topic RE: Dynamic ARP Inspection (with D2) in ExtremeSwitching (Other)

Dynamic ARP Inspection (with D2)

Michael_Kirchne — Wed, 12 Feb 2014 05:43:00 GMT

Hi,

I want to configure Dynamic ARP Inspection with a D2 device (Firmware 6.03.11.0004). I configured DHCP Snooping for the Client VLAN (10) with the corresponding trusted and untrusted ports and with "show dhcpsnooping bindings" I see the data.

I also configured DAI with
set arpinspection vlan 10 logging
set arpinspection trust port enable

Unfortunately I can run a successful ARP Attac for Man-in-the-middle from a Client (untrusted) port. Which results in a poisoned ARP table. No logging happend.

If i run "set arpinspection vlan 10" I get: "Failed to configure DAI on the vlan range".

Does anybody have a clue?

Best Regards
Michael

RE: Dynamic ARP Inspection (with D2)

Michael_Kirchne — Wed, 12 Feb 2014 19:12:00 GMT

Same behavior with Firmware 06.03.13.0001

RE: Dynamic ARP Inspection (with D2)

Jason_Parker — Wed, 12 Feb 2014 19:12:00 GMT

Lets take a look in the lab

D2G124-12P-188-56(su)->show config dhcpsnooping

#dhcpsnooping
set dhcpsnooping enable
set dhcpsnooping vlan 188-189 enable
set dhcpsnooping trust port ge.1.5 enable
!

set arpinspection vlan 188-189
<164>Mar 27 12:31:26 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
<164>Mar 27 12:31:27 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5539 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE

set arpinspection trust port ge.1.5 enable

Messages stopped

Here is my logging
#logging
set logging default severity 8
set logging local console enable file enable
Also
set logging default severity 7
set arpinspection trust port ge.1.5 disable

<164>Mar 27 12:31:26 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE

set arpinspection trust port ge.1.5 enable
Messages stopped

I would suggest verifying that you get messages before testing with traffic

If this is sufficient please let us know

If more work is needed then I suggest opening a Case with the GTAC(I would be happy to be the co-owner of the case)

Thanks
Jason Parker

RE: Dynamic ARP Inspection (with D2)

Jason_Parker — Wed, 12 Feb 2014 19:12:00 GMT

Please note that arpinspection commands are needed in order to get thel logs.
My example is pasted below

#arpinspection
set arpinspection vlan 188-189
set arpinspection trust port ge.1.5 enable