at their desk, then take their computer to another conference room which could be on a different switch. Then they could leave that room and go out into the warehouse and connect there which could be on another switch. I thought about trusting all of the ports that led to conference rooms, but that kind of negates the purpose of having arp inspection enabled to begin with.

I'm rereading your post ...doesn't the static option tell dai to only use the arp acl instead of the dhcp database? If that means that it will only inspect that single host and nothing else, that may be the fix I'm not in the office today, so I won't be able to lab this up until tomorrow.

Thanks,

John

HTH, John *** Please rate all useful posts ***

IP Source Guard Clarification

Hello John

Yes that's my understanding - even with DHCP snooping enabled - DAI will check for static entries prior going to the DHCP DB

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please don't forget to rate any posts that have been helpful. Thanks.

IP Source Guard Clarification

Cool..I'll post with the results tomorrow.

Thanks!

John

HTH, John *** Please rate all useful posts ***

IP Source Guard Clarification

Paul,

I labbed a couple of other scenarios up. It looks like DAI by itself will work. The static arp acl will break our design though just because it doesn't fall over to the snooping db. I tested the "ideal scenario" by creating a dhcp scope on a 3750 and uplinking another 3750 to it. Then I put my host on the 2nd 3750 and pulled an address. I then moved the host to the first 3750, which didn't have a binding table yet, and I was still able to pass traffic, so it looks like it won't be as bad as once thought. I'm still going to play around with a couple of other ideas, but so far this is what I have.

Thanks!

John

HTH, John *** Please rate all useful posts ***

Re: IP Source Guard Clarification

Hello John

Nice to hear!

All the best

Res
Paul

Sent from Cisco Technical Support iPad App

Please don't forget to rate any posts that have been helpful. Thanks.
217
Views
5
Helpful
8
Replies