Dynamic arp inspection and static ip address.

sarahr202
Level 5

Hi everybody

h1--------f1/1SW----rest of network

h1 is statically configured with 199.199.199.1/24. We want to use Dynamic ARP inspection on sw to guard against forged ARP replies.

My book says for statically configured hosts such as h1, we can use an ARP access list. For example:

arp access-list ruby
 permit ip host 199.199.199.1 mac host aaaa.bbbb.cccc
!
ip arp inspection filter ruby vlan 1

========================================================================

The only reason we had to use the above method is that there was no DHCP binding for the statically configured h1.

What if we can create static dhcp binding as:

switch# ip dhcp snooping binding aaaa.bbbb.cccc vlan 1 199.199.199.1 interface f1/1 expiry 10000

Next we configure DHCP snooping as shown below:

Switch(config)# ip dhcp snooping

switch(config)# ip dhcp snooping vlan 1

Will it work? Can we do that rather than using the first method (i.e. using ARP access list ruby)?

thanks and have a great day.

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Sarah,

In theory the second method should work; the key point is that DHCP snooping has to be enabled, otherwise the manual entry is not used by DAI.

I have never tested this. To be noted that the DHCP binding also involves the specific port to which the host is connected, making it less practical. If LAN cables are later swapped, the ARP ACL can still work if both ports are in VLAN 1, but the DHCP binding entry would not work anymore if the host is now connected to a different switch port.

This might be the reason why in documentation this approach is not explicitly mentioned.

To be noted that if the ARP ACL is not invoked using the static keyword, DAI can try to match the pair IP source address / source MAC address with the DHCP database after having processed the ARP ACL.

>> If you do not specify this keyword, it means that there is no explicit deny in the ACL that denies the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/configuration/guide/swdynarp.html#wp1039773

So the two methods may even coexist, with some entries specified in the ARP ACL and other ones in the DHCP snooping table as DHCP manual bindings.

Hope to help

Giuseppe
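To make the decision rule Giuseppe describes concrete, here is a small Python model of how DAI would treat one ARP packet under the two methods. This is an added example, not Cisco code and not anything posted in this thread. The ACL-first order and the meaning of the `static` keyword follow the documentation quoted above; the rule that a manual DHCP snooping binding is honoured only when the packet arrives on the interface named in the binding is this model's assumption, taken from Giuseppe's cable-swap remark and not verified on hardware. The second host h2, the interface names, the forged MAC and the function names (`dai_decision`, `run_scenarios`) are all constructed for the example.

```python
"""Toy model of the DAI permit/deny decision for one ARP packet.

Constructed example, not Cisco code. It models the ACL-then-bindings
order from the quoted documentation and the port sensitivity of a manual
DHCP snooping binding as described in the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str   # dotted IOS form, e.g. aaaa.bbbb.cccc
    vlan: int
    port: str         # ingress interface


@dataclass(frozen=True)
class AclClause:
    action: str       # "permit" or "deny"
    ip: str
    mac: str


@dataclass(frozen=True)
class Binding:
    """One 'ip dhcp snooping binding <mac> vlan <v> <ip> interface <port>' entry."""
    mac: str
    vlan: int
    ip: str
    port: str


def dai_decision(pkt: ArpPacket, acl: List[AclClause], acl_static: bool,
                 bindings: List[Binding], snooping_enabled: bool) -> Tuple[str, str]:
    """Return (verdict, reason) for the sender IP/MAC pair carried in an ARP packet."""
    # 1. The ARP ACL is consulted first; the first matching clause wins.
    for clause in acl:
        if clause.ip == pkt.sender_ip and clause.mac == pkt.sender_mac:
            return clause.action, "matched ARP ACL clause"
    # 2. With the 'static' keyword an ACL miss is an implicit deny and the
    #    binding table is never consulted.
    if acl_static:
        return "deny", "no ACL match; ACL applied with 'static'"
    # 3. Without 'static' the DHCP snooping bindings decide. Giuseppe's
    #    point: if snooping is off, manual bindings are not used by DAI.
    if not snooping_enabled:
        return "deny", "no ACL match; DHCP snooping disabled"
    for b in bindings:
        if (b.mac, b.vlan, b.ip) == (pkt.sender_mac, pkt.vlan, pkt.sender_ip):
            # Assumption of this model: the binding is honoured only on the
            # interface it names, so a cable swap breaks it (an ACL has no port).
            if b.port == pkt.port:
                return "permit", "matched DHCP snooping binding"
            return "deny", f"binding exists for {b.port}, packet came in on {pkt.port}"
    return "deny", "no ACL match and no binding"


# Constructed topology from the thread: h1 on Fa1/1, plus a second static
# host h2 (invented here) on Fa1/2 to show the two methods coexisting.
H1_IP, H1_MAC = "199.199.199.1", "aaaa.bbbb.cccc"
H2_IP, H2_MAC = "199.199.199.2", "aaaa.bbbb.dddd"
ACL_RUBY = [AclClause("permit", H1_IP, H1_MAC)]
BINDINGS = [Binding(H1_MAC, 1, H1_IP, "Fa1/1"), Binding(H2_MAC, 1, H2_IP, "Fa1/2")]


def run_scenarios() -> Dict[str, str]:
    """Verdicts for the cases discussed in the thread."""
    h1_fa11 = ArpPacket(H1_IP, H1_MAC, 1, "Fa1/1")
    h1_fa13 = ArpPacket(H1_IP, H1_MAC, 1, "Fa1/3")           # h1 after a cable swap
    h2_fa12 = ArpPacket(H2_IP, H2_MAC, 1, "Fa1/2")
    forged = ArpPacket(H1_IP, "dead.beef.0001", 1, "Fa1/3")  # another MAC claiming h1's IP
    return {
        "h1 acl only": dai_decision(h1_fa11, ACL_RUBY, False, [], True)[0],
        "h1 acl only, cable swapped": dai_decision(h1_fa13, ACL_RUBY, False, [], True)[0],
        "h1 binding only": dai_decision(h1_fa11, [], False, BINDINGS, True)[0],
        "h1 binding only, cable swapped": dai_decision(h1_fa13, [], False, BINDINGS, True)[0],
        "h1 binding, snooping off": dai_decision(h1_fa11, [], False, BINDINGS, False)[0],
        "h2 binding behind non-static acl": dai_decision(h2_fa12, ACL_RUBY, False, BINDINGS, True)[0],
        "h2 binding behind static acl": dai_decision(h2_fa12, ACL_RUBY, True, BINDINGS, True)[0],
        "forged reply for h1": dai_decision(forged, ACL_RUBY, False, BINDINGS, True)[0],
    }


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:36s} {verdict}")
```

The scenario table is the useful part: the ACL-only entry for h1 survives the cable swap while the binding-only entry does not, a binding is worthless while DHCP snooping is off, h2 is accepted through its binding only when the ACL is applied without `static`, and a forged reply claiming h1's address is dropped by either method because the MAC does not match.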


asdvads vwe
Level 1

You certainly need this: "ip source binding aaaa.bbbb.cccc vlan 1 192.168.1.100 int f0/10"

So if you don't use DHCP and bla bla bla, bind your host IP and MAC address to the DHCP snooping database manually, so it will know to allow the specific address to ask for an ARP or any other stuff.

Kind regards, 

Stefan
