
IP Verify Source didn't stop traffic without DHCP Snooping?

Jaydub718
Level 1

Good afternoon everyone,

Came across a curiosity as I was doing some network hardening for my campus network. I started blanketing access switch interfaces, spread across many VLANs, with a configuration that included "ip verify source".

~~
ex.

interface GigabitEthernet1/0/23Switching
 switchport access vlan 1000
 switchport mode access
 switchport block unicast
 switchport port-security maximum 2
 switchport port-security
 ip arp inspection limit rate 20 burst interval 2
 authentication event fail action next-method
 authentication host-mode multi-host
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer inactivity 3600
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 storm-control broadcast level bps 20m
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
~~

Immediately, no problems were observed. Then, after that, I started rolling out DHCP snooping across those very same VLANs to be followed up with DAI. And that's where I started questioning myself.

DHCP Snooping was enabled globally, but not for any specific VLAN when I configured IP Source Guard. This made me think, shouldn't IPSG have blocked all traffic on those interfaces without a DHCP snooping binding table to reference, right when I configured it? Because it did not.

Secondly, I have a question about DAI.

DAI, in fact, did block traffic as designed. So, my question is, how do you guys implement DAI in an environment with (authorized) mobile laptops and communal LAN ports across many different switches? If I implement DAI on a vlan on a switch, it blocks all traffic from a new device that connects (to that switch) that did not have a pre-existing mapping in the DHCP snooping Binding table, including DORA traffic. Thus, DHCP Snooping is never given the opportunity to build the entry with the remote DHCP server.

This effectively makes DAI the enemy of mobility in dynamic environments, does it not?
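The two questions above both come down to how the DHCP snooping binding table gates IP Source Guard and Dynamic ARP Inspection on an untrusted port. The following Python model is an added illustration written for this page; it is not Cisco code and not the poster's. It implements the documented IOS behaviour: IPSG drops IP packets that have no (port, MAC) -> IP binding but always lets DHCP through so a lease can be learned; DAI inspects only ARP, and permits ARP that arrives on a trusted port (`ip arp inspection trust` on the uplink), matches a binding, or matches an ARP ACL (`arp access-list` applied with `ip arp inspection filter`). Static hosts with no lease therefore need both an ARP ACL entry and an `ip source binding` entry. The interface names, MAC and IP addresses, and the `client_port` shortcut on the snooped ACK are constructed for the scenario.

```python
"""Model of DHCP snooping bindings gating IP Source Guard (IPSG) and
Dynamic ARP Inspection (DAI) on untrusted access ports.

Constructed illustration for this thread, not Cisco code.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    port: str              # ingress interface (constructed names)
    kind: str              # "dhcp", "ip" or "arp"
    src_mac: str
    src_ip: str            # source IP (IP/DHCP) or sender IP (ARP)
    dhcp_msg: str = ""     # "DISCOVER", "ACK", ... when kind == "dhcp"
    chaddr: str = ""       # client MAC carried in a DHCP server reply
    yiaddr: str = ""       # leased address carried in a DHCP ACK
    client_port: str = ""  # hypothetical shortcut: port the ACK is delivered to


@dataclass
class Switch:
    trusted_ports: set = field(default_factory=set)   # uplink toward the DHCP server
    arp_acl: set = field(default_factory=set)         # (mac, ip) pairs from an arp access-list
    bindings: dict = field(default_factory=dict)      # (port, mac) -> ip

    def add_static_binding(self, port, mac, ip):
        """Models 'ip source binding <mac> vlan <v> <ip> interface <port>'."""
        self.bindings[(port, mac)] = ip

    def snoop_dhcp(self, pkt):
        """DHCP snooping: an ACK seen on a trusted port creates the client's binding."""
        if pkt.kind == "dhcp" and pkt.port in self.trusted_ports and pkt.dhcp_msg == "ACK":
            self.bindings[(pkt.client_port, pkt.chaddr)] = pkt.yiaddr

    def ipsg_verdict(self, pkt):
        """IPSG: DHCP is always permitted so a lease can be obtained; any other
        IP packet must match the (port, MAC) -> IP binding."""
        if pkt.kind == "dhcp":
            return "permit"
        if self.bindings.get((pkt.port, pkt.src_mac)) == pkt.src_ip:
            return "permit"
        return "drop"

    def dai_verdict(self, pkt):
        """DAI: ARP on trusted ports passes; on untrusted ports the sender
        MAC/IP pair must match a binding or an ARP ACL entry."""
        if pkt.port in self.trusted_ports:
            return "permit"
        if (pkt.src_mac, pkt.src_ip) in self.arp_acl:
            return "permit"
        if self.bindings.get((pkt.port, pkt.src_mac)) == pkt.src_ip:
            return "permit"
        return "drop"

    def process(self, pkt):
        """Learn from DHCP first, then apply DAI to ARP and IPSG to everything else."""
        self.snoop_dhcp(pkt)
        if pkt.kind == "arp":
            return self.dai_verdict(pkt)
        return self.ipsg_verdict(pkt)


def run_scenario():
    """Walk a roaming laptop and a static printer through the checks; returns name -> verdict."""
    sw = Switch(trusted_ports={"Gi1/0/48"})
    laptop, server, gw = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:01", "10.10.0.1"
    results = {}

    def step(name, pkt):
        results[name] = sw.process(pkt)

    # Laptop plugs into an access port with no binding yet.
    step("dhcp discover before lease", Packet("Gi1/0/23", "dhcp", laptop, "0.0.0.0", dhcp_msg="DISCOVER"))
    step("ip traffic before lease", Packet("Gi1/0/23", "ip", laptop, "10.10.0.50"))
    step("arp probe before lease", Packet("Gi1/0/23", "arp", laptop, "10.10.0.50"))
    # Server ACK on the trusted uplink populates the binding for the laptop's port.
    step("server ack on trusted uplink", Packet("Gi1/0/48", "dhcp", server, gw, dhcp_msg="ACK",
                                                chaddr=laptop, yiaddr="10.10.0.50", client_port="Gi1/0/23"))
    step("ip traffic after lease", Packet("Gi1/0/23", "ip", laptop, "10.10.0.50"))
    step("arp after lease", Packet("Gi1/0/23", "arp", laptop, "10.10.0.50"))
    step("arp claiming the gateway address", Packet("Gi1/0/23", "arp", laptop, gw))
    # Static-IP printer: nothing to snoop, so it needs explicit entries for both checks.
    printer = "cc:cc:cc:00:00:01"
    step("static printer arp, no entries", Packet("Gi1/0/10", "arp", printer, "10.10.0.9"))
    sw.arp_acl.add((printer, "10.10.0.9"))
    sw.add_static_binding("Gi1/0/10", printer, "10.10.0.9")
    step("static printer arp with arp acl", Packet("Gi1/0/10", "arp", printer, "10.10.0.9"))
    step("static printer ip with static binding", Packet("Gi1/0/10", "ip", printer, "10.10.0.9"))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:40s} {verdict}")
```

The ordering in `run_scenario` is the part worth checking against a real port: the DHCP exchange passes before any binding exists, while IP and ARP from the same MAC are dropped until the snooped ACK lands, and a static host stays blocked until both the ARP ACL and the static source binding are in place.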
