Dynamic Arp Inspection and IP Source Guard on AP Trunk

Daniel Mckibbin
Level 1

Hi, I have set up DAI and IP Source Guard in the following manner. I have provided the output of my show int description for assistance:

Vl1                            admin down     down
Vl100                          up             up       Management VLAN
Vl200                          up             up       Wireless
Vl300                          up             up       Wired
Vl400                          up             up       Servers
Fa0/1                          up             up       Trunk to Internet_Router
Fa0/2                          up             up       Trunk to AP
Fa0/3                          down           down     Wired Users
Fa0/4                          down           down     Wired Users
Fa0/5                          down           down     Wired Users
Fa0/6                          down           down     Wired Users
Fa0/7                          down           down     Wired Users
Fa0/8                          admin down     down     Unused
Fa0/9                          admin down     down     Unused
Fa0/10                         admin down     down     Unused
Fa0/11                         admin down     down     Unused
Fa0/12                         admin down     down     Unused
Fa0/13                         admin down     down     Unused
Fa0/14                         admin down     down     Unused
Fa0/15                         up             up       Radius,SNMP,SYSLOG,TFTP

ARP Inspection:

Configuration:

ip arp inspection vlan 100,200,300,400
ip arp inspection validate src-mac dst-mac ip
ip arp inspection filter Static_IP's vlan 100,200,300,400


ARP access list Static_IP's
    permit ip host 172.16.1.66 mac host 0014.22f0.513f
    permit ip any mac host 0013.80e2.a980

"The first statement is to permit my server to reply to arp packets since it's statically configured. The second permit statement I added, but I'm not sure if it's necessary or not. I noticed that all of my SVI's have the same MAC address so I added this statement so they can reply to arp requests. Is this necessary?"


interface FastEthernet0/2
description Trunk to AP
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200,300,400
switchport mode trunk
ip arp inspection trust
spanning-tree portfast trunk


interface FastEthernet0/15
description Radius,SNMP,SYSLOG,TFTP
switchport access vlan 400
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0014.22f0.513f
spanning-tree portfast

With the above configuration, static and wired users have absolutely no issues, but I can only get ARP Inspection on my AP trunk if I label it as trusted. I tried adding static entries for the interfaces assigned to the AP and having the wireless users get matched through the DHCP snooping database, which is working, but with this configuration wireless users are denied internet access. Is it possible to set up ARP Inspection on an Autonomous AP, and if so how would I do it?


LAN_SWITCH#Show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
4C:0F:6E:8F:A3:11   172.16.1.6       77633       dhcp-snooping   200   FastEthernet0/2
00:1D:FE:C5:00:89   172.16.1.7       69307       dhcp-snooping   200   FastEthernet0/2

IP Source Guard

I have a similar question for IP Source Guard. Here is my current config:

ip source binding 0014.22F0.513F vlan 400 172.16.1.66 interface Fa0/15

!
interface FastEthernet0/3
description Wired Users
switchport access vlan 300
switchport mode access
switchport port-security
switchport port-security violation restrict
spanning-tree portfast
ip verify source port-security
!
interface FastEthernet0/4
description Wired Users
switchport access vlan 300
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security violation restrict
ip verify source port-security
!
interface FastEthernet0/5
description Wired Users
switchport access vlan 300
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security violation restrict
ip verify source port-security
!
interface FastEthernet0/6
description Wired Users
switchport access vlan 300
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security violation restrict
ip verify source port-security
!
interface FastEthernet0/7
description Wired Users
switchport access vlan 300
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security violation restrict
ip verify source port-security

Do I need to have separate source bindings for the addresses assigned to the AP? Is it possible to implement it on the AP trunk, and if so how?

Thanks,

Daniel M.
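Added example, not from the post: a Python model of the order in which DAI checks one ARP packet on an untrusted port, using the ARP ACL, trusted port and DHCP snooping bindings shown above. The exact ordering of the validate checks relative to the ACL lookup, and Fa0/3 standing in for a second AP port, are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpPacket:
    ingress: str      # switch port the ARP packet arrived on
    vlan: int
    eth_src: str      # Ethernet source MAC
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address

# Values taken from the post above.
DAI_VLANS = {100, 200, 300, 400}
TRUSTED_PORTS = {"Fa0/2"}                       # 'ip arp inspection trust'
# ARP access list Static_IP's: (sender ip or None for 'any', sender mac)
ARP_ACL = [("172.16.1.66", "0014.22f0.513f"), (None, "0013.80e2.a980")]
# show ip dhcp snooping binding: (mac, ip, vlan, interface)
BINDINGS = [("4C:0F:6E:8F:A3:11", "172.16.1.6", 200, "Fa0/2"),
            ("00:1D:FE:C5:00:89", "172.16.1.7", 200, "Fa0/2")]

def norm(mac: str) -> str:
    """Normalise 'AA:BB:...' and 'aabb.ccdd.eeff' to one form."""
    h = mac.lower().replace(":", "").replace(".", "")
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

def dai_verdict(pkt: ArpPacket, trusted=TRUSTED_PORTS, acl_static=False) -> str:
    """Return 'forward' or 'drop:<reason>' for one ARP packet.
    Simplified model: only sender-side fields are represented, so the
    'dst-mac' check (ARP replies only) is omitted; check order is assumed."""
    if pkt.vlan not in DAI_VLANS or pkt.ingress in trusted:
        return "forward"                       # not inspected on this VLAN/port
    # 'validate src-mac': Ethernet source must equal the ARP sender MAC
    if norm(pkt.eth_src) != norm(pkt.sender_mac):
        return "drop:src-mac"
    # 'validate ip': reject invalid or unexpected sender addresses
    if pkt.sender_ip in ("0.0.0.0", "255.255.255.255") or int(pkt.sender_ip.split(".")[0]) >= 224:
        return "drop:invalid-ip"
    # The ARP ACL is consulted before the DHCP snooping binding table
    for ip, mac in ARP_ACL:
        if norm(mac) == norm(pkt.sender_mac) and ip in (None, pkt.sender_ip):
            return "forward"
    if acl_static:                             # 'filter ... static': no fallback
        return "drop:acl-implicit-deny"
    key = (norm(pkt.sender_mac), pkt.sender_ip, pkt.vlan, pkt.ingress)
    if any((norm(m), i, v, p) == key for m, i, v, p in BINDINGS):
        return "forward"
    return "drop:no-binding"                   # client has no binding on this port
```

Calling dai_verdict with trusted=set() shows what Fa0/2 would do once it is untrusted: the two bound wireless clients are forwarded, and a client whose binding sits on a different port is dropped with no-binding.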

1 Reply

mclean.danny
Level 1

Hi Daniel,


Did you ever get this resolved? I am having a similar issue. Your post is the only thing that came up on Google. I can get an IP address and wireless is fine when I initially connect. When I move between APs it fails.

Thanks for any help you can provide.


Danny
