11-12-2024 01:36 AM
Hi everyone,
We have a WLC connected to the CORE switch directly, and I'm just wondering if it's required to configure DAI on the CORE switch, since all the users' traffic is tunneled to the WLC. I tried to check that in the configuration best practices and I didn't find anything related to DAI.
You may tell that I should look in the switching sections, however, in the case of a wireless network, what can I do?
I don't know if it's relevant to know at this point since my question is design related, but the WLC we are using is a 9800-L version
I tried to enable it for all segments using DHCP (including access points), and the whole network went down: no VLAN could obtain an IP address. I disabled it entirely, but nothing was working. I had to reboot the core switch to get everything back and haven't touched it since then. I'm wondering now if it's recommended to have it enabled on the core switch, or if DHCP snooping is enough from a design point of view.
PS: we already have DHCP snooping enabled on the core switch.
11-12-2024 03:38 AM
Seems to me the investigation must be related to the core, not the WLC. Which device do you use for the core, and which IOS version?
DAI is a security feature and should be a best practice, not a requirement. DAI protects against man-in-the-middle attacks, as you probably know. Considering the traffic from clients to the WLC is encrypted, the only traffic that could be exploited would be between your WLC and the core, which is directly connected.
Now, enabling a security feature should not crash the network or the core.
11-12-2024 03:53 AM
Thank you for your reply,
By "the whole network went down" I mean that no client was receiving an IP from the DHCP; the uplink towards it was trusted, obviously.
Disabling DAI didn't fix the issue. I had to reboot the core switch so the clients could acquire IPs again in all the VLANs where DAI was enabled.
My question now is more about the design. Is it recommended to use DAI on the core switch or not? If yes, then I should enable it for all VLANs in the core layer.
The core is a Catalyst 9500, version 17.12.4
11-12-2024 07:33 AM
From a design standpoint I don't see a good reason to enable DAI on the core, as the traffic from clients gets to the WLC encrypted and goes directly to the core.
But that does not mean you cannot enable it. The reason why the core crashed is something that needs to be investigated.
11-12-2024 03:48 AM - edited 11-12-2024 03:49 AM
How did you handle static IP addresses when you enabled DAI?
For these addresses DAI has no trusted IP-to-MAC mapping information for validating ARP packets. This can cause DAI to treat valid ARP packets from untrusted interfaces as potentially malicious, causing disruption, unless you did something to handle it, like maybe ARP ACLs, or set the required ports as trusted. If you did not, that potentially caused your network issue.
11-12-2024 03:51 AM
DHCP snooping is enabled, that's good, you can run DAI then.
DHCP snooping does not protect the network from all L2 attacks; you also need DAI.
MHM
11-12-2024 03:55 AM
Is it common to use it at the core layer from a design perspective?
11-12-2024 04:03 AM
DAI is usually run on the access switch (the closest switch to the endpoint), but here it is different: the endpoints use the WLC, and the WLC connects to the core switch,
and you run DHCP snooping on the core, so DAI can use the DHCP snooping database to inspect IP-MAC for ARP.
MHM
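The two replies above (the one about static addresses and trusted ports, and the one about DAI relying on the DHCP snooping database) describe a configuration rather than show it. The following IOS-XE fragment is an added example, not posted by anyone in this thread and not taken from Cisco's documentation: DHCP snooping on the core for the client VLANs, the WLC-facing trunk trusted for both snooping and DAI, an ARP ACL for a host with a static address, and only then DAI enabled on the same VLANs. The interface name, VLAN IDs and the IP/MAC pair in the ARP ACL are placeholders for the reader's own topology.

```cisco
! DHCP snooping must be running on the VLANs first: DAI validates ARP
! against the snooping binding table (as already in place on this core).
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! The port towards the WLC carries all wireless client traffic. Trust it for
! both snooping and DAI; otherwise every client ARP arriving over it is
! inspected as untrusted. Interface name is a placeholder.
interface TenGigabitEthernet1/0/1
 description Uplink to C9800-L
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Hosts with static addresses never appear in the snooping binding table, so
! their ARP replies on untrusted ports are dropped once DAI is on. An ARP ACL
! supplies the binding DAI would otherwise lack. Addresses are placeholders.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
!
! Apply the ACL, then enable DAI on the same VLANs as snooping, with the
! optional sanity checks on source MAC, destination MAC and IP.
ip arp inspection filter STATIC-HOSTS vlan 10
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Verification before touching the next VLAN:
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

Without the `static` keyword on the `ip arp inspection filter` command, ARP packets that do not match the ACL are still checked against the snooping bindings; with it, non-matching packets are dropped outright. Enabling DAI one VLAN at a time and reading the per-VLAN drop counters in `show ip arp inspection statistics` shows which hosts have no binding before the whole network is affected.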
11-17-2024 10:40 AM
@TrickTrick, your problem might stem from the fact that the 9800 proxies ARP for wireless clients?
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#AddressResolutionProtocolARPproxy
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_arp_proxy.html