12-14-2021 03:20 AM
Hi,
I have the following topology:
I am trying to configure a simple Dynamic ARP Inspection. This is configuration on the Switch:
hostname Switch
!
ip arp inspection vlan 1
!
ip dhcp snooping vlan 1
ip dhcp snooping
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 ip arp inspection trust
 ip dhcp snooping trust
!
This is the output of the show ip dhcp snooping binding command:
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -----------------
00:E0:F7:03:48:97   10.10.10.10      86400       dhcp-snooping  1     FastEthernet0/1
Total number of bindings: 1
Then, when I added the Attacker's PC with the IP 10.10.10.10 and tried to ping the Default Gateway at 10.10.10.1 (Server), the ping passed. After a few minutes, I tried to ping again, but this time it did not pass.
However, when I do show ip arp inspection at the Switch, the statistics are 0.
What does this mean? Please help.
12-15-2021 12:29 AM - edited 12-15-2021 12:34 AM
Hello
@iores wrote:
Hi,
Then, when I added the Attacker's PC with the IP 10.10.10.10 and tried to ping the Default Gateway at 10.10.10.1 (Server), the ping passed. After a few minutes, I tried to ping again, but this time it did not pass.
When you add a PC, do you mean by DHCP allocation? If so, then this would be correct, as that MAC address is in the snooping DB.
sh ip source binding
To negate such an attachment, disable unused ports and possibly apply a filter to negate that host.
mac address-table static xxxx.xxxx.xxxx vlan 1 drop
12-15-2021 01:40 AM - edited 12-15-2021 01:41 AM
I first created the topology without the Attacker's PC. The PC0 obtained the IP via DHCP, the binding was recorded, and DAI activated.
Then, when I connect the Attacker's PC to the switch with a static IP address that is the same as PC0's, the ping passes. I also tried using a different IP but the same MAC address as PC0, and the ping passed as well.
Shouldn't the switch block the traffic in such cases due to DAI, because there is an obvious IP-MAC address mismatch?
12-15-2021 01:40 AM - edited 12-15-2021 01:41 AM
Hello,
DAI in Packet Tracer is very buggy. Your configuration is by the book. I got it to work using your config, in version 8.1, but then all of a sudden it did not work at all anymore, even the DHCP binding database was empty.
I remember that in older versions, you had to make the PC port a trusted port in order to get it to work at all (which obviously defeats the purpose of DAI to start out with).
So in short, you are running into one of the limitations of Packet Tracer.
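To make concrete what DAI is supposed to do with the binding table and the two mismatched hosts described above, here is an added Python model of the validation rule (it is not Packet Tracer or IOS code, and the port/VLAN sets are taken from the config posted in this thread). Only the attacker MAC `00:11:22:33:44:55` and the second IP `10.10.10.20` are made up for illustration.

```python
"""Model of Dynamic ARP Inspection (DAI) checking ARP packets against a
DHCP snooping binding table. Added illustration, not IOS or Packet Tracer code."""
import re

# Constructed copy of the `show ip dhcp snooping binding` output from the thread.
SNOOPING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -----------------
00:E0:F7:03:48:97   10.10.10.10      86400       dhcp-snooping  1     FastEthernet0/1
Total number of bindings: 1
"""

TRUSTED_PORTS = {"FastEthernet0/3"}  # `ip arp inspection trust` on Fa0/3 in the thread
DAI_VLANS = {1}                      # `ip arp inspection vlan 1`

BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)", re.M)

def parse_bindings(text):
    """Return {(vlan, ip): mac} parsed from `show ip dhcp snooping binding` output."""
    return {(int(vlan), ip): mac.lower()
            for mac, ip, vlan, _iface in BINDING_RE.findall(text)}

def dai_check(bindings, vlan, port, sender_mac, sender_ip):
    """Decide whether an ARP packet is forwarded ('permit') or dropped ('drop').
    DAI rule: on an untrusted port in an inspected VLAN, the sender MAC/IP pair
    must match an entry in the snooping binding table."""
    if vlan not in DAI_VLANS or port in TRUSTED_PORTS:
        return "permit"          # not inspected: trusted port or VLAN without DAI
    if bindings.get((vlan, sender_ip)) == sender_mac.lower():
        return "permit"          # pair learned via DHCP, as for PC0
    return "drop"                # would show under Dropped in `show ip arp inspection`

if __name__ == "__main__":
    table = parse_bindings(SNOOPING_OUTPUT)
    # PC0's own ARP, attacker with PC0's IP, attacker with PC0's MAC (hypothetical values)
    for mac, ip, port in [("00:E0:F7:03:48:97", "10.10.10.10", "FastEthernet0/1"),
                          ("00:11:22:33:44:55", "10.10.10.10", "FastEthernet0/2"),
                          ("00:E0:F7:03:48:97", "10.10.10.20", "FastEthernet0/2")]:
        print(port, mac, ip, "->", dai_check(table, 1, port, mac, ip))
```

With the thread's binding table, both attacker cases come back as "drop" on an untrusted port, which is the behaviour the poster expected and which the `show ip arp inspection` counters should reflect on real hardware.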
12-15-2021 01:51 AM
George, thank you. I was thinking that something was wrong with my config. I have tried desperately to make it work for the last several days, and every time I got the same result.
I am relieved now.