About Dynamic ARP Inspection - ARP Access list

HungSmecta
Level 1

Hi Brothers !!

Pleased to meet all of you :D

I have a question about the Dynamic ARP Inspection ACL on a 2960X switch.

For example, my config on the switch:

arp access-list ARP100
 permit ip host 10.3.3.10 mac host H.H.H.H
 permit ip host 10.3.3.11 mac host A.A.A.A
exit
ip arp inspection filter ARP100 vlan 100
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip

--------------------------------------------------

My PC is in the management VLAN (VLAN 254) on the core switch; I can ping the management IP (VLAN 254) of the 2960X and the IPs in ACL ARP100.

The problem occurred:

 - When I configure "no permit ip host 10.3.3.10 mac host H.H.H.H" on the switch and "wr".
 - The switch log shows: "1 Invalid ARPs (Req) on Gi1/0/13, vlan 100 ([H.H.H.H/10.3.3.10 ....])"
 - But my PC can still ping IP 10.3.3.10!!! Success, and nothing happened with IP 10.3.3.10.

If I configure Dynamic ARP Inspection on an SG300, SG352 ... switch, DAI drops the ARP immediately when I remove that IP (10.3.3.10) from the ARP ACL.

So what happened with my config, my switch or the firmware??

Thanks for reading!

Please tell me how I can test or fix that!

Best Regards!

4 Replies

pieterh
VIP

For Dynamic ARP Inspection to function, DHCP snooping needs to be configured first;

it uses data from the DHCP snooping database.

DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

Thanks for your answer, Pieterh!

Yeah, I know, but in my company we don't use a DHCP server; we allocate static IPs (bind IP to MAC). I configured DAI for a non-DHCP environment, following the Cisco user guide step by step.

DAI will check that ARP packets match the ARP access list we create by hand.

And I don't know what happened with my 2960X switch. (DAI still works on my SG350 switch.)

Best Regards

Giuseppe Larosa
Hall of Fame

Hello Hung,

I'm sorry for the dumb question: after you made the change in the ARP access-list, did you clear the ARP table on your PC?

I mean, if the PC already has the ARP entry in its local table, it doesn't need to perform an ARP request for the other host, and the ping can still work even if the device is now not permitted to perform ARP requests.

Hope to help

Giuseppe


Dear Mr. Giuseppe Larosa,

Thank you for your help! That's a good idea. I will try your way (clear the ARP cache on the PC).

But I have an unknown problem:

 - On the SG350 switch, when I remove the IP/MAC (VLAN 100) from the ARP access-list, my PC (VLAN 254) fails to ping that PC (VLAN 100) immediately.
 - On the 2960X switch, in the same situation, my PC (VLAN 254) can still ping the PC (VLAN 100). ???

If I don't clear the ARP cache on the PC (VLAN 100), can the SG350 still ping like the 2960?


P/s: + The port connected to my PC (VLAN 254) is a trusted port
     + The port connected to the PC (VLAN 100) is an untrusted port, and ARP inspection is enabled in VLAN 100.

Best Regards!
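To make the two points of this thread concrete (the ARP ACL in the first post, and Giuseppe's remark that a host with a cached ARP entry sends no ARP request for DAI to drop), here is a small added Python model; it is not code from the thread or from Cisco. The MAC addresses, the full shape of the deny log line beyond the fragment the poster quoted, and the gateway address 10.3.3.1 are constructed assumptions.

```python
import re

# Constructed sample (not from the post): the poster's ARP ACL with the placeholder
# MACs H.H.H.H / A.A.A.A replaced by made-up addresses.
ARP_ACL_CONFIG = """
arp access-list ARP100
 permit ip host 10.3.3.10 mac host 0011.2233.4455
 permit ip host 10.3.3.11 mac host 00aa.bbcc.ddee
"""

# Constructed DAI deny message in the shape the poster quoted ("1 Invalid ARPs (Req) on
# Gi1/0/13, vlan 100 ([mac/ip ...])"); the fields after the sender IP are assumed.
SAMPLE_LOG = ("%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/13, vlan 100."
              "([0011.2233.4455/10.3.3.10/0000.0000.0000/10.3.3.1/12:00:00 UTC Mon Jan 1 2024])")

PERMIT_RE = re.compile(r"^\s*permit ip host (\S+) mac host (\S+)", re.M)
DENY_RE = re.compile(r"(\d+) Invalid ARPs \((\w+)\) on (\S+), vlan (\d+)\.?\s*\(\[([0-9a-fA-F.]+)/([\d.]+)/")

def parse_arp_acl(config):
    """Map sender IP -> permitted sender MAC from the 'permit ip host ... mac host ...' lines."""
    return {ip: mac.lower() for ip, mac in PERMIT_RE.findall(config)}

def dai_permits(bindings, sender_ip, sender_mac):
    """Without DHCP snooping, DAI with an ARP ACL forwards an ARP received on an untrusted
    port only if the sender IP/MAC pair matches a permit entry."""
    return bindings.get(sender_ip) == sender_mac.lower()

def parse_dai_deny(line):
    """Extract interface, VLAN and the denied sender binding from a DAI deny log line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    count, kind, intf, vlan, mac, ip = m.groups()
    return {"count": int(count), "type": kind, "interface": intf,
            "vlan": int(vlan), "sender_mac": mac.lower(), "sender_ip": ip}

def host_can_send_ip(bindings, sender_ip, sender_mac, gateway_ip, arp_cache):
    """Giuseppe's point: a host that still has its gateway in its ARP cache sends no ARP
    request, so DAI sees nothing to drop and IP traffic keeps flowing; only a cache miss
    produces a request that DAI then validates against the ACL."""
    if gateway_ip in arp_cache:
        return True
    return dai_permits(bindings, sender_ip, sender_mac)

if __name__ == "__main__":
    acl = parse_arp_acl(ARP_ACL_CONFIG)
    print(parse_dai_deny(SAMPLE_LOG))
    del acl["10.3.3.10"]  # the poster's "no permit ip host 10.3.3.10 ..."
    print(host_can_send_ip(acl, "10.3.3.10", "0011.2233.4455", "10.3.3.1", {"10.3.3.1"}))  # True
    print(host_can_send_ip(acl, "10.3.3.10", "0011.2233.4455", "10.3.3.1", set()))         # False
```

The last two calls reproduce the thread's observation: with the gateway still cached on the VLAN 100 host, the ping keeps working after the ACL entry is removed; once the cache is cleared, the host's next ARP request is the one DAI denies.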