ARP Inspection in a centrally switched wireless design

TrickTrick (Level 3)

Hi everyone,

We have a WLC connected directly to the CORE switch and I'm just wondering whether it's required to configure DAI on the CORE switch, since all the users' traffic is tunneled to the WLC. I tried to check this in the configuration best practices and I didn't find anything related to DAI.
You may say that I should look in the switching sections; however, in the case of a wireless network, what can I do?

I don't know if it's relevant at this point since my question is design related, but the WLC we are using is a 9800-L, version 17.12.3 (recommended).

I tried to enable it for all segments using DHCP (including access points), and the whole network went down: no VLAN could obtain an IP address. I disabled it entirely but nothing was working. I had to reboot the core switch to get everything back and haven't touched it since. I'm wondering now whether it's recommended to have it enabled on the core switch, or whether DHCP snooping is enough from a design point of view.

PS: we already have DHCP snooping enabled on the core switch.

8 Replies

@TrickTrick 

Seems to me the investigation must be related to the Core, not the WLC. Which device do you use for core, and which IOS and version?

DAI is a security feature and should be a best practice, not a requirement. DAI protects against man-in-the-middle attacks, as you probably know. Considering the traffic from clients to the WLC is encrypted, the only traffic that could be exploited would be between your WLC and the Core, which is directly connected.

Now, enabling a security feature should not crash the network or the core.

Thank you for your reply.
By "the whole network went down" I mean no client was receiving an IP from the DHCP server; the uplink towards it was trusted, obviously.

Disabling DAI didn't fix the issue; I had to reboot the Core switch so the clients could acquire IPs again in all the VLANs where DAI was enabled.

My question now is related more to the design. Is it recommended to use DAI on the Core switch or not? If yes, then I should enable it for all VLANs in the core layer.

The core is a Catalyst 9500, version 17.12.4

From a design standpoint I don't see a good reason to enable DAI on the Core, as the traffic from clients gets to the WLC encrypted and goes directly to the core.

But that does not mean you cannot enable it. The reason why the core crashed is something that needs to be investigated.

ammahend (VIP)

How did you handle static IP addresses when you enabled DAI?

For these addresses DAI has no trusted IP-to-MAC mapping information for validating ARP packets; this can cause DAI to treat valid ARP packets from untrusted interfaces as potentially malicious, causing disruption, unless you did something to handle it, like maybe ARP ACLs, or setting the required ports as trusted. If you did not, it potentially caused your network issue.

-hope this helps-

DHCP snooping is enabled, that's good, you can run DAI then.

DHCP snooping does not protect the network from all L2 attacks; you also need DAI.

MHM

Is it common to use it at the Core layer from a design perspective?

DAI is usually run on the Access SW (the closet SW to the endpoint), but here it is different: the endpoints use the WLC and the WLC connects to the Core SW,
and you run DHCP snooping on the Core, so DAI can use the DHCP snooping database to inspect IP-MAC for ARP.

MHM
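Putting ammahend's point about static hosts and MHM's point about the DHCP snooping database together, here is an added IOS-XE configuration sketch (not from this thread or from Cisco's best-practice guide) for a core switch that terminates the WLC and already runs DHCP snooping. VLAN numbers, interface names, the static host's IP/MAC and the DHCP server location are assumed placeholders.

```cisco
! --- Prerequisite: DHCP snooping already enabled on the core (as in the thread) ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Assumed DHCP server sits behind this uplink; it must be trusted for DHCP and DAI
interface TenGigabitEthernet1/0/48
 description Uplink towards DHCP server (assumed)
 ip dhcp snooping trust
 ip arp inspection trust

! --- Static hosts: DAI has no snooping binding for them, so give it an ARP ACL ---
! Assumed example: a printer with a fixed address in VLAN 10
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
! Without "static" DAI still falls back to the snooping database after the ACL
ip arp inspection filter STATIC-HOSTS vlan 10

! --- Optional sanity checks on ARP payload vs. Ethernet header ---
ip arp inspection validate src-mac dst-mac ip

! --- WLC-facing port: left UNTRUSTED so wireless client ARP is inspected ---
! Design trade-off: trusting this port (ip arp inspection trust) would exempt
! every wireless client from DAI, which is what Flavio's reply leans towards.
interface TenGigabitEthernet1/0/1
 description Link to C9800-L (assumed)
 ip dhcp snooping trust
 no ip arp inspection trust
 ! Raise the per-port rate limit: one port carries ARP for all wireless clients
 ip arp inspection limit rate 500 burst interval 1

! Enable DAI last, one VLAN at a time, after bindings and ACLs are in place
ip arp inspection vlan 10
! Let a port recover automatically if the rate limit err-disables it
errdisable recovery cause arp-inspection
errdisable recovery interval 60

! --- Verification before adding the next VLAN ---
! show ip dhcp snooping binding        (are the wireless clients' leases here?)
! show ip arp inspection vlan 10       (filter/validate settings in effect)
! show ip arp inspection statistics vlan 10   (Dropped/ACL Drops should stay ~0)
! show ip arp inspection log           (which IP/MAC got denied, and on which port)
```

If the denied counters climb immediately, the addresses listed in the log are the ones lacking a binding or ACL entry; back out with `no ip arp inspection vlan 10` rather than rebooting.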

Rich R (VIP)

@TrickTrick your problem might stem from the fact that 9800 proxies ARP for wireless clients?
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#AddressResolutionProtocolARPproxy
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_arp_proxy.html
