455 Views, 4 Helpful, 11 Replies

device-tracking mode guard vs legacy DAI

Reading the feature history of the SISF Security Configuration Guide, Cisco IOS XE Dublin 17.12.x (Catalyst 9400 Switches) - Configuring Switch Integrated Security Features [Support] - Cisco, I have a feeling that device-tracking mode guard is an alternative to legacy DAI.
Unfortunately, the official documentation is not very detailed on the topic. Can anyone please shed some light on it?


11 Replies

I don't think it is the same as DAI, but it is the same as IPSG, where it checks IP-MAC for data packets, not like DAI, which checks only ARP packets.

MHM

Torbjørn (VIP)

Yes, it does fulfil the same role as DAI. See the following portion of the SISF documentation: Example: Detecting and Preventing Spoofing 

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

I tend to stay with the same interpretation, but it seems like we have a dispute here...

Both DAI and IPSG match MAC to IP; the difference is that DAI inspects only ARP packets, whereas IPSG inspects data packets.

MHM

Do you have anything to add here @jedolphi?
I really liked the BRKENS-3555 presentation and figure you might have something to add to this discussion.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Thanks for calling @jedolphi.
I would appreciate hearing from him.
Meanwhile, on slide 157 of BRKENS-3555 there is a clearer statement about the protections SISF does:

[image: andydoesntlikeuucp_0-1736783166603.png]

no DAI functionality

jedolphi (Cisco Employee)

Instead of comparing the exact functionality of the two, perhaps it's better to focus on outcomes. The two things are implemented differently. What specific outcomes are we trying to compare?

DAI relies on DHCP Snooping table, which is not distributed across the ENs (Fabric Edge Nodes).

SISF binding table is distributed across the ENs via LISP.

In DAI, if a corresponding entry (src MAC / IP) is not present from DHCP snooping, the incoming ARP is dropped. It will be dropped as long as there is no DHCP entry in the table.

In SISF/SDA case, if corresponding entry is not present in SISF binding table, the incoming ARP packet will be dropped until the source is verified and MAC-IP binding integrity is confirmed. This does not rely on binding learned from the DHCP.

Hi Jerom,
The general idea was to leverage the maximum of SISF in any environment, not only LISP'ed ones. Some customers like DAI a lot :0) But from recent studying of the topic it doesn't sound like SISF is able to replace it nowadays.
By the way, let me correct you: static ip-source-bindings or ARP ACLs allow bypassing the lack of DHCP-binding entries within the DAI framework.
Accepted Solution

Right, sorry, ask an SDA guy a general question and he gives an SDA answer, even though it was not an SDA question, my mistake!

There is overlap between DAI and SISF DT, but not full parity yet, e.g.

  • Both can protect against invalid IP-MAC pairs
  • DAI can do burst limits, DT does it differently
  • DAI learns from DHCP snooping, DT learns from gleaning DHCP and ARP
  • DAI can shut a violated port, DT cannot. Etc...
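To make the differences listed in the accepted answer concrete, here is an added IOS XE configuration example showing a legacy DAI setup next to a SISF device-tracking policy in guard mode. It is not from the original thread or from Cisco's documentation; VLAN 10, the interface names, and the host address and MAC are constructed placeholders, and the static-binding and ARP-ACL lines illustrate the bypass mentioned earlier in the thread for hosts that never obtain a DHCP lease.

```cisco
! ---- Legacy DAI: validation is keyed off the DHCP snooping binding table ----
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
! also check that the MAC/IP inside the ARP body match the Ethernet header
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/1
 description access port (constructed example)
 switchport access vlan 10
 ! burst limit: more than 15 ARP packets/second puts the port in err-disable
 ip arp inspection limit rate 15
!
interface GigabitEthernet1/0/48
 description uplink / DHCP server side (constructed example)
 ip arp inspection trust
 ip dhcp snooping trust
!
! Hosts without a DHCP lease have no snooping entry, so DAI would drop their ARP.
! Either a static IP source binding ...
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/1
! ... or an ARP ACL applied to the VLAN lets them through.
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! ---- SISF device tracking, guard mode: binding table gleaned from DHCP and ARP ----
device-tracking policy DT-GUARD
 ! guard = drop traffic whose source does not match a verified binding;
 ! the other levels are glean (learn only) and inspect (learn and report)
 security-level guard
 tracking enable
!
! attach the policy to every port in VLAN 10 rather than per interface
vlan configuration 10
 device-tracking attach-policy DT-GUARD
!
! verification (hypothetical shell-free checks a practitioner runs after applying)
! show ip arp inspection vlan 10
! show device-tracking database vlan 10
! show device-tracking policy DT-GUARD
```

Note that the two halves are not mirror images, which is the point of the thread: the DAI side enforces only on ARP and can err-disable a port via the rate limit, while the device-tracking policy enforces binding integrity on traffic gleaned from both DHCP and ARP and has no port-shutdown action of its own.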

Hopefully I'll make it to the time when Cisco includes DAI in SISF ;0)
Thank you for your hints.
For everyone who is interested in the topic, I've found a nice white paper on the CCO:
Cisco Catalyst 9000 Family Switch Integrated Security Features (SISF) White Paper - Cisco

No, we thank you for this very informal Q.

Keep asking

Thanks again 

Have a nice day 

MHM
