01-10-2025 08:51 AM
Reading the Feature History of SISF Security Configuration Guide, Cisco IOS XE Dublin 17.12.x (Catalyst 9400 Switches) - Configuring Switch Integrated Security Features [Support] - Cisco, I have a feeling that device-tracking mode guard is an alternative to legacy DAI.
Unfortunately the official documentation is not very detailed on this topic. Can anyone please shed some light on it?
01-13-2025 12:00 AM
I don't think it is the same as DAI, but it is the same as IPSG, where it checks IP-MAC for data packets, not like DAI, which checks only ARP packets.
MHM
01-13-2025 01:15 AM - edited 01-13-2025 01:17 AM
Yes, it does fulfil the same role as DAI. See the following portion of the SISF documentation: Example: Detecting and Preventing Spoofing
01-13-2025 01:58 AM
I tend to stay with the same interpretation, but it seems like we have a dispute here...
01-13-2025 02:10 AM
Both DAI and IPSG match MAC to IP; the difference is that DAI inspects only ARP packets, whereas IPSG inspects data packets.
MHM
01-13-2025 04:04 AM - edited 01-13-2025 04:11 AM
Do you have anything to add here @jedolphi?
I really liked the BRKENS-3555 presentation and figure you might have something to add to this discussion.
01-13-2025 07:47 AM
Thanks for calling @jedolphi, I would appreciate hearing from him.
Meanwhile, on slide 157 of BRKENS-3555 there is a clearer statement about the protections SISF provides:
no DAI functionality
01-14-2025 01:56 AM
Instead of comparing exact functionality of the two, perhaps it's better to focus on outcomes.. The two things are implemented differently. What specific outcomes are we trying to compare?
DAI relies on DHCP Snooping table, which is not distributed across the ENs (Fabric Edge Nodes).
SISF binding table is distributed across the ENs via LISP.
In DAI, if a corresponding entry (src MAC / IP) is not present from DHCP snooping, the incoming ARP is dropped. It will be dropped as long as there is no DHCP entry in the table.
In SISF/SDA case, if corresponding entry is not present in SISF binding table, the incoming ARP packet will be dropped until the source is verified and MAC-IP binding integrity is confirmed. This does not rely on binding learned from the DHCP.
01-14-2025 04:08 AM
Hi Jerom
The general idea was to leverage the maximum of SISF in any environment, not only LISP'ed ones. Some customers like DAI very much :0) But from recent study of the topic it doesn't sound like SISF is able to replace it nowadays.
BTW, let me correct you: static ip source bindings or ARP ACLs allow bypassing the lack of DHCP binding entries within the DAI framework.
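As an added example, not taken from any post in this thread: the two mechanisms being compared above, side by side in IOS XE CLI on a Catalyst 9000 switch. The left half is legacy DAI keyed off the DHCP snooping table, including the two workarounds mentioned for a host with no DHCP lease (a static source binding, or an ARP ACL applied to the VLAN). The right half is the SISF device-tracking policy with the guard security level, which is what the opening post refers to as "device-tracking mode guard", plus a static entry in the SISF binding table for the same host. VLAN 10, the interfaces, 10.1.10.50 and 0011.2233.4455 are assumed values, and the exact syntax of the static device-tracking binding command should be checked against the SISF guide for your release. As the thread concludes, this shows the overlap, not full parity: the guard policy verifies MAC-IP bindings on its own, it does not implement the DAI feature set.

```ios
! --- Legacy DAI: ARP inspection keyed off the DHCP snooping table ---
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
! Optional additional header checks on inspected ARP packets
ip arp inspection validate src-mac dst-mac ip
!
! Uplink: ARP is not inspected on trusted ports
interface TenGigabitEthernet1/1/1
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host with no DHCP lease (assumed 10.1.10.50 / 0011.2233.4455):
! either a static source binding ...
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet1/0/1
! ... or an ARP ACL applied to the VLAN, so its ARP is not dropped
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! --- SISF device tracking, guard security level ---
device-tracking policy GUARD-HOSTS
 security-level guard
 device-role node
 tracking enable
!
! Uplink policy: trusted port, devices behind it are not tracked
device-tracking policy TRUSTED-UPLINK
 trusted-port
 device-role switch
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 device-tracking attach-policy GUARD-HOSTS
!
interface TenGigabitEthernet1/1/1
 device-tracking attach-policy TRUSTED-UPLINK
!
! Static entry for the same host in the SISF binding table
! (assumed syntax, verify against the SISF guide for your release)
device-tracking binding vlan 10 10.1.10.50 interface GigabitEthernet1/0/1 0011.2233.4455
!
! --- Verification ---
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
show device-tracking database
show device-tracking policy GUARD-HOSTS
```

When testing, compare the two drop counters: `show ip arp inspection statistics` shows ARP packets DAI rejected against its bindings, while `show device-tracking database` shows which entries the guard policy has verified and will allow; a host that is present in one table but not the other is exactly the gap the thread is discussing.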
01-14-2025 06:18 AM - edited 01-14-2025 06:28 AM
Right, sorry, ask an SDA guy a general question and he gives an SDA answer, even though it was not an SDA question, my mistake!
There is overlap between DAI and SISF DT, but not full parity yet e.g.
01-14-2025 06:25 AM
Hopefully I'll make it to the time when Cisco includes DAI into SISF ;0)
Thank you for your hints.
To everyone who is interested in the topic: I've found a nice white paper on the CCO
Cisco Catalyst 9000 Family Switch Integrated Security Features (SISF) White Paper - Cisco
01-14-2025 07:15 AM
No, we thank you for this very informative Q.
Keep asking
Thanks again
Have a nice day
MHM