DAI (Dynamic ARP Inspection)

Hi Boris

Yes, you are correct, thanks for catching that! I’ll let @ReneMolenaar know.

Laz

Thank you @bvesel. Just fixed this!

Rene

Is there nothing about IP source guard?

Hello Mauricio

IP Source Guard is a different feature to that of DAI. You can find out information about IPSG at the following lesson:

I hope this has been helpful!

Laz

Hi,

I’ve an issue on my home network with DAI configuration.

I’ve configured dhcp snooping with DAI features on all vlans.

In VLAN 20 there is an AP that works with DHCP relay for the DHCP server.

At first, I can see the MAC address of my notebook (xxxx.yyyy.zzzz) in the DHCP snooping bindings, but after a while the port goes into the err-disabled state for the “arp-inspection” reason.

Log Buffer (4096 bytes):


Mar 17 16:40:14.372: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:13 CET Tue Mar 17 2020])
Mar 17 16:40:15.374: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:14 CET Tue Mar 17 2020])
Mar 17 16:40:16.375: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:15 CET Tue Mar 17 2020])
Mar 17 16:40:17.376: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/169.254.7.64/0000.0000.0000/169.254.7.64/17:40:16 CET Tue Mar 17 2020])
Mar 17 20:19:21.303: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 152 milliseconds on Gi0/5.
Mar 17 20:19:21.303: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi0/5, putting Gi0/5 in err-disable state
Mar 17 20:19:22.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to down
Mar 17 20:19:23.316: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to down

(I don't know what 169.254.7.64 is :S), but I think that the issue happens when the entry in the DHCP snooping bindings expires and the WiFi card tries to obtain the same address from the DHCP server.

SW1#show ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
SOME:MAC:ADDRES:SS   192.168.20.20    57456       dhcp-snooping   20    GigabitEthernet0/5
SOME:MAC:ADDRES:SS   192.168.99.54    7075        dhcp-snooping   99    GigabitEthernet0/4
SOME:MAC:ADDRES:SS   192.168.20.56    6971        dhcp-snooping   20    GigabitEthernet0/5
SOME:MAC:ADDRES:SS   192.168.10.52    4614        dhcp-snooping   10    GigabitEthernet0/8
SOME:MAC:ADDRES:SS   192.168.20.54    5329        dhcp-snooping   20    GigabitEthernet0/5
SOME:MAC:ADDRES:SS   192.168.20.51    4309        dhcp-snooping   20    GigabitEthernet0/5
SOME:MAC:ADDRES:SS   192.168.20.53    6176        dhcp-snooping   20    GigabitEthernet0/5
SOME:MAC:ADDRES:SS   192.168.30.10    3631        dhcp-snooping   30    GigabitEthernet0/6
Total number of bindings: 8

SW1#

SW1#show interfaces status err-disabled 

Port      Name               Status       Reason               Err-disabled Vlans
Gi0/5     20_WLAN_AP         err-disabled arp-inspection
SW1#

SW1#show ip arp inspection vlan 20

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   20     Disabled         Inactive    DAIVALIDATE_HOST   No 

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   20     Deny             Deny              Off          


SW1#
    ip arp inspection vlan 10,20,30,99
    ip arp inspection validate ip 
    !         
    !         
    ip dhcp snooping vlan 10,20,30,99
    no ip dhcp snooping information option
    ip dhcp snooping

Can you help me understand what causes the err-disabled state?

Hello Giovanni

It looks like the notebook is trying to obtain an IP address via DHCP, but it is unable to. The 169.254.7.64 address is a link local address that is given to a device that is configured to use DHCP, but cannot find a DHCP server. Microsoft uses this method for link local IPv4 address allocation. They call it Automatic Private IP Addressing (APIPA), and you can find out more about it here.

Having said that, it seems that the notebook is sending many DHCP requests. Based on the syslogs, it is this error that is causing the arp inspection error:

%SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 152 milliseconds on Gi0/5.

I believe that there is some problem with the DHCP configuration, the notebook is unable to reach the DHCP server, and is given a link local address. This address is then used for the ARP requests to reach the DHCP server, which in turn exceed the packet rate.

I suggest you do the following to troubleshoot the issue:

  1. check that your DHCP and DHCP relay configurations are correct
  2. try to increase the packet rate limiting on the interface, as it may be too low. Use this command reference to help.
  3. You may also need to add the following command in the device configured as a DHCP relay: ip dhcp relay information trust-all. More information on this here.

I also suggest you try to make the topology work without using snooping to see if it is your DHCP configuration alone that is causing the problem, or the introduction of the snooping feature.

I hope this helps you in your troubleshooting procedure… Let us know how it goes.

I hope this has been helpful!

Laz

2 Likes
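To make the log buffer above easier to read, here is an added Python example (not part of the thread or of Cisco IOS) that parses the %SW_DAI syslog lines quoted in the question and states which DAI check produced each one; the sample lines are copied from the question with its placeholder MACs, and the 15 pps figure is the IOS default rate limit for untrusted ports, which the question's configuration does not change.

```python
import re
from ipaddress import ip_address, ip_network
# Added example, not from the thread or Cisco: explain each %SW_DAI syslog line from the question.
INVALID = re.compile(r"%SW_DAI-4-(?P<msg>INVALID_ARP|DHCP_SNOOPING_DENY): (?P<n>\d+) Invalid ARPs? "
                     r"\((?P<kind>Req|Res)\) on (?P<intf>[\w/]+), vlan (?P<vlan>\d+)\."
                     r"\(\[(?P<smac>[\w.]+)/(?P<sip>[\d.]+)/(?P<tmac>[\w.]+)/(?P<tip>[\d.]+)/")
RATE = re.compile(r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<n>\d+) packets received in "
                  r"(?P<ms>\d+) milliseconds on (?P<intf>[\w/]+)")
APIPA = ip_network("169.254.0.0/16")
DEFAULT_LIMIT_PPS = 15          # IOS default 'ip arp inspection limit rate' on untrusted ports

# Constructed sample: the lines quoted in the question (MAC addresses are placeholders)
SAMPLE = [
    "Mar 17 16:40:14.372: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20."
    "([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:13 CET Tue Mar 17 2020])",
    "Mar 17 16:40:17.376: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi0/5, vlan 20."
    "([xxxx.yyyy.zzzz/169.254.7.64/0000.0000.0000/169.254.7.64/17:40:16 CET Tue Mar 17 2020])",
    "Mar 17 20:19:21.303: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 152 milliseconds on Gi0/5.",
    "Mar 17 20:19:21.303: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi0/5, putting Gi0/5 in err-disable state",
]

def explain(line):
    """Return (interface, explanation) for a DAI syslog line, or None for anything else."""
    m = RATE.search(line)
    if m:
        pps = int(m["n"]) * 1000 // int(m["ms"])
        over = pps > DEFAULT_LIMIT_PPS
        return m["intf"], f"{pps} pps {'exceeds' if over else 'is within'} the {DEFAULT_LIMIT_PPS} pps limit"
    m = INVALID.search(line)
    if not m:
        return None
    if m["msg"] == "DHCP_SNOOPING_DENY":
        why = f"no DHCP snooping binding for {m['smac']}/{m['sip']} in vlan {m['vlan']}"
    elif m["sip"] == "0.0.0.0":
        why = "sender IP 0.0.0.0 rejected by 'ip arp inspection validate ip'"
    else:
        why = f"invalid ARP {m['kind']} from {m['smac']}/{m['sip']}"
    if ip_address(m["tip"]) in APIPA:
        why += "; target 169.254.x.x means the host fell back to a link-local (APIPA) address"
    return m["intf"], why

def summarize(lines):
    """Group explanations by interface, dropping lines DAI did not produce."""
    out = {}
    for line in lines:
        hit = explain(line)
        if hit:
            out.setdefault(hit[0], []).append(hit[1])
    return out
```

Running `summarize(SAMPLE)` shows the sequence on Gi0/5: the `validate ip` drops, the binding-table miss for the 169.254.7.64 address, and finally the burst that exceeds the rate limit and err-disables the port.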

Hi Laz ,
Hope you are doing well. I have a query: why are the switch interfaces required to be configured in VLAN 123, as all interfaces of the switch are placed in the default VLAN 1? What was the reason behind this?

SW1(config)#interface range fa0/1 - 3
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#**switchport access vlan 123**
SW1(config-if-range)#spanning-tree portfast

Regards
Chaudhary Shivam Chahal

Hello Shivam

All three interfaces simply have to be in the same VLAN. Yes, they could have been in the default VLAN 1, but Rene chose to use 123. It doesn’t make a difference, but it just stresses the necessity of having all the ports in the same VLAN.

Having said that, in any network, it’s always best practice to avoid using VLAN 1 for your networks.

I hope this has been helpful!

Laz

Hi Team,

I did not understand the ARP validate points made about dst/src MAC and IP. Can you explain this with an example?

Hello Justin

For the DAI options described in the following command:

SW1(config)#ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address

The dst-mac option compares the target MAC address field within the ARP payload, with the destination MAC address of the ARP packet itself. These two values should be the same. The target MAC address field, more appropriately known as the Target Hardware Address (THA) field, contains the MAC address of the host that originated the ARP request. This should be the same MAC address as the destination of the ARP reply. A reply should always be sent to the device that originated the request. If this is not the case, then the ARP reply was originally requested by another host, potentially a malicious one.

The ip option is used to determine if the Sender Protocol Address (SPA) field in the ARP payload contains any unusual IP addresses such as 0.0.0.0, or a multicast address. The SPA field contains the IP address of the originator of the ARP request. If this address is unrecognized, then it is likely that the ARP reply is sent from a malicious host, so such ARP packets are dropped. This check is applied to both requests and replies.

I hope this has been helpful!

Laz

Hi Laz,

  1. I am confused about when I should use the arp access-list option and when to use DAI
    with the trusted interface option. Can we use both simultaneously?

  2. As per my understanding of this topic, if we configure DAI, DHCP
    snooping must already have been configured.

  3. Do we have to use the trust command on the interface for both cases, or will it be sufficient for just one of the cases?

  4. Do we need to configure these security technologies on all the switches in our network?

Hello Pradyumna

DAI is a feature that protects the function of ARP. As stated in the lesson, DAI uses both the DHCP snooping database AND ARP access lists to operate. The DHCP snooping table is used to protect ARP messages destined for the IP Address/MAC address combinations within the table. An ARP access list should be used for any IP address/MAC address combinations that are statically assigned, and not defined within the snooping table, such as the IP of a default gateway, as in the example in the lesson.

Yes, DHCP snooping must be enabled for DAI to function. Actually, you can enable it without DHCP snooping and use only ARP access lists, but this is not a very common implementation.

For both cases? You mean for both ARP access lists and DHCP snooping database? The trust command is used for DAI regardless of if you use the snooping database, ARP access lists, or both.

You must enable and configure these features on all the switches that you wish to participate in DAI.

I hope this has been helpful!

Laz

Thanks Laz, now my doubts are clear.

1 Like

Hi Lazaros,

In the DAI lesson it states that the DHCP router has no way to reply back:
“Why is the switch dropping the ARP reply? The problem is that the DHCP router is using a static IP address. DAI checks the DHCP snooping database for all packets that arrive on untrusted interfaces, when it doesn’t find a match…the ARP packet is dropped. To fix this, we need to create a static entry for our DHCP router.” Is this because the DHCP snooping database would only have dynamically assigned addresses and not the static address of the DHCP router? And also, when the lesson says not to use the static command, I don’t understand why it is bad to only check the ARP list. Would this then negate the checking of all the dynamically assigned addresses? And lastly,
in the picture attached for the example configuration there are no commands for the below, which I thought must be added:

SW1(config)#arp access-list DHCP_ROUTER
SW1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123

Hello Daniel

Yes, the DHCP snooping database will only have addresses that are either assigned by DHCP or are statically configured in the DHCP database. If you statically assign a host on the network an IP address, the DHCP snooping database has no way of knowing that that address has been assigned. The only way to do it is to statically configure it in the DHCP router.

Yes, that is correct. It will only check the statically configured ARP ACL and NOT the dynamically created and updated DHCP snooping database.

Yes, the last ip arp inspection filter command does not seem to be included in the configuration of SW1 at the end. I will let Rene know to add that…

I hope this has been helpful!

Laz

Hi Lazaros,

Thanks again! I did have a follow-up question here. It does look like in the configuration example below that Rene has shown both options:

SW1(config)#arp access-list DHCP_ROUTER
SW1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123

int  fa0/3
ip arp inspection trust

But you can use one or the other, correct? You don’t have to use both? If that is the case, why go through the hassle of the extra commands and not just use ip arp inspection trust?

interface FastEthernet0/3
 switchport access vlan 123
 switchport mode access
 ip arp inspection trust
 spanning-tree portfast
 ip dhcp snooping trust       
!
arp access-list DHCP_ROUTER
 permit ip host 192.168.1.254 mac host 0016.c7be.0ec8 
!end

Hello Daniel

Yes, you are correct that you can use one or the other to solve the specific problem. However, you must understand that they actually do two different things. The arp access-list command tells the switch to check the access list for acceptable MAC/IP addresses that will allow ARP messages and will allow those coming from the DHCP server. The other option doesn’t check any ARP messages against anything and simply allows all ARP messages on this interface, which is the interface where the DHCP server is connected.

I hope this has been helpful!

Laz

1 Like

Hi Lazaros,

In that case, would putting the arp inspection trust command on the interface be enough security, since all other untrusted interfaces would still be checked, right? What is the use case for using the arp access-list over the trust command in that scenario? Also, could you give an example of the use cases for the three different validation options:
dst-mac
ip
src-mac
I read another answer about it but I was still unclear.
Thanks!

Hello Daniel

Whether or not something is “enough security” is a topic for debate, it all depends on the expected threats, and the level of security you want to achieve. Using the arp inspection trust command on an interface would be used if you know that all ARP packets expected to be received on this port can be trusted, because you’ve taken care to ensure that the subnet on that interface is secure. So you will never expect any attacks to occur there. The rest of the ports of course are untrusted, and you are “safe” from any attempts at attack that may arrive on those ports.

If you have several hosts connected to the subnet on a particular interface, and some of those hosts are statically assigned their IP addresses, while the others are dynamically assigned, you can place the statically assigned IP addresses in an ARP access list. This way, the switch will check the ARP access-list first and when it doesn’t find a match, it will check the DHCP snooping database. Statically assigned hosts’ ARP requests will be matched by the access list, and dynamically assigned hosts’ ARP requests will be matched using the DHCP snooping database.

Each of the choices performs a different check. This is further described in this Cisco documentation:

I hope this has been helpful!

Laz

1 Like
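As an added example that is not part of the thread or of Cisco IOS, this Python model ties together two of Laz's answers above: the validate checks (src-mac, dst-mac, ip) from the reply to Justin, and the lookup order from the replies to Daniel (ARP access list first, then the DHCP snooping bindings, unless the ACL was applied with static, which ends in an implicit deny). The frame layout is Ethernet II plus RFC 826 ARP; the MAC addresses, ACL and binding table used in the checks are constructed.

```python
import struct
from ipaddress import IPv4Address
# Added example, not IOS code: a model of what DAI does with an ARP frame on an untrusted port.
ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed Ethernet II + ARP frame (op 1 = request, 2 = reply)."""
    return ETH.pack(mac_bytes(eth_dst), mac_bytes(eth_src), 0x0806) + ARP.pack(
        1, 0x0800, 6, 4, op, mac_bytes(sha), IPv4Address(spa).packed,
        mac_bytes(tha), IPv4Address(tpa).packed)

def parse_arp(frame):
    dst, src, etype = ETH.unpack_from(frame)
    if etype != 0x0806:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}

def invalid_ip(ip):
    # The 'ip' option rejects 0.0.0.0, 255.255.255.255 and any multicast address
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast
def validate(pkt, options):
    """Mirror 'ip arp inspection validate {src-mac|dst-mac|ip}'; return the checks that failed."""
    failed = []
    if "src-mac" in options and pkt["sha"] != pkt["eth_src"]:
        failed.append("src-mac")        # SHA vs Ethernet source, requests and replies
    if "dst-mac" in options and pkt["op"] == 2 and pkt["tha"] != pkt["eth_dst"]:
        failed.append("dst-mac")        # THA vs Ethernet destination, replies only
    if "ip" in options and (invalid_ip(pkt["spa"]) or pkt["op"] == 2 and invalid_ip(pkt["tpa"])):
        failed.append("ip")             # SPA on every packet, TPA on replies
    return failed

def dai_decision(frame, vlan, options, arp_acl, static_acl, bindings):
    """ARP ACL is consulted first; the snooping table only if the ACL misses and is not 'static'."""
    pkt = parse_arp(frame)
    failed = validate(pkt, options)
    if failed:
        return "drop", "validate " + ",".join(failed)
    if (pkt["sha"], pkt["spa"]) in arp_acl:
        return "permit", "arp access-list"
    if static_acl:
        return "drop", "implicit deny at end of static ACL"
    if bindings.get((pkt["sha"], pkt["spa"])) == vlan:
        return "permit", "dhcp snooping binding"
    return "drop", "no dhcp snooping binding"
```

With the lesson's DHCP router entry (192.168.1.254, 0016.c7be.0ec8) in `arp_acl`, its ARP reply is permitted by the ACL, while a dynamically addressed host is permitted only when its MAC/IP/VLAN triple is in `bindings`.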

Hi,

I think there’s a typo:

If the information in the ARP packet doesn’t matter, it will be dropped.

Shouldn’t it be “match”, not “matter”?

Sam