Good afternoon everyone,
Came across a curiosity as I was doing some network hardening for my campus network. I started blanketing access switch interfaces, spread across many VLANs, with a configuration that included "ip verify source"
~~
ex.
interface GigabitEthernet1/0/23Switching
switchport access vlan 1000
switchport mode access
switchport block unicast
switchport port-security maximum 2
switchport port-security
ip arp inspection limit rate 20 burst interval 2
authentication event fail action next-method
authentication host-mode multi-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer inactivity 3600
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
storm-control broadcast level bps 20m
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source
~~
Immediately, no problems were observed. After that, I started rolling out DHCP snooping across those very same VLANs, to be followed up with DAI. And that's where I started questioning myself.
DHCP Snooping was enabled globally, but not for any specific VLAN when I configured IP Source Guard. This made me think, shouldn't IPSG have blocked all traffic on those interfaces without a DHCP snooping binding table to reference, right when I configured it? Because it did not.
Secondly, I have a question about DAI.
DAI, in fact, did block traffic as designed. So, my question is, how do you guys implement DAI in an environment with (authorized) mobile laptops and communal LAN ports across many different switches? If I implement DAI on a VLAN on a switch, it blocks all traffic from a new device that connects (to that switch) that did not have a pre-existing mapping in the DHCP snooping binding table, including DORA traffic. Thus, DHCP snooping is never given the opportunity to build the entry with the remote DHCP server.
This effectively makes DAI the enemy of mobility in dynamic environments, does it not?
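Added example, not part of the original post and not the poster's configuration: a sketch of the DHCP snooping, DAI and IPSG pieces that normally go together on a Cisco IOS access switch. VLAN 1000, the TenGigabitEthernet1/1/1 uplink, the GigabitEthernet1/0/24 access port, the 10.1.0.5 / 0011.2233.4455 static host and the flash: filename are placeholders. Two points it is built around: both IPSG and DAI consult the DHCP snooping binding table, and that table is only populated for VLANs where snooping is enabled per VLAN (the global `ip dhcp snooping` alone builds nothing), and DAI inspects ARP only, so hosts that never go through DHCP need a static binding or an ARP ACL to be let through.

```cisco
! Added example (not the original poster's running-config). VLAN 1000, the uplink
! and access port names, the static host and the flash: filename are placeholders.
!
! DHCP snooping: the global enable alone builds no bindings; it must also be
! enabled for each VLAN you want IPSG / DAI to have bindings for.
ip dhcp snooping
ip dhcp snooping vlan 1000
! Persist the binding table so a reload does not strand hosts that already have a lease.
ip dhcp snooping database flash:dhcp-snooping.db
! With a remote DHCP server behind a relay, snooping inserts option 82 with
! giaddr 0.0.0.0 by default; relays/servers often drop those. Either disable
! insertion here (as below) or keep it and configure
! "ip dhcp relay information trust-all" on the relay router.
no ip dhcp snooping information option
!
! DAI on the same VLAN, with the optional extra header sanity checks.
ip arp inspection vlan 1000
ip arp inspection validate src-mac dst-mac ip
!
! Statically addressed hosts never create a snooping binding. Whitelist them with an
! ARP ACL (consulted by DAI) and a static source binding (consulted by IPSG).
arp access-list STATIC-HOSTS
 permit ip host 10.1.0.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 1000
ip source binding 0011.2233.4455 vlan 1000 10.1.0.5 interface GigabitEthernet1/0/24
!
! Uplink toward the core / DHCP server: trusted for both DHCP and ARP, so the
! OFFER/ACK from the server and the gateway's ARP replies are not dropped.
interface TenGigabitEthernet1/1/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access port: untrusted (the default), rate-limited for ARP and DHCP,
! IPSG filtering IP traffic against the binding table.
interface GigabitEthernet1/0/24
 switchport access vlan 1000
 switchport mode access
 ip arp inspection limit rate 20 burst interval 2
 ip dhcp snooping limit rate 15
 ip verify source
!
! Checks to run after enabling each piece:
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 1000
! show ip arp inspection statistics vlan 1000
! show ip verify source interface GigabitEthernet1/0/24
```

Enable the pieces in that order (snooping per VLAN, confirm bindings appear for a freshly connected DHCP client, then DAI, then IPSG) and watch `show ip arp inspection statistics` for "ACL Drops" and "DHCP Drops" on the VLAN; those counters are the quickest way to tell whether a blocked host is missing a binding or failing a validation check.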