
ip arp inspection

Jeff Horton
Level 1

My user traffic is being blocked on my switch (Catalyst 9300) due to the IP ARP INSPECTION requirement from DISA STIG requirements. I don't understand why. Can someone enlighten me as to what I am doing wrong?

Accepted Solution

Hello,

Just to make sure how DHCP snooping and Dynamic ARP Inspection work here is a little information:

Dynamic ARP inspection works off the premise of looking up in a database on the switch (either created dynamically or statically with ARP ACLs) to see if certain parameters match, in this case its IP/MAC mapping in an ARP packet.

When a PC sends an ARP request with its IP to MAC mapping the switch checks this database to see if that IP/MAC pair from that interface is valid. This can only work if there is a database to check. Most users opt for the automatic method of employing DHCP Snooping. When a device requests an IP from a DHCP server and gets a response back the switch adds this IP/MAC pair to its IP DHCP snooping table which the DAI refers to.

Also BOTH DHCP Snooping and ARP Inspection utilize what's called trusted/untrusted ports. When you enable these features ALL ports become untrusted and you need to go into the ports specifically to tell them to be trusted.

For DHCP Snooping Trusted means - DHCP Server messages are allowed through

For Dynamic ARP inspection Trusted means - don't check it against the Snooping database

In both instances this is usually applied to trunk ports and upstream interfaces connected to other network devices (switches, routers, etc.)

ip dhcp snooping trust

ip arp inspection trust

I did not see these applied to your trunk interface.

 

A few notes about operation:

1. DHCP snooping uses two commands:

ip dhcp snooping <- turns ON DHCP snooping (I didn't see this command in your output)

ip dhcp snooping vlan 116,301 <- This enables it for the selected VLANs (I did see this in your output, but it won't work unless it's turned on with the above command)

2. Dynamic ARP Inspection doesn't need to be "turned on" like DHCP Snooping does so your entry of ip arp inspection vlan 116,301 looks fine.

 

Can you implement my suggestions (then re-send the config for us to check)?

Then clear ports of any port security errors and have a PC go through the process of getting a DHCP address. Then test to see if that fixes your issue.

 

-David

 

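The checks David walks through (global ip dhcp snooping present, snooping VLANs backing the DAI VLANs, trust on trunks) can be run against a saved running-config before applying it. This is an added example, not from the thread; the embedded config is constructed to reproduce the two problems described above, not Jeff's actual config.

```python
from typing import Dict, List

# Constructed sample running-config (not the poster's real one) showing the two
# pitfalls from the accepted answer: per-VLAN snooping without the global
# "ip dhcp snooping" command, and a trunk left untrusted for snooping and DAI.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 116,301
ip arp inspection vlan 116,301
!
interface GigabitEthernet1/0/1
 switchport access vlan 116
 ip verify source
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its indented configuration lines."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_snooping_dai(config: str) -> List[str]:
    """Return findings for the DHCP snooping / DAI pitfalls discussed in the thread."""
    findings = []
    global_cmds = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    snoop_vlans = [g for g in global_cmds if g.startswith("ip dhcp snooping vlan ")]
    dai_vlans = [g for g in global_cmds if g.startswith("ip arp inspection vlan ")]
    if snoop_vlans and "ip dhcp snooping" not in global_cmds:
        findings.append("global 'ip dhcp snooping' missing: per-VLAN snooping is inactive")
    if dai_vlans and not snoop_vlans:
        findings.append("DAI enabled without DHCP snooping: no binding database to validate against")
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:  # uplinks should be trusted for both features
            for trust in ("ip dhcp snooping trust", "ip arp inspection trust"):
                if trust not in lines:
                    findings.append(f"{name}: trunk missing '{trust}'")
    return findings

if __name__ == "__main__":
    for finding in audit_snooping_dai(SAMPLE_CONFIG):
        print(finding)
```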

4 Replies

Is this user connecting to the SW for the first time, or did it connect to another port before?

Do

show ip dhcp snooping binding

See on which port the user MAC entry appears: only one, or multiple?

MHM

balaji.bandi
Hall of Fame
My user traffic is being blocked on my switch (Catalyst 9300)

What user traffic? And what IP address did the user get?

Did this work before, or did it stop working after enabling ip arp inspection? It was not clear here.

Are all the ports having the issue, or only VLAN 116 and 301?

Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the bridge-domains and on the router. If the ARP packet is received on a trusted interface, the router forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/ipaddr-dhcp/17-1-1/b-dhcp-xe-17-1-asr920/m_configuring_dynamic_arp.html#:~:text=Dynamic%20ARP%20inspection%20determines%20the,domains%20and%20on%20the%20router.

You also have configured ip verify source on each layer 2 interface. Is this a requirement?

Enables IP source guard with source IP address filtering.

(Optional) mac-check—Enables IP Source Guard with source IP address and MAC address filtering.

 

BB


Jeff Horton
Level 1

I just reapplied the "ip dhcp snooping vlan 116,301" (user VLANs) and "ip arp inspection vlan 116,301". It has shut down all the ports on the switch, even the trunk port to the switch.

Yes the "IP verify source" is required also.

 
