03-21-2024 01:15 PM
My user traffic is being blocked on my switch (Catalyst 9300) due to the IP ARP INSPECTION requirement from DISA STIG requirements. I don't understand why. Can someone enlighten me as to what I am doing wrong?
03-21-2024 08:02 PM - edited 03-21-2024 08:04 PM
Hello,
Just to make sure how DHCP snooping and Dynamic ARP Inspection work here is a little information:
Dynamic ARP inspection works off the premise of looking up in a database on the switch (either created dynamically or statically with ARP ACLs) to see if certain parameters match, in this case its IP/MAC mapping in an ARP packet.
When a PC sends an ARP request with its IP to MAC mapping the switch checks this database to see if that IP/MAC pair from that interface is valid. This can only work if there is a database to check. Most users opt for the automatic method of employing DHCP Snooping. When a device requests an IP from a DHCP server and gets a response back the switch adds this IP/MAC pair to its IP DHCP snooping table which the DAI refers to.
Also BOTH DHCP Snooping and ARP Inspection utilize what's called trusted/untrusted ports. When you enable these features ALL ports become untrusted and you need to go into the ports specifically to tell them to be trusted.
For DHCP Snooping Trusted means - DHCP Server messages are allowed through
For Dynamic ARP inspection Trusted means - don't check it against the Snooping database
In both instances this is usually applied to trunk ports and upstream interfaces connected to another network devices (switches, routers, etc)
ip dhcp snooping trust
ip arp inspection trust
I did not see these applied to your trunk interface.
A few notes about operation:
1. DHCP snooping uses two commands to utilize it
ip dhcp snooping <- turns ON DHCP snooping (I didn't see this command in your output)
ip dhcp snooping vlan 116,301 <- This enables it for the selected VLANs (I did see this in your output but won't work unless it's turned on with the above command)
2. Dynamic ARP Inspection doesn't need to be "turned on" like DHCP Snooping does so your entry of ip arp inspection vlan 116,301 looks fine.
Can you implement my suggestions (then re-send the config for us to check)?
Then clear ports of any port security errors and have a PC go through the process of getting a DHCP address. Then test to see if that fixes your issue.
-David
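The trusted/untrusted logic David describes, as an added Python model (not code from the thread or from Cisco): it parses constructed text in the shape of the `show ip dhcp snooping binding` output MHM asks for, then decides for each ARP packet whether DAI would forward or drop it. The uplink interface name and the binding entries are assumed sample values, and requiring the learning port to match is a modelling choice.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of 'show ip dhcp snooping binding' output (not a real capture).
SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.1.116.10      86400       dhcp-snooping  116   GigabitEthernet1/0/5
00:11:22:33:44:66   10.1.30.20       86400       dhcp-snooping  301   GigabitEthernet1/0/7
Total number of bindings: 2
"""
BINDING_RE = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)")

def parse_bindings(output):
    """Return {(vlan, ip, mac): interface} for every binding line in the table text."""
    bindings = {}
    for line in output.splitlines():
        m = BINDING_RE.match(line)
        if m:
            mac, ip, vlan, intf = m.groups()
            bindings[(int(vlan), ip, mac.lower())] = intf
    return bindings

# Minimal view of an ARP packet: where it arrived and what sender pair it claims.
ArpPacket = namedtuple("ArpPacket", "interface vlan sender_ip sender_mac")

def dai_verdict(pkt, bindings, trusted, dai_vlans):
    """Return 'forward' or 'drop' following the trusted/untrusted logic in the answer above."""
    if pkt.vlan not in dai_vlans:
        return "forward"   # DAI not enabled on this VLAN: nothing is inspected
    if pkt.interface in trusted:
        return "forward"   # 'ip arp inspection trust': not checked against the database
    # Untrusted port: the sender IP/MAC must have been learned by DHCP snooping on this
    # VLAN; this model also requires the learning port to match (modelling assumption).
    learned_on = bindings.get((pkt.vlan, pkt.sender_ip, pkt.sender_mac.lower()))
    return "forward" if learned_on == pkt.interface else "drop"

def demo():
    """Reproduce the thread's symptom: with an empty binding table every untrusted port drops ARP."""
    dai_vlans, trusted = {116, 301}, {"TenGigabitEthernet1/1/1"}   # assumed uplink name
    bindings = parse_bindings(SNOOPING_BINDING_OUTPUT)
    pc = ArpPacket("GigabitEthernet1/0/5", 116, "10.1.116.10", "00:11:22:33:44:55")
    moved = ArpPacket("GigabitEthernet1/0/6", 116, "10.1.116.10", "00:11:22:33:44:55")
    uplink = ArpPacket("TenGigabitEthernet1/1/1", 116, "10.1.116.1", "aa:bb:cc:dd:ee:ff")
    return {"pc_with_binding": dai_verdict(pc, bindings, trusted, dai_vlans),
            "same_pair_other_port": dai_verdict(moved, bindings, trusted, dai_vlans),
            "uplink_trusted": dai_verdict(uplink, bindings, trusted, dai_vlans),
            "uplink_untrusted": dai_verdict(uplink, bindings, set(), dai_vlans),
            "pc_no_snooping_table": dai_verdict(pc, {}, trusted, dai_vlans)}
```

The last two cases are the ones from the thread: an uplink without `ip arp inspection trust` and a switch where `ip dhcp snooping` was never enabled globally (empty table) both end in drops.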
03-21-2024 03:14 PM
Is this user connecting to the switch for the first time, or was it connected to another port before?
Do
Show ip dhcp snooping binding
See the entry for the user's MAC: on which port? Only one, or are there multiple?
MHM
03-21-2024 03:29 PM
My user traffic is being blocked on my switch (Catalyst 9300)
What user traffic? And what IP address did the user get?
Did this work before? Or did it stop working after enabling ip arp inspection? It was not clear here.
Are all the ports having the issue, or only VLAN 116 and 301?
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the bridge-domains and on the router. If the ARP packet is received on a trusted interface, the router forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
You have also configured ip verify source on each layer 2 interface - is this a requirement?
Enables IP source guard with source IP address filtering.
(Optional) mac-check - Enables IP Source Guard with source IP address and MAC address filtering.
03-21-2024 06:47 PM
I just reapplied the "ip dhcp snooping vlan 116,301" (user vlans) and "IP arp inspection vlan 116,301". It has shut down all the ports on the switch, even the trunk port to the switch.
Yes the "IP verify source" is required also.