Dynamic arp Inspection Behaviour

mahesh18
Level 6

Hi Everyone,

I need to confirm the behaviour of Dynamic ARP Inspection described below.

A and B are Layer 3 switches running HSRP.

Switch A VLAN 10 IP: 192.168.10.1

Switch B VLAN 10 IP: 192.168.10.2

HSRP active (Switch A) VLAN 10 IP: 192.168.10.3

Switch C VLAN 10 IP: 192.168.10.5

Switches A, B and C all have DHCP snooping configured for VLAN 10.

The trunk ports between A and B and between A and C are configured as DHCP snooping trusted.

DHCP is configured on the Layer 3 switch A.

Switch C is Layer 2 and has a trunk connection to Switch A only.

Now I enabled Dynamic ARP Inspection only on Switch A for VLAN 10.

No port is trusted for Dynamic ARP Inspection on any of the 3 switches.

Ping results from Switch C to the VLAN 10 SVI IP addresses:

SwitchC#ping 192.168.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

SwitchC#ping 192.168.10.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

SwitchC#ping 192.168.10.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Now I need to understand: how are the first 2 pings successful?

So when ping traffic comes from Switch C to Switch A on a trunk port that has no Dynamic ARP Inspection trust enabled, shouldn't that traffic be dropped?

As DAI checks only traffic entering the switch, right?

Second, I need to understand why the ping from Switch C to IP 192.168.10.2 failed.

Does the ping traffic stop at Switch A only and never reach Switch B?

Here are the logs from Switch A:

Jan 25 22:32:36.760 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/24, vlan 10.([000b.bece.bbc0/192.168.10.5/0000.0000.0000/192.168.10.2/22:32:36 MST Fri Jan 25 2013])

Jan 25 22:32:38.760 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/24, vlan 10.([000b.bece.bbc0/192.168.10.5/0000.0000.0000/192.168.10.2/22:32:38 MST Fri Jan 25 2013])

Thanks

Mahesh


4 Replies

Hello,

Please see below,

Now I need to understand how the first 2 pings are successful?

So when ping traffic comes from Switch C to Switch A on a trunk port that has no Dynamic ARP Inspection trust enabled, shouldn't that traffic be dropped? - DAI is not in effect on Switch B or C, so I guess Switch A's DAI ignores these trunk interfaces, and the reason the first two pings were successful was because Switch A and Switch C are directly connected with cached bindings.

As DAI checks only traffic entering the switch, right? Wrong - it checks the DHCP snooping database, and if no valid IP-MAC entries exist for a particular host it will be dropped (however, the snooping DB can be bypassed if you statically assign DAI via the vlan static or vlan-filter list commands).

Second, I need to understand why the ping from Switch C to IP 192.168.10.2 failed? - As stated, DAI is enabled on Switch A and it won't have any IP-MAC entries from a host on SWC to a host on SWB.

Does the ping traffic stop at Switch A only and never reach Switch B? Again, Switch A is subject to DAI, and if an ARP entry is invalid relative to the snooping DB it will be dropped.

In this scenario I would enable DAI on all 3 switches and trust the uplinks.

Note:

I am sure other posters will comment if I have misguided you in my understanding of this subject.

Regards

Paul

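The configuration Paul recommends (DAI on all three switches with the inter-switch trunks trusted), written out as an added example; it is not configuration posted in the thread. It assumes Catalyst IOS syntax, that Fa0/24 on Switch A is the trunk to Switch C (the port named in the deny log above), and that Gi0/1 is the trunk to Switch B (a hypothetical port name, as the thread never names it). The MAC 000b.bece.bbc0 for Switch C's SVI is taken from the sender field of the log line. The ARP ACL at the end shows the static-binding alternative Paul mentions, which is what you need for hosts that never get a DHCP snooping entry, such as the switches' own SVIs, when you do not want to trust the trunk.

```cisco
! Switch A (HSRP active, DHCP server). Added example, not from the thread.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
! Also check the Ethernet header against the ARP payload, not only the binding table.
ip arp inspection validate src-mac dst-mac ip
!
! Trunk to Switch C. Fa0/24 is the port named in the deny log.
! ARP arriving here comes from a switch we control, so inspection is skipped on it.
interface FastEthernet0/24
 description Trunk to Switch C
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Trunk to Switch B. The port name is a hypothetical choice for this example.
interface GigabitEthernet0/1
 description Trunk to Switch B
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports (hypothetical range) stay untrusted. Rate-limit them so an ARP
! flood err-disables the offending port rather than hitting the CPU; 15 pps is
! the IOS default for untrusted ports and is shown here only to make it explicit.
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
!
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Alternative to trusting the trunk: a static IP-to-MAC entry for Switch C's SVI,
! which never appears in the snooping binding table because it is not a DHCP client.
! The MAC is the sender MAC from the deny log above.
arp access-list INFRA-STATIC
 permit ip host 192.168.10.5 mac host 000b.bece.bbc0
! Without the trailing "static" keyword, addresses the ACL does not list still fall
! back to the DHCP snooping database; with "static" the ACL is authoritative and
! every unlisted host is denied, so only use it if the ACL lists everything.
ip arp inspection filter INFRA-STATIC vlan 10
!
! Switches B and C get the same global commands, with their trunk toward A trusted.
! Verification after applying:
!   show ip arp inspection vlan 10
!   show ip arp inspection interfaces
!   show ip arp inspection statistics vlan 10
!   show ip dhcp snooping binding
```

With the trunks trusted, ARP from the other switches' SVIs and from the HSRP virtual address is forwarded without a lookup, and DAI only has to validate ARP from the untrusted access ports, which is where a spoofing host would sit. Keep the rate limit on those ports: the first thing a DAI-enabled switch does under an ARP flood is err-disable the port, and the recovery timer is what brings it back without operator intervention.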

Hi Paul,

After clearing the ARP cache on Switch C I am unable to ping any IP. It seems the reason for that is that Switch C has a VLAN 10 SVI and

its gateway was 192.168.10.3 on VLAN 10. So, as on Switch A there is no IP-to-MAC mapping, all pings are dropped.

The same thing happens when I ping IP 192.168.10.3 from Switch B.

Also, from Switch A I cannot ping Switch C's IP 192.168.10.5.

Same reason for this also, as there is no IP-to-MAC mapping and the uplink ports are not DAI trusted.

If someone can confirm my thoughts that will be great.

Thanks

Mahesh

Hello,

You have just answered your own question Mahesh: all will be dropped between the switches if the links are untrusted.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html

Regards

Paul


Hi Paul,

Thanks again for confirming my thoughts.

Best regards

Mahesh