
DHCP Snooping and Static IP addresses

kellycolina
Level 1

Hi,

I'm testing the DHCP snooping feature and I don't understand why it is blocking my devices with static IPs.

What I understand from the Cisco documentation is that DHCP snooping will inspect ONLY DHCP messages sent from untrusted ports. If it only checks DHCP messages, why is it dropping the packets coming from a static IP device? Being static, it is not sending any DHCP messages.

Or is DHCP snooping using the DHCP messages to create the binding database, and then inspecting all IP packets coming from untrusted ports and comparing them against the binding database?

Could someone make this more clear for me?

Thanks

Kelly

Accepted Solutions

Peter Paluch
Cisco Employee

Hi Kelly,

Do you by chance also run Dynamic ARP Inspection or IP Source Guard? Both these security measures use the database created by DHCP Snooping, and if a station is using a static IP address, there is no record about it in the DHCP Snooping database, causing that station's traffic to be dropped.

The DAI is configured using ip arp inspection commands while IPSG will exhibit itself using ip verify source commands. Check for these in your configuration!

Best regards,

Peter

Yes, I had ip arp inspection enabled. I disabled it and my static IP device is working now.

Thanks!!!

Kelly

Hello Kelly,

I am very happy to be of help!

By the way, there is also an option of manually adding the IP/MAC mappings for the purposes of the Dynamic ARP Inspection, allowing a static IP to be used together with DAI. Check the following document for more information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swdynarp.html#wp1039773

As the DAI is a fine protection technique against ARP Spoofing, it would be sad to leave it deactivated.

Best regards,

Peter

Hi Peter,

I'm now testing the DAI and I don't understand something. Cisco documentation says DAI will drop ARP packets with an invalid IP-to-MAC address binding, and the example they always show is an attack from a host simulating a valid IP with a different MAC.

But when I do my test, the result is that it doesn't care if it's a valid IP with a different MAC; as long as the entry is not in the binding database, it drops the packet. I mean, I'm connecting a device with an IP and MAC that is not in the binding database and I try to ping and it drops the packets. If I do "ip arp inspection trust" on the interface, then I can successfully ping.

So can I conclude that DAI will drop any packet coming from an IP and/or MAC that's not in the DHCP snooping binding table?

Thanks,

Kelly

Hi Kelly,

Your conclusions are right.

As stated below:

"Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses."

You will need to configure ARP ACLs to manually map the IP-MACs for Non-DHCP clients.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swdynarp.html#wp1039773

Hope that you find it useful.

Hi Sony,

Thanks for confirming my conclusions.

Another thing... I'm now testing IP source guard, and from the test I have the feeling it is exactly the same as dynamic ARP inspection.

Cisco docs say:

"You can use IP source guard to prevent traffic attacks if a host tries to use the IP address of its neighbor."

Well, as in my previous test, I'm connecting a device with a different MAC and IP from the ones in the binding table and it drops the packets.

This is my config:

I have ip dhcp snooping and ip arp inspection enabled on my switch.

interface GigabitEthernet1/0/18
 switchport access vlan 350
 switchport mode access
 ip arp inspection trust
 ip verify source

sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:89:D4:6C:81   192.168.79.67    31          dhcp-snooping   350   GigabitEthernet2/0/23
00:00:89:D4:6C:82   192.168.79.68    36          dhcp-snooping   350   GigabitEthernet2/0/24
Total number of bindings: 2

sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/18   ip           active       deny-all                            350
Gi2/0/23   ip           active       192.168.79.67                       350
Gi2/0/24   ip           active       192.168.79.68                       350

I have a traffic generator connected to port g1/0/18. The interface in the generator is not enabled, so the interface is not sending any IP traffic. Why is IP source guard putting my port in deny-all? Shouldn't it wait to receive an IP packet in order to do that?

Or is IP source guard going to set all ports that do not have an entry in the DHCP snooping database to "deny-all"???

Thanks,

Kelly

Hi Kelly,

"So can I conclude that DAI will drop any packet coming from an IP and/or MAC that's not in the DHCP snooping binding table?"

To be precise, DAI will drop any ARP packet whose IP/MAC combination in either the source or the target section does not match the IP/MAC binding in the DHCP Snooping database, or if the IP/MAC cannot be found in the database at all.

"Or is IP source guard going to set all ports that do not have an entry in the DHCP snooping database to "deny-all"???"

It definitely seems so.

Best regards,

Peter
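
Added example, not part of the original thread: one way to keep both DAI and IP Source Guard enabled for a statically addressed host on the port and VLAN from Kelly's configuration, instead of trusting the port. The host address 192.168.79.70, the MAC 0000.89d4.6c90 and the ACL name STATIC-HOSTS are constructed for illustration.

```cisco
! Constructed static host: 192.168.79.70 / 0000.89d4.6c90
! attached to GigabitEthernet1/0/18 in VLAN 350.
!
! DAI: permit the static host's IP/MAC pair with an ARP ACL
! and apply the ACL to the VLAN.
arp access-list STATIC-HOSTS
 permit ip host 192.168.79.70 mac host 0000.89d4.6c90
!
ip arp inspection filter STATIC-HOSTS vlan 350
!
! IPSG: add a static source binding so the port filter lists
! the host's address instead of deny-all.
ip source binding 0000.89d4.6c90 vlan 350 192.168.79.70 interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/18
 switchport access vlan 350
 switchport mode access
 ! "ip arp inspection trust" bypasses DAI on this port; remove it
 ! so ARP from the host is checked against the ARP ACL.
 no ip arp inspection trust
 ip verify source
!
! Verification (exec mode):
!  show arp access-list
!  show ip arp inspection vlan 350
!  show ip source binding
!  show ip verify source
```

With the static binding in place, show ip verify source should list 192.168.79.70 for Gi1/0/18 rather than deny-all.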

Thanks so much for your help both of you!!!

Kelly

Does it make sense to run DHCP Snooping when all of your IP addresses are statically assigned?  I understand that you would have to add those IP addresses so that DAI and IP Source Guard would work.  Just wondering how much this adds to the security protection.  Trying to get my head around this aspect of protection.  Thanks!!

Make a new post and list your Q.

MHM
