topic Re: device-tracking mode guard vs legacy DAI in Network Security

device-tracking mode guard vs legacy DAI

Andrii Oliinyk — Fri, 10 Jan 2025 16:51:12 GMT

reading Feature history of SISF Security Configuration Guide, Cisco IOS XE Dublin 17.12.x (Catalyst 9400 Switches) - Configuring Switch Integrated Security Features [Support] - Cisco i have a feeling that device-tracking mode guard is an alternative to legacy DAI.
Unfortunately official documentation is not quite detailed on topic. Can anyone please shed a light on it?

Re: device-tracking mode guard vs legacy DAI

MHM Cisco World — Mon, 13 Jan 2025 08:00:36 GMT

I dont think it same as DAI but it same as IPSG where it check IP-MAC for data packet not as DAI check only ARP packet

MHM

Re: device-tracking mode guard vs legacy DAI

Torbjørn — Mon, 13 Jan 2025 09:17:17 GMT

Yes, it does fulfil the same role as DAI. See the following portion of the SISF documentation: Example: Detecting and Preventing Spoofing

Re: device-tracking mode guard vs legacy DAI

Andrii Oliinyk — Mon, 13 Jan 2025 09:58:37 GMT

i tend to stay w/ same interpretation. but it seems like we have dispute here...

Re: device-tracking mode guard vs legacy DAI

MHM Cisco World — Mon, 13 Jan 2025 10:10:12 GMT

Both DAI and IPSG match mac to IP' the different is DAI is inspect only ARP packet where IPSG inspect data packet.

MHM

Re: device-tracking mode guard vs legacy DAI

Torbjørn — Mon, 13 Jan 2025 12:11:32 GMT

Do you have anything to add here @jedolphi?
I really liked the BRKENS-3555 presentation and figure you might have something to add to this discussion.

Re: device-tracking mode guard vs legacy DAI

Andrii Oliinyk — Mon, 13 Jan 2025 15:47:50 GMT

thanks for calling @jedolphi
would appreciate hearing from him
meanwhile on the slide 157 of the BRKENS-3555 the is more clear statement about protections SISF does:

no DAI functionality

Re: device-tracking mode guard vs legacy DAI

jedolphi — Tue, 14 Jan 2025 09:56:46 GMT

Instead of comparing exact functionality of the two, perhaps it's better to focus on outcomes.. The two things are implemented differently. What specific outcomes are we trying to compare?

DAI relies on DHCP Snooping table, which is not distributed across the ENs (Fabric Edge Nodes).

SISF binding table is distributed across the ENs via LISP.

In DAI, if a corresponding entry (src MAC / IP) is not present from DHCP snooping, the incoming ARP is dropped. It will dropped as long as no DHCP entry in the table.

In SISF/SDA case, if corresponding entry is not present in SISF binding table, the incoming ARP packet will be dropped until the source is verified and MAC-IP binding integrity is confirmed. This does not rely on binding learned from the DHCP.

Re: device-tracking mode guard vs legacy DAI

Andrii Oliinyk — Tue, 14 Jan 2025 12:08:45 GMT

Hi Jerom
General idea was leverage maximum of SIFS in any environment not only LISP'ed those. Some customers like DAI much :0) But from recent studying of the topic it doesn sound nowadays SISF is able to replace it.
btw, let me to correct u, but static ip-source-bindings or ARP-ACLs allow bypassing lack of DHCPs-binding entries within DAI-framework.

Re: device-tracking mode guard vs legacy DAI

jedolphi — Tue, 14 Jan 2025 14:28:20 GMT

Right, sorry, ask an SDA guy a general question and he gives an SDA answer, even though it was not an SDA question, my mistake!

There is overlap between DAI and SISF DT, but not full parity yet e.g.

Both can protect against invalid IP-MAC pairs
DAI can do burst limits, DT does it differently
DAI learns from DHCP snooping, DT learns from gleaning DHCP and ARP
DAI can shut violated port, DT not. Etc...

Re: device-tracking mode guard vs legacy DAI

Andrii Oliinyk — Tue, 14 Jan 2025 14:25:47 GMT

hopefully i'll make to the time when Cisco includes DAI into SIFS ;0)
thank you for your hints.
To everyone who is interesting in the topic i've found nice w/p on the CCO
Cisco Catalyst 9000 Family Switch Integrated Security Features (SISF) White Paper - Cisco

Re: device-tracking mode guard vs legacy DAI

MHM Cisco World — Tue, 14 Jan 2025 15:15:25 GMT

No we thanks to you for this very informal Q.

Keep ask

Thanks again

Have a nice day

MHM