Dynamic ARP Inspection (with D2)

Hi,

I want to configure Dynamic ARP Inspection with a D2 device (Firmware 6.03.11.0004). I configured DHCP Snooping for the Client VLAN (10) with the corresponding trusted and untrusted ports and with "show dhcpsnooping bindings" I see the data.

I also configured DAI with
set arpinspection vlan 10 logging
set arpinspection trust port <UPLINK> enable

Unfortunately I can run a successful ARP attack for man-in-the-middle from a client (untrusted) port, which results in a poisoned ARP table. No logging happened.

If I run "set arpinspection vlan 10" I get: "Failed to configure DAI on the vlan range".

Does anybody have a clue?

Best Regards
Michael

Michael Kirchner

Posted 4 years ago

Michael Kirchner
Same behavior with Firmware 06.03.13.0001

Jason Parker, Employee

Let's take a look in the lab

D2G124-12P-188-56(su)->show config dhcpsnooping

#dhcpsnooping
set dhcpsnooping enable
set dhcpsnooping vlan 188-189 enable
set dhcpsnooping trust port ge.1.5 enable
!

set arpinspection vlan 188-189
<164>Mar 27 12:31:26     10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
<164>Mar 27 12:31:27     10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5539 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE

set arpinspection trust  port ge.1.5 enable

Messages stopped

Here is my logging
#logging
set logging default severity 8
set logging local console enable file enable
Also
set logging default severity 7
set arpinspection trust  port ge.1.5 disable


<164>Mar 27 12:31:26     10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE

set arpinspection trust  port ge.1.5 enable
Messages stopped

I would suggest verifying that you get messages before testing with traffic

If this is sufficient please let us know

If more work is needed then I suggest opening a Case with the GTAC (I would be happy to be the co-owner of the case)

Thanks
Jason Parker
Jason Parker, Employee

Please note that arpinspection commands are needed in order to get the logs.
My example is pasted below

#arpinspection
set arpinspection vlan 188-189
set arpinspection trust port ge.1.5 enable
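The two replies above make one practical point: check that DAI is actually enabled on the snooped VLAN and that the uplink is trusted for ARP inspection, and confirm you see drop messages before testing with traffic. The following is an added example, not code from the thread or from Extreme, that automates that check offline: it parses "show config" style dhcpsnooping/arpinspection sections, parses DAI drop syslog lines of the form quoted in the thread, and reports VLANs that are snooped but have no arpinspection entry, ports trusted for DHCP snooping but not for ARP inspection (with the number of drops logged on them), and drops seen on untrusted ports. The sample config and log lines are constructed for the example; the assumption that the CLI syntax matches the thread's snippets (including the optional trailing "logging" keyword) is mine.

```python
"""Cross-check DHCP snooping / DAI config against DAI drop syslog lines.

Added example, not part of the thread. Assumes the EOS-style syntax shown
in the thread: 'set dhcpsnooping vlan <range> enable',
'set dhcpsnooping trust port <port> enable', 'set arpinspection vlan <range>
[logging]' and 'set arpinspection trust port <port> enable|disable'.
"""
import re
from collections import Counter

# Constructed sample config modelled on the thread: VLAN 188 is snooped but
# has no arpinspection entry, and ge.1.5 is trusted only for DHCP snooping.
SAMPLE_CONFIG = """\
#dhcpsnooping
set dhcpsnooping enable
set dhcpsnooping vlan 188-189 enable
set dhcpsnooping trust port ge.1.5 enable
!
#arpinspection
set arpinspection vlan 189 logging
!
"""

# Constructed sample log lines following the format quoted in the thread.
SAMPLE_LOGS = """\
<164>Mar 27 12:31:26     10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
<164>Mar 27 12:31:27     10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5539 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
<164>Mar 27 12:31:27     10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5540 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
<164>Mar 27 12:32:01     10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5541 % DAI dropped ARP frame rcvd on i/f ge.1.12 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
"""

DAI_DROP = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+DAI\[\d+\]:.*?"
    r"DAI dropped ARP frame rcvd on i/f (?P<iface>\S+) in vlan (?P<vlan>\d+), "
    r"due to - (?P<reason>.+?)\s*$"
)


def syslog_pri(pri):
    """Decode a syslog <PRI> value into (facility, severity) per RFC 5424."""
    return pri // 8, pri % 8


def expand_vlans(spec):
    """Expand '188-189', '10' or '10,20-22' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Collect snooped VLANs, DAI VLANs and the trust lists from config text."""
    cfg = {"snoop_vlans": set(), "snoop_trust": set(),
           "dai_vlans": set(), "dai_trust": set()}
    for raw in text.splitlines():
        w = raw.split()
        if len(w) < 4 or w[0] != "set":
            continue  # comments, '!' separators and bare enable lines
        feature, sub = w[1], w[2]
        if feature == "dhcpsnooping" and sub == "vlan" and w[-1] == "enable":
            cfg["snoop_vlans"] |= expand_vlans(w[3])
        elif feature == "dhcpsnooping" and sub == "trust" and w[-1] == "enable":
            cfg["snoop_trust"].add(w[4])
        elif feature == "arpinspection" and sub == "vlan":
            cfg["dai_vlans"] |= expand_vlans(w[3])  # trailing 'logging' ignored
        elif feature == "arpinspection" and sub == "trust" and w[-1] == "enable":
            cfg["dai_trust"].add(w[4])
    return cfg


def parse_drops(text):
    """Count DAI drops keyed by (interface, vlan, reason)."""
    drops = Counter()
    for line in text.splitlines():
        m = DAI_DROP.match(line)
        if m:
            drops[(m["iface"], int(m["vlan"]), m["reason"])] += 1
    return drops


def review(config_text, log_text):
    """Return human-readable findings for the config/log pair."""
    cfg, drops = parse_config(config_text), parse_drops(log_text)
    findings = []
    for vlan in sorted(cfg["snoop_vlans"] - cfg["dai_vlans"]):
        findings.append(f"vlan {vlan}: DHCP snooping on but DAI not enabled "
                        f"(no 'set arpinspection vlan {vlan}')")
    for port in sorted(cfg["snoop_trust"] - cfg["dai_trust"]):
        n = sum(c for (iface, _, _), c in drops.items() if iface == port)
        findings.append(f"port {port}: trusted for DHCP snooping but not for ARP "
                        f"inspection; {n} DAI drop(s) logged on it")
    for (iface, vlan, reason), n in sorted(drops.items()):
        if iface not in cfg["snoop_trust"] | cfg["dai_trust"]:
            findings.append(f"port {iface} vlan {vlan}: {n} drop(s) on untrusted "
                            f"port - {reason} (expected DAI enforcement)")
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_CONFIG, SAMPLE_LOGS):
        print(f)
```

Run against the sample data the script reports VLAN 188 as snooped without DAI, ge.1.5 as trusted for snooping but not for ARP inspection with three drops logged on it (the situation in the lab run above before the trust command was applied), and one drop on the untrusted port ge.1.12. Feed it your own "show config" output and a syslog export to see the same three classes of finding for a real switch.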