Dynamic ARP Inspection + IP Source Guard (bypass DHCP Snooping table ?)

SJ K
Level 5

Hi all,

Consider the following scenario:

- I have 2 switches, A and B. IP DHCP snooping is turned on only on SwitchA.

- PC-A is originally connected to SwitchA and retrieves a DHCP-assigned address from the uplink of Switch A (say Router A).

- The DHCP binding table is populated with PC-A's binding.

......... Some time later ........

- The user moves PC-A and plugs it into Switch B, which has no IP DHCP binding database.

q1) Does that mean PC-A can still communicate freely with any host on SwitchB, but will fail to communicate with hosts connected on Switch A?

q2) If I connect Switch-B to Switch-A (via LACP, Po1) and turn on IP DHCP snooping on Switch-B, is the DHCP snooping database from Switch-A able to be shared/transferred to Switch-B (maybe all the bindings from A will have their port changed to Po1 in Switch-B)?

-- just wondering.

Regards,
Noob


Hi,

q1) Does that mean PC-A can still communicate freely with any host on SwitchB, but will fail to communicate with hosts connected on Switch A?

No. First of all, PC-A will communicate with any host, whether on Switch B or A, if it gets an IP address from Router A. If it gets the IP address from DHCP or has a static IP configured, it will communicate with any host on both switches if they are on the same broadcast domain.

If you have different VLANs on those switches, things change and PC-A will communicate only with those PCs on the same VLAN, unless they have a layer 3 router as gateway doing inter-VLAN routing.

q2) If I connect Switch-B to Switch-A (via LACP, Po1) and turn on IP DHCP snooping on Switch-B, is the DHCP snooping database from Switch-A able to be shared/transferred to Switch-B (maybe all the bindings from A will have their port changed to Po1 in Switch-B)?

By connecting both switches, enabling DHCP snooping also on Switch B and defining Po1 as a trusted port, Switch B will create its own binding database. Only DHCP offers coming from Po1 will be accepted, the same way Switch A will accept DHCP offers from the router interface.

DHCP snooping works per VLAN and you can have different VLANs on both switches.

 


No. First of all, PC-A will communicate with any host, whether on Switch B or A, if it gets an IP address from Router A. If it gets the IP address from DHCP or has a static IP configured, it will communicate with any host on both switches if they are on the same broadcast domain.

Router A was connected only to Switch A.
PC-A was plugged originally into Switch A. The DHCP binding was recorded only at SwitchA and no trust is configured between SwitchA and B. If PC-A is moved to SwitchB and tries to communicate with another host connected to SwitchA, it will fail the IP Source Guard check in SwitchA, isn't it?
How could it possibly talk to any host on SwitchA?

As I said, considering PC-A has an IP address, the communication will take place normally. When you ping PC-B from PC-A, the first thing it will do is send an ARP request with FF:FF:FF:FF:FF:FF as the destination address. The source address will be its own MAC address. Switch B will flood it on all its ports in the same VLAN, and this includes the port connected to Switch A.

Switch A will receive the broadcast request and do the same on its own ports until the broadcast hits PC-B. PC-B will respond with its own MAC address as source and PC-A's MAC address as the destination.

Then, the ping packet will be sent from A to B.

DHCP snooping and IP Source Guard are related to DHCP traffic. Once PC-A already has an IP address, this mechanism does not play a role any more.

I thought IP Source Guard would check the DHCP binding database to see if PC-A's IP is coming from the right interface as listed in the binding database?

If PC-A was connected to Switch A port0 and the binding database is recorded as such, moving PC-A to SwitchB and trying to let PC-A communicate with a host on SwitchA will fail, isn't it?

There is no such trust set up between Switch-A and B. When PC-A on SwitchB traverses through the port-channel to SwitchA, SwitchA's IP Source Guard, checking its binding database, sees that PC-A is coming from a place other than port0 (as listed in its binding) and will drop the frame, isn't it?

It seems like you are saying once PC-A has an IP, IP Source Guard no longer plays a part.

 

I think I got your point.

If you put PC-A on Switch B with a static IP address, it won't work; you are right.

But if PC-A is connected to Switch-B and renews its IP address using DHCP, the DHCP binding database must be released, and so must the IP Source Guard database.

The free port on Switch-A, where PC-A was connected, must not be considered anymore in the database; after all, there will be no MAC address there anymore.

At the same time, when the DHCP request from PC-A, now on Switch-B, comes from Po1 between Switch-A and B, it should inform Switch-A that PC-A is now connected to another switch if Po1 has ip dhcp snooping trust on it.
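To make the two cases in this exchange concrete (a moved host that keeps a static address versus one that renews through a trusted Po1, and the earlier point that Switch B only accepts DHCP server messages via Po1), here is an added Python model of the DHCP snooping binding table and the IP Source Guard check. It is an illustration written for this thread, not Cisco code and not either poster's configuration; it reduces IOS to the three rules in its docstring, and the port names, MAC and IP address are constructed sample values. The IOS commands named in the comments (`ip dhcp snooping trust`, `ip verify source`) are the real ones that the modelled roles correspond to.

```python
"""Toy model of DHCP snooping bindings and IP Source Guard (IPSG) for the
two-switch scenario in this thread. Added illustration, not Cisco code.
It simplifies IOS to three rules:
 (1) a binding is learned when a DHCPACK arrives on a trusted port for a
     client whose request was seen on an untrusted port of the same switch
     ('ip dhcp snooping trust' marks the trusted ports);
 (2) DHCP server messages arriving on untrusted ports are dropped;
 (3) IPSG ('ip verify source') is an ingress filter only on the ports where
     it is enabled and consults only that switch's own binding table.
Port names, MAC and IP addresses below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    vlan: int
    mac: str
    ip: str
    port: str


@dataclass
class Switch:
    name: str
    snooping_vlans: set
    trusted_ports: set            # interfaces with 'ip dhcp snooping trust'
    ipsg_ports: set               # access ports with 'ip verify source'
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> Binding
    _pending: dict = field(default_factory=dict)   # (vlan, mac) -> client port

    def dhcp_request(self, vlan, mac, port):
        """Client DISCOVER/REQUEST entering on `port`."""
        if vlan in self.snooping_vlans and port not in self.trusted_ports:
            # Remember which untrusted port the client sits on; the ACK that
            # later arrives on a trusted port completes the binding.
            self._pending[(vlan, mac)] = port
        return "forwarded"

    def dhcp_ack(self, vlan, mac, ip, port):
        """Server DHCPACK entering on `port`."""
        if vlan not in self.snooping_vlans:
            return "forwarded"
        if port not in self.trusted_ports:
            return "dropped: server message on untrusted port"
        client_port = self._pending.pop((vlan, mac), None)
        if client_port is not None:
            self.bindings[(vlan, mac)] = Binding(vlan, mac, ip, client_port)
        return "forwarded"

    def ingress_ip(self, vlan, ip, port):
        """Ordinary IP traffic from a host; IPSG checks only enabled ports."""
        if port not in self.ipsg_ports:
            return "permit"
        ok = any(b.port == port and b.vlan == vlan and b.ip == ip
                 for b in self.bindings.values())
        return "permit" if ok else "drop"


def scenario():
    """Walk the thread's scenario and return the verdict at each step."""
    pc_a, ip_a, vlan = "00:11:22:33:44:55", "10.0.10.50", 10   # constructed
    sw_a = Switch("SwitchA", {vlan}, trusted_ports={"Gi0/24", "Po1"}, ipsg_ports={"Gi0/1"})
    sw_b = Switch("SwitchB", {vlan}, trusted_ports={"Po1"}, ipsg_ports={"Gi0/5"})
    out = {}

    # 1. PC-A leases on SwitchA Gi0/1; Router A (DHCP server) is behind Gi0/24.
    sw_a.dhcp_request(vlan, pc_a, "Gi0/1")
    sw_a.dhcp_ack(vlan, pc_a, ip_a, "Gi0/24")
    out["binding_port_on_A"] = sw_a.bindings[(vlan, pc_a)].port
    out["pc_a_on_A"] = sw_a.ingress_ip(vlan, ip_a, "Gi0/1")

    # 2. PC-A moves to SwitchB Gi0/5 and keeps the address statically:
    #    SwitchB has no binding for it, so IPSG drops at the access port.
    out["static_on_B"] = sw_b.ingress_ip(vlan, ip_a, "Gi0/5")

    # 3. A frame from PC-A reaching SwitchA over Po1 is not checked there:
    #    'ip verify source' is on SwitchA's access ports, not on the uplink.
    out["uplink_into_A"] = sw_a.ingress_ip(vlan, ip_a, "Po1")

    # 4. PC-A renews via DHCP: request on untrusted Gi0/5, ACK back via trusted Po1.
    sw_b.dhcp_request(vlan, pc_a, "Gi0/5")
    sw_b.dhcp_ack(vlan, pc_a, ip_a, "Po1")
    out["binding_port_on_B"] = sw_b.bindings[(vlan, pc_a)].port
    out["renewed_on_B"] = sw_b.ingress_ip(vlan, ip_a, "Gi0/5")

    # 5. Had Po1 not been trusted on SwitchB, the ACK itself would be dropped.
    sw_c = Switch("SwitchB-untrusted", {vlan}, trusted_ports=set(), ipsg_ports={"Gi0/5"})
    sw_c.dhcp_request(vlan, pc_a, "Gi0/5")
    out["ack_without_trust"] = sw_c.dhcp_ack(vlan, pc_a, ip_a, "Po1")
    return out


if __name__ == "__main__":
    for step, verdict in scenario().items():
        print(f"{step:20} {verdict}")
```

Step 2 is the static-IP case that "won't work", step 4 is the renew-through-Po1 case that does, and step 5 is why Po1 must carry `ip dhcp snooping trust` on Switch B. Step 3 shows the other half of the confusion in the thread: whatever stale binding Switch A still holds for Gi0/1 is never consulted for frames entering on Po1, because IPSG runs only where `ip verify source` is applied.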

 

Hi Flavio, yep, that's what I meant.
Thank you!