Today we will look at ARP inspection and how it impacts non-DHCP hosts.
R1, R3 and R5 are all on VLAN 100, connected to switch SW1:
- R1 – Static host
- R3 – DHCP Server
- R5 – DHCP client
This scenario shows how DAI works with DHCP snooping to block ARP packets from untrusted ports, and how non-DHCP hosts can still be a part of the network.
SW1 has ARP Inspection and DHCP snooping enabled already, with trust enabled on the port connected to R3.
SW1#sh run | inc snoop|arp
ip dhcp snooping vlan 100
ip dhcp snooping
ip arp inspection vlan 100
ip dhcp snooping trust
R5 gets an IP address from R3, the DHCP server, and now we can see the following entry on SW1:
SW1#sho ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ ----------- ---------- ------------- ---- ---------------
00:00:00:00:00:05 192.168.0.5 86381 dhcp-snooping 100 FastEthernet0/5
Total number of bindings: 1
We try to ping R1 from R5 but get request timeouts (RTO):
R5#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
*Jan 7 09:36:20.361: IP: tableid=0, s=192.168.0.5 (local), d=192.168.0.1
(Ethernet0/0), routed via RIB
*Jan 7 09:36:20.361: IP: s=192.168.0.5 (local), d=192.168.0.1 (Ethernet0/0),
len 100, sending
*Jan 7 09:36:20.361: ICMP type=8, code=0
*Jan 7 09:36:20.361: IP ARP: creating incomplete entry for IP address:
192.168.0.1 interface Ethernet0/0
*Jan 7 09:36:20.361: IP ARP: sent req src 192.168.0.5 0000.0000.0005,
dst 192.168.0.1 0000.0000.0000 Ethernet0/0
Checking debug messages on SW1:
SW1#debug arp
07:43:49: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 100.
([0000.0000.0001/192.168.0.1/0000.0000.0005/192.168.0.5/07:43:49 UTC Mon Mar 1 1993])
SW1 is not allowing the ARP reply from R1 because R1's port is untrusted in the ARP inspection configuration and R1's address is not in the DHCP snooping database. We can see the request reach R1, and R1 sending the reply:
R1#
*Mar 2 00:31:09.685: IP ARP: rcvd req src 192.168.0.5 0000.0000.0005,
dst 192.168.0.1 Ethernet0/0
*Mar 2 00:31:09.685: IP ARP: sent rep src 192.168.0.1 0000.0000.0001,
dst 192.168.0.5 0000.0000.0005 Ethernet0/0
But R5 never gets the reply. For non-DHCP hosts we can create an ARP ACL and apply it to the DAI configuration as below:
SW1(config)#arp access-list ARP-TEST
SW1(config-arp-nacl)#permit ip host 192.168.0.1 ?
mac Sender MAC address
SW1(config-arp-nacl)#permit ip host 192.168.0.1 mac ?
H.H.H Sender MAC address
any Any MAC address
host Single Sender host
SW1(config-arp-nacl)#permit ip host 192.168.0.1 mac host 0000.0000.0001
SW1(config-arp-nacl)#exit
SW1(config)#ip arp inspection filter ARP-TEST vlan 100
Now let's ping:
R5#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/9/12 ms
R5#
There is another option for the DAI filter, and that is “static”:
SW1(config)#ip arp inspection filter ARP-TEST vlan 100 ?
static Apply the ACL statically
If we append this keyword to the command, DAI checks only the ARP ACL and does not fall back to the DHCP snooping database. That prevents R5's ARPs from being allowed:
SW1(config)#ip arp inspection filter ARP-TEST vlan 100 static
R5#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
Checking debug messages on SW1:
SW1#
07:52:53: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 100.
([0000.0000.0005/192.168.0.5/0000.0000.0000/192.168.0.1/07:52:53 UTC Mon Mar 1 1993])
Requests from R5 are now being denied inbound on Fa0/5, because they match no ARP ACL entry and the static filter does not consult the DHCP snooping binding.
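To make the decision path in this lab explicit, here is a small Python model of the DAI checks demonstrated above. It is an added example, not code from the original post or from Cisco; it assumes R3 sits on Fa0/3 (the page only says R3's port is trusted) and models the documented IOS behaviour where an applied ARP ACL is consulted before the DHCP snooping bindings, an explicit ACL deny is final, and "static" turns the ACL's implicit deny into a final deny instead of a fallback.

```python
# Added illustration of the DAI decision path; bindings, ACL and port trust
# are constructed to mirror the lab above (R3 on Fa0/3 is an assumption).
from dataclasses import dataclass, field

@dataclass
class Dai:
    trusted_ports: set = field(default_factory=set)
    bindings: set = field(default_factory=set)   # {(sender_mac, sender_ip)} learned by DHCP snooping
    acl: list = field(default_factory=list)      # [(action, sender_ip, sender_mac|"any")]
    acl_applied: bool = False
    static: bool = False

    def inspect(self, port, sender_mac, sender_ip, kind):
        """Return 'PERMIT' or a drop reason shaped like the SW_DAI syslog mnemonics."""
        if port in self.trusted_ports:
            return "PERMIT"                       # trusted ports are not inspected
        if self.acl_applied:
            for action, ip, mac in self.acl:
                if ip == sender_ip and mac in ("any", sender_mac):
                    return "PERMIT" if action == "permit" else f"ACL_DENY ({kind})"
            if self.static:
                return f"ACL_DENY ({kind})"       # implicit deny is final, no fallback
        # no ACL decision: fall back to the DHCP snooping binding table
        if (sender_mac, sender_ip) in self.bindings:
            return "PERMIT"
        return f"DHCP_SNOOPING_DENY ({kind})"

R1 = ("Fa0/1", "0000.0000.0001", "192.168.0.1")   # static host
R3 = ("Fa0/3", "0000.0000.0003", "192.168.0.3")   # DHCP server, trusted port (assumed Fa0/3)
R5 = ("Fa0/5", "0000.0000.0005", "192.168.0.5")   # DHCP client

def lab():
    """SW1 before the ARP ACL: snooping binding for R5 only, trust on R3's port."""
    return Dai(trusted_ports={R3[0]}, bindings={(R5[1], R5[2])})

def with_acl(static=False):
    """SW1 after 'ip arp inspection filter ARP-TEST vlan 100 [static]'."""
    dai = lab()
    dai.acl = [("permit", R1[2], R1[1])]          # permit ip host 192.168.0.1 mac host 0000.0000.0001
    dai.acl_applied = True
    dai.static = static
    return dai

if __name__ == "__main__":
    for label, sw in (("no ACL", lab()), ("ACL", with_acl()), ("ACL static", with_acl(True))):
        print(label, "R1 reply:", sw.inspect(*R1, "Res"), "| R5 request:", sw.inspect(*R5, "Req"))
```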
Thanks for reading the blog.