Networking

Dynamic ARP Inspection with NON-DHCP hosts

· >

Today, We will understand the ARP inspection that how can it impact non DHCP hosts.

We are having R1,R3 and R5 are all on VLAN100, connected to switch SW1:

  • R1 – Static host
  • R3 – DHCP Server
  • R5 – DHCP client

This scenario shows how DAI works with DHCP snooping to block ARP requests from untrusted ports and how NON-DHCP clients can still be apart of the network.

SW1 has ARP Inspection and DHCP snooping enabled already, with trust enabled on the port connected to R3.

SW1#sh run | inc snoop|arp
ip dhcp snooping vlan 100
ip dhcp snooping
ip arp inspection vlan 100
ip dhcp snooping trust

R5 gets an IP address from R3 which is an DHCP server and now we can see following entry on SW1:

SW1#sho ip dhcp snooping binding 
MacAddress         IpAddress   Lease(sec) Type           VLAN  Interface
------------------ ----------- ---------- -------------  ----  ---------------
00:00:00:00:00:05  192.168.0.5 86381      dhcp-snooping  100   FastEthernet0/5
Total number of bindings: 1

We tried to ping R1from R5 but getting RTO:

R5#ping 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:

*Jan  7 09:36:20.361: IP: tableid=0, s=192.168.0.5 (local), d=192.168.0.1
            (Ethernet0/0), routed via RIB
*Jan  7 09:36:20.361: IP: s=192.168.0.5 (local), d=192.168.0.1 (Ethernet0/0),
             len 100, sending
*Jan  7 09:36:20.361:     ICMP type=8, code=0
*Jan  7 09:36:20.361: IP ARP: creating incomplete entry for IP address:
             192.168.0.1 interface Ethernet0/0
*Jan  7 09:36:20.361: IP ARP: sent req src 192.168.0.5 0000.0000.0005,
                 dst 192.168.0.1 0000.0000.0000 Ethernet0/0

Checking debug messages on SW1:

SW1#debug arp 
07:43:49: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 100.
([0000.0000.0001/192.168.0.1/0000.0000.0005/192.168.0.5/07:43:49 UTC Mon Mar 1 1993])

Actually, SW1 is not allowing the ARP reply from R1 because the port is untrusted in the arp inspection configuration and R1’s address is not in the DHCP snooping database. We can see the request make it on R1:

R1#
*Mar  2 00:31:09.685: IP ARP: rcvd req src 192.168.0.5 0000.0000.0005,
             dst 192.168.0.1 Ethernet0/0
*Mar  2 00:31:09.685: IP ARP: sent rep src 192.168.0.1 0000.0000.0001,
                 dst 192.168.0.5 0000.0000.0005 Ethernet0/0

But R5 never gets the reply. For NON-DHCP hosts we can create an ARP ACL and apply it to the DAI configuration as below:

SW1(config)#arp access-list ARP-TEST  
SW1(config-arp-nacl)#permit ip host 192.168.0.1 ?
  mac  Sender MAC address
SW1(config-arp-nacl)#permit ip host 192.168.0.1 mac ?
  H.H.H  Sender MAC address
  any    Any MAC address
  host   Single Sender host
SW1(config-arp-nacl)#permit ip host 192.168.0.1 mac host 0000.0000.0001
SW1(config-arp-nacl)#exit
SW1(config)#ip arp inspection filter ARP-TEST vlan 100 

Now let's ping:

R5#ping 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/9/12 ms
R5#

There is another option for the DAI filter and that is “static”

SW1(config)#ip arp inspection filter ARP-TEST vlan 100  ?
  static  Apply the ACL statically

If we applied this argument to the command, DAI would only check the ARP ACL and not fallback to the DHCP snooping database. That would prevent R5 ARPs from being allowed:-

SW1(config)#ip arp inspection filter ARP-TEST vlan 100  static 

R5#ping 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#

Checking debug messages on SW1:

SW1#
07:52:53: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 100.
([0000.0000.0005/192.168.0.5/0000.0000.0000/192.168.0.1/07:52:53 UTC Mon Mar 1 1993])

Requests are being denied inbound on f0/5 now.

Thanks for reading the blog ……

Recommended link:

close

Sign up to receive awesome content in your inbox, every month.

We don’t spam! Read our privacy policy for more info.

Leave a Reply