Hi Boris
Yes, you are correct, thanks for catching that! I’ll let @ReneMolenaar know.
Laz
There is nothing about ip source guard?
Hello Mauricio
IP Source Guard is a different feature to that of DAI. You can find out information about IPSG at the following lesson:
I hope this has been helpful!
Laz
Hi,
I’ve an issue on my home network with DAI configuration.
I’ve configured dhcp snooping with DAI features on all vlans.
In vlan 20 there is an AP that work with dhcp relay for the dhcp server.
At the first time, I can see the mac address of my notebook (xxxx.yyyy.zzzz) on the dhcp snooping bindings but after a while the port go on err-disabled for “arp-inspection” reason.
Log Buffer (4096 bytes):
ar 17 16:40:14.372: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:13 CET Tue Mar 17 2020])
Mar 17 16:40:15.374: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:14 CET Tue Mar 17 2020])
Mar 17 16:40:16.375: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:15 CET Tue Mar 17 2020])
Mar 17 16:40:17.376: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/169.254.7.64/0000.0000.0000/169.254.7.64/17:40:16 CET Tue Mar 17 2020])
Mar 17 20:19:21.303: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 152 milliseconds on Gi0/5.
Mar 17 20:19:21.303: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi0/5, putting Gi0/5 in err-disable state
Mar 17 20:19:22.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to down
Mar 17 20:19:23.316: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to down
( i dont know what is 169.254.7.64 :S ), but I think that the issue happen when the entry on the dhcp snooping bindings expire and the wifi card try to obtain the same address from the dhcp server
SW1#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
SOME:MAC:ADDRES:SS 192.168.20.20 57456 dhcp-snooping 20 GigabitEthernet0/5
SOME:MAC:ADDRES:SS 192.168.99.54 7075 dhcp-snooping 99 GigabitEthernet0/4
SOME:MAC:ADDRES:SS 192.168.20.56 6971 dhcp-snooping 20 GigabitEthernet0/5
SOME:MAC:ADDRES:SS 192.168.10.52 4614 dhcp-snooping 10 GigabitEthernet0/8
SOME:MAC:ADDRES:SS 192.168.20.54 5329 dhcp-snooping 20 GigabitEthernet0/5
SOME:MAC:ADDRES:SS 192.168.20.51 4309 dhcp-snooping 20 GigabitEthernet0/5
SOME:MAC:ADDRES:SS 192.168.20.53 6176 dhcp-snooping 20 GigabitEthernet0/5
SOME:MAC:ADDRES:SS 192.168.30.10 3631 dhcp-snooping 30 GigabitEthernet0/6
Total number of bindings: 8
SW1#
SW1#show interfaces status err-disabled
Port Name Status Reason Err-disabled Vlans
Gi0/5 20_WLAN_AP err-disabled arp-inspection
SW1#
SW1#show ip arp inspection vlan 20
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Enabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
20 Disabled Inactive DAIVALIDATE_HOST No
Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
20 Deny Deny Off
SW1#
ip arp inspection vlan 10,20,30,99
ip arp inspection validate ip
!
!
ip dhcp snooping vlan 10,20,30,99
no ip dhcp snooping information option
ip dhcp snooping
Can you help me to understand what cause the err-disabled state?Preformatted text
Hello Giovanni
It looks like the notebook is trying to obtain an IP address via DHCP, but it is unable to. The 169.254.7.64 address is a link local address that is given to a device that is configured to use DHCP, but cannot find a DHCP server. Microsoft uses this method for link local IPv4 address allocation. They call it Automatic Private IP Addressing (APIPA), and you can find out more about it here.
Having said that, it seems that the notebook is sending many DHCP requests. Based on the syslogs, it is this error that is causing the arp inspection error:
%SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 152 milliseconds on Gi0/5.
I believe that there is some problem with the DHCP configuration, the notebook is unable to reach the DHCP server, and is given a link local address. This address is then used for the ARP requests to reach the DHCP server, which in turn exceed the packet rate.
I suggest you do the following to troubleshoot the issue:
- examine that your DHCP and DHCP relay configurations are correct
- try to increase the packet rate limiting on the interface, as it may be too low. Use this command reference to help.
- You may also need to add the following command in the device configured as a DHCP relay:
ip dhcp relay information trust-all. More information on this here.
I also suggest you try to make the topology work without using snooping to see if it is your DHCP configuration alone that is causing the problem, or the introduction of the snooping feature.
I hope this helps you in your troubleshooting procedure… Let us know how it goes.
I hope this has been helpful!
Laz
2 Likes
Hi Laz ,
Hope you are doing well , i have a query why the switch interface required to configured on vlan 123 as all interface of switch placed in default vlan 1 .What was the reason behind this ?
SW1(config)#interface range fa0/1 - 3
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#**switchport access vlan 123**
SW1(config-if-range)#spanning-tree portfast
Regards
Chaudhary Shivam Chahal
Hello Shivam
All three interfaces simply have to be in the same VLAN. Yes, they could have been in the default VLAN 1, but Rene chose to use 123. It doesn’t make a difference, but it just stresses the necessity of having all the ports in the same VLAN.
Having said that, in any network, it’s always best practice to avoid using VLAN 1 for your networks.
I hope this has been helpful!
Laz
Hi Team,
I did not understand the arp validate points made with dst-src mac and ip. can you explain this with an example.
Hello Justin
For the DAI options described in the following command:
SW1(config)#ip arp inspection validate ?
dst-mac Validate destination MAC address
ip Validate IP addresses
src-mac Validate source MAC address
The dst-mac option compares the target MAC address field within the ARP payload, with the destination MAC address of the ARP packet itself. These two values should be the same. The target MAC address field, more appropriately known as the Target Hardware Address (THA) field, contains the MAC address of the host that originated the ARP request. This should be the same MAC address as the destination of the ARP reply. A reply should always be sent to the device that originated the request. If this is not the case, then the ARP reply was originally requested by another host, potentially a malicious one.
The ip option is used to determine if the Sender Protocol Address (SPA) field in the ARP payload contains any unusual IP addresses such as 0.0.0.0, or a multicast address. The SPA field contains the IP address of the originator of the ARP request. If this address is unrecognized, then it is likely that the ARP reply is sent from a malicious host, so such ARP packets are dropped. This check is applied to both requests and replies.
I hope this has been helpful!
Laz
Hi Laz,
1)I am confused about when should I use arp access-list option and when DAI
with trusted int option?, can we use both simultaneously?
-
As per my understanding of this topic, if we configure DAI in that case DCHP
snooping must have already configured. -
Do we have to use trust command on interface for both cases or for any one of the case will be sufficient?
-
Do we need to configure these sec technology on all the switches on our n/w?
Hello Pradyumna
DAI is a feature that protects the function of ARP. As stated in the lesson, DAI uses both the DHCP snooping database AND ARP access lists to operate. The DHCP snooping table is used to protect ARP messages destined for the IP Address/MAC address combinations within the table. An ARP access list should be used for any IP address/MAC address combinations that are statically assigned, and not defined within the snooping table, such as the IP of a default gateway, as in the example in the lesson.
Yes, DHCP snooping must be enabled for DAI to function. Actually, you can enable it without DHCP snooping and use only ARP access lists, but this is not a very common implementation.
For both cases? You mean for both ARP access lists and DHCP snooping database? The trust command is used for DAI regardless of if you use the snooping database, ARP access lists, or both.
You must enable and configure these features on all the switches that you wish to participate in DAI.
I hope this has been helpful!
Laz
Thanks laz , now doubts are clear
1 Like
Hi Lazaros,
In the DAI lesson it states that the DHCP has no way to replay back.
“Why is the switch dropping the ARP reply? The problem is that the DHCP router is using a static IP addresses. DAI checks the DHCP snooping database for all packets that arrive on untrusted interfaces, when it doesn’t find a match…the ARP packet is dropped. To fix this, we need to create a static entry for our DHCP router” Is this because the DHCP snooping database would only have dynamically assigned addresses and not the static address of the dhcp? And also when the lesson says not to use the static command I dont understand why it is bad to only check the arp list? Would this then negate the checking of all the dynamically assigned addresses? and lastly,
in the picture attached for example configuration there is no commands for the below which I thought must be added
SW1(config)#arp access-list DHCP_ROUTER
SW1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123Hello Daniel
Yes, the DHCP snooping database will only have addresses that are either assigned by DHCP or are statically configured in the DHCP database. If you statically assign a host on the network an IP address, the DHCP snooping database has no way of knowing that that address has been assigned. The only way to do it is to statically configure it in the DHCP router.
Yes, that is correct. It will only check the statically configured ARP ACL and NOT the dynamically created and updated DHCP snooping database.
Yes, the last ip arp inspection filter command does not seem to be included in the configuration of SW1 at the end. I will let Rene know to add that…
I hope this has been helpful!
Laz
Hi Lazaros,
Thanks again! I did have a follow up question here it does look like in the configuration example below that Rene has shown both options:
SW1(config)#arp access-list DHCP_ROUTER
SW1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123
int fa0/3
ip arp inspection trust
But you can use one or the other correct. You dont have to use both? If that is the case why go through the hassle of extra command and just use ip arp inspection trust?
interface FastEthernet0/3
switchport access vlan 123
switchport mode access
ip arp inspection trust
spanning-tree portfast
ip dhcp snooping trust
!
arp access-list DHCP_ROUTER
permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
!endHello Daniel
Yes, you are correct that you can use one or the other to solve the specific problem. However, you must understand that they actually do two different things. The arp access-list command tells the switch to check the access list for acceptable MAC/IP addresses that will allow ARP messages and will allow those coming from the DHCP server. The other option doesn’t check any ARP messages against anything and simply allows all ARP messages on this interface, which is the interface where the DHCP server is connected.
I hope this has been helpful!
Laz
1 Like
Hi Lazaros,
In that case would putting the command arp inspection trust command be enough security since all untrusted other interfaces would still be checked right? What is the use case for using the arp access-list over the trust command in that scenario. Also, could you give an example of the use cases for the three different validation options
dst-mac
ip
scr-mac
I read another answer about it but I still was unclear
Thanks!
Hello Daniel
Whether or not something is “enough security” is a topic for debate, it all depends on the expected threats, and the level of security you want to achieve. Using the arp insepction trust command on an interface would be used if you know that all ARP packets expected to be received on this port can be trusted, because you’ve taken care to ensure that the subnet on that interface is secure. So you will never expect any attacks to occur there. The rest of the ports of course are untrusted, and you are “safe” from any attempts at attack that may arrive on those ports.
If you have several hosts connected to the subnet on a particular interface, and some of those hosts are statically assigned their IP addresses, while the others are dynamically assigned, you can place the statically assigned IP addresses in an ARP access list. This way, the switch will check the ARP access-list first and when it doesn’t find a match, it will check the DHCP snooping database. Statically assigned hosts’ ARP requests will be matched by the access list, and dynamically assigned hosts’ ARP requests will be matched using the DHCP snooping database.
Each of the choices performs a different check. This is further described in this CIsco documentation:
I hope this has been helpful!
Laz
1 Like
Hi,
I think there’s a typo:
If the information in the ARP packet doesn’t matter, it will be dropped.
Shouldn’t it be match not matter
Sam