cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
678
Views
10
Helpful
6
Replies
Enthusiast

Dynamic ARP Inspection - does it check port in the binding database?

Hi all,

It is mentioned that DAI check for correct IP/MAC combination using the DHCP binding database.
It is also mentioned that DAI is turn on for an entire vlan and not as per port basis.

 

q1) if PCA (macA,ipA) was originally connected to port1 ( binding - macA,ipA,port1 ) and PCA was relocated to port2 with its original macA,ipA. 

Will DAI take port into consideration when checking the binding in the database ?  Will DAI block PCA now, since it is on port2 - but PCA (macA, ipA still remain the same)

 

q2) whats the point of having DAI when we can enable IP Source with port security ?

 

Regards,

Noob

6 REPLIES
Beginner

Re: Dynamic ARP Inspection - does it check port in the binding database?

SJ,

 

DAI allows or disallows ARP packets based on the IP-to-MAC binding in the trusted database, which is built via DHCP snooping, or an ACL. As the name implies, DAI is only concerned with ARP traffic. DAI will therefore not usually block a port - only ARP packets received on that port. The port may be placed into the error-disabled state only if the ARP rate limit is exceeded.

 

To expand on your scenario a bit, when a workstation configured for DHCP is moved from one port to another it needs to be disconnected. After it is reconnected, the workstation will verify that it's DHCP address is still valid. This new DHCP assignment (or re-assignment) will be snooped by the switch and the IP-to-MAC binding will be entered into the trusted database. DAI will then allow valid ARP packets based on the new information. If the workstation is configured with a static IP Address, then DAI will have needed an ACL to work in the first place and this ACL will not have changed as neither the IP or MAC addresses changed.

 

DAI, IP Source Guard, and port-security are three different tools used to enforce security. DAI validates IP-to-MAC binding, IP Source Guard validates IP-to-switchport binding, and port-security validates MAC-to-switchport binding. They are all different and it is up to your oganization to determine the acceptable level or risk and administrative overhead.

Enthusiast

Re: Dynamic ARP Inspection - does it check port in the binding database?

Hi Thepaan01,

Thanks for your precise explaination.

 

I made an experiment earlier with arp inspection on + pc with static ip.  The PC cannot send traffic as it did not have a binding in the dhcp binding database.

 

Then i added a static binding for the PC using

ip source binding

and the traffic went through. 

q1) Does DAI check ip source binding table or  dhcp snooping binding table ?  Is there any difference between the 2 ?

 

q2) If adding static entry into ip source binding table works for DAI, why would be the benefit to use an ACL instead ?

=======================

 

For IP source guard with "port-security" ,  i read that option82 needs to be turn on. Why is that so ? I read but i could not understand the port whereby the switch need to get back to the Host.

 

q3) Would't the switch already have the Host Mac address when the Host 1st make its DHCP request ?

 

 

Really look forward to see your advice.

 

Thank you!

Beginner

Re: Dynamic ARP Inspection - does it check port in the binding database?

SJ,

 

The trusted database built from DHCP snooping is the same entity used by both DAI and IP Source Guard.

 

As you demonstrated in your scenario, 'ip source binding [MAC] vlan [VLAN] [IP] int [interface]' creates a static binding in the trusted database. The database can be used by either DAI or Source Guard.

  -  Source Guard dynamically creates a PACL from the trusted database and applies it to the interface. You can manually crate a PACL and apply it to the interface instead.

  -  DAI permits or blocks ARP traffic internally on the switch because ARP traffic cannot be blocked by a PACL. Using an ARP ACL in this case is just an alternative to a static trusted database entry. One reason I can think of why it may be better to use an ARP ACL is compartmentalization. By separating static and dynamic entries, you reduce the chances that changes to one will impact the other.

 

When Source Guard is enabled, the switch does not learn the MAC address of the connected device until a DHCP address is assigned. DHCP option 82 is used by the switch to store port information so that it knows where to send the DHCP offer and acknowledgement.

Enthusiast

Re: Dynamic ARP Inspection - does it check port in the binding database?

Hi thepaan01,


Glad to see your around and thank you for your reply.

When Source Guard is enabled, the switch does not learn the MAC address of the connected device until a DHCP address is assigned. DHCP option 82 is used by the switch to store port information so that it knows where to send the DHCP offer and acknowledgement

 

Can i check if just "port-security with dynamic learning" alone  is turn on,  is the Host's mac address inserted into the CAM table upon the 1st DHCP request ?

  

Why does the behaviour change (need to wait until a DHCP lease is accquire) when IP source guard + port security is turn on ?  Would there be any difference ?

 

Regards,

Noob

Beginner

Re: Dynamic ARP Inspection - does it check port in the binding database?

SJ,


We're getting quite deep into the nitty-gritty here. :)
With IP Source Guard enabled, all IP traffic is initially blocked except for DHCP traffic. The mechanism by which this blocking occurs is by changing the behavior of MAC learning. If the switch were to learn the MAC address before a DHCP address was assigned (or a static binding was entered in the trusted database), then an attacker could simply statically assign their rogue host an IP and begin communicating on the local segment. The blocking is removed when the PACL is dynamically created and applied to the interface - when the trusted database is updated with either a static binding or one learned via DHCP snooping.

 

If you want to check it, I think the following procedure would work.
First, enable logging and create an access list to match DHCP packets.

Swx1#conf t
Swx1(config)#service timestamps debug
Swx1(config)#service timestamps log
Swx1(config)#logging mon 7
Swx1(config)#logging con 7
Swx1(config)#ip access-list standard 100
Swx1(config-std-nacl)#10 permit ip host 0.0.0.0 host 255.255.255.255
Swx1(config-std-nacl)#end
Swx1#wr

Then, request the monitor and enable relevant debugging.

Swx1#term mon
Swx1#debug ip packet detail 100
Swx1#debug matm add

Finally, connect your host and observe the messages.

 

VIP Advisor

Re: Dynamic ARP Inspection - does it check port in the binding database?

Hello

 

q1) if PCA (macA,ipA) was originally connected to port1 ( binding - macA,ipA,port1 ) and PCA was relocated to port2 with its original macA,ipA. 

Will DAI take port into consideration when checking the binding in the database ?  Will DAI block PCA now, since it is on port2 - but PCA (macA, ipA still remain the same) -  YES it will get blocked unless the Snooping D/B is changed due to the relocation - or you apply a static DAI  filter as this is checked before the switch checks the Snooping D/B

q2) whats the point of having DAI when we can enable IP Source with port security ?
DAI is a layer 2 feature IPSG is L3

res
Paul





kind regards
Paul

Please don't forget to rate any posts that have been helpful.
CreatePlease to create content
Ask the Expert- Firepower configuration & troubleshooting