Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17382
Views
35
Helpful
8
Replies

DHCP Snooping and Static IP addresses

Go to solution
kellycolina
Level 1
Level 1

‎03-13-2013 02:36 PM - edited ‎03-07-2019 12:13 PM

Hi,

I'm testing the DHCP snooping feature and I don't understand why is blocking my devices with static IP.

What I can understand from cisco documentation is that DHCP snooping will inspection ONLY DHCP messages send from untrusteds ports, if it only check DHCP messages why is dropping the packets comming from an static IP device, being static is not sending any DHCP message.

Or DHCP snooping is using the DHCP messages to create the binding database and then it will inspection all IP packets coming from untrusted ports and compare them against the binding database?

Could someone make this more clear for me?

Thanks

Kelly

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎03-13-2013 02:42 PM

Hi Kelly,

Do you by chance also run Dynamic ARP Inspection or IP Source Guard? Both these security measures use the database created by DHCP Snooping, and if a station is using a static IP address, there is no record about it in the DHCP Snooping database, causing that station's traffic to be dropped.

The DAI is configured using ip arp inspection commands while IPSG will exhibit itself using ip verify source commands. Check for these in your configuration!

Best regards,

Peter

View solution in original post

8 Replies 8

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎03-13-2013 02:42 PM

Hi Kelly,

Do you by chance also run Dynamic ARP Inspection or IP Source Guard? Both these security measures use the database created by DHCP Snooping, and if a station is using a static IP address, there is no record about it in the DHCP Snooping database, causing that station's traffic to be dropped.

The DAI is configured using ip arp inspection commands while IPSG will exhibit itself using ip verify source commands. Check for these in your configuration!

Best regards,

Peter

Go to solution
kellycolina
Level 1
Level 1
In response to Peter Paluch

‎03-13-2013 02:50 PM

Yes I had ip arp inspection enabled , I disable it and my static IP device is working now.

Thanks!!!

Kelly

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to kellycolina

‎03-13-2013 03:02 PM

Hello Kelly,

I am very happy to be of help!

By the way, there is also an option of manually adding the IP/MAC mappings for the purposes of the Dynamic ARP Inspection, allowing a static IP to be used together with DAI. Check the following document for more information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swdynarp.html#wp1039773

As the DAI is a fine protection technique against ARP Spoofing, it would be sad to leave it deactivated

Best regards,

Peter

Go to solution
kellycolina
Level 1
Level 1
In response to Peter Paluch

‎03-14-2013 06:43 AM

Hi Peter,

I'm now testing the DAI and I don't understand something, cisco documentation says DAI will drop ARP packets with invalid IP-to-MAC address binding, and the example they always show is an attack from a host simulating a valid IP with a different MAC

But when I do my test the result is that it doesn't care if it's a valid IP with a different MAC, as long as the entry is not in the binding database it drops the packet. I mean I'm connecting a device with an IP and MAC that is not in the binding database and I try to ping and it drops the packets, if I do "ip arp inspection trust" in the interface then I can succesfully ping.

So can I conclude thet DAI will drop any packet coming from an IP and/or MAC that's not in the DHCP snooping binding table?

Thanks,

Kelly

0 Helpful

Go to solution
sgouldbo
Level 1
Level 1
In response to kellycolina

‎03-14-2013 08:06 AM

Hi Kelly,

Your conclusions are right.

As stated below:

"Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses."

You will need to configure ARP ACLs to manually map the IP-MACs for Non-DHCP clients.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swdynarp.html#wp1039773

Hope that you find it useful.

Go to solution
kellycolina
Level 1
Level 1
In response to sgouldbo

‎03-14-2013 08:43 AM

Hi Sony,

Thanks for confirming my conclusions.

Anotehr thing... I'm testing now IP source guard, and from the test I have the feeling is exactly the same as dynamic arp inspection.

Cisco docs says:

"You can use IP source guard to prevent traffic attacks if a host tries to use the IP address of its neighbor."

Well as my previous test I'm connecting a device with a different MAC and IP from the ones in the binding table and it drops the packets.

This is my config:

I have ip dhcp snooping and ip arp inspection enable on my switch.


interface GigabitEthernet1/0/18

switchport access vlan 350

switchport mode access

ip arp inspection trust

ip verify source

sh ip dhcp snooping binding

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  --------------------

00:00:89:D4:6C:81   192.168.79.67    31          dhcp-snooping   350   GigabitEthernet2/0/23

00:00:89:D4:6C:82   192.168.79.68    36          dhcp-snooping   350   GigabitEthernet2/0/24

Total number of bindings: 2

sh ip verify source

Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan

---------  -----------  -----------  ---------------  -----------------  ----

Gi1/0/18   ip           active       deny-all                            350

Gi2/0/23   ip           active       192.168.79.67                       350

Gi2/0/24   ip           active       192.168.79.68                       350

I have a traffic generator connected to the port g1/0/18, the interface in the generator is not enable, so the interface is not sending any IP traffic why the ip source guard is putting my port in deny-all? it shouldn't wait to receive an IP packet in order to do that?

Or IP source guard is going to set all ports that does not have an entry on the DHCP snooping database to "deny-all"???

Thanks,

Kelly

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to kellycolina

‎03-14-2013 08:58 AM

Hi Kelly,

So can I conclude thet DAI will drop any packet coming from an IP and/or MAC that's not in the DHCP snooping binding table?

To be precise, DAI will drop any ARP packet whose IP/MAC combination in either the source or the target section does not match the IP/MAC binding in the DHCP Snooping database, or if the IP/MAC can not be found in the database at all.

Or IP source guard is going to set all ports that does not have an entry on the DHCP snooping database to "deny-all"???

It definitely seems so

Best regards,

Peter

Go to solution
kellycolina
Level 1
Level 1
In response to Peter Paluch

‎03-14-2013 09:54 AM

Thanks so much for your help both of you!!!

Kelly

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card