Dynamic ARP Inspection (with D2)
‎02-11-2014 09:43 PM
Hi,
I want to configure Dynamic ARP Inspection with a D2 device (Firmware 6.03.11.0004). I configured DHCP Snooping for the Client VLAN (10) with the corresponding trusted and untrusted ports and with "show dhcpsnooping bindings" I see the data.
I also configured DAI with
set arpinspection vlan 10 logging
set arpinspection trust port enable
Unfortunately I can run a successful ARP Attack for Man-in-the-middle from a Client (untrusted) port, which results in a poisoned ARP table. No logging happened.
If I run "set arpinspection vlan 10" I get: "Failed to configure DAI on the vlan range".
Does anybody have a clue?
Best Regards
Michael
3 REPLIES
‎02-12-2014 11:12 AM
Same behavior with Firmware 06.03.13.0001
‎02-12-2014 11:12 AM
Please note that arpinspection commands are needed in order to get the logs.
My example is pasted below
#arpinspection
set arpinspection vlan 188-189
set arpinspection trust port ge.1.5 enable
‎02-12-2014 11:12 AM
Let's take a look in the lab
D2G124-12P-188-56(su)->show config dhcpsnooping
#dhcpsnooping
set dhcpsnooping enable
set dhcpsnooping vlan 188-189 enable
set dhcpsnooping trust port ge.1.5 enable
!
set arpinspection vlan 188-189
<164>Mar 27 12:31:26 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
<164>Mar 27 12:31:27 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5539 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
set arpinspection trust port ge.1.5 enable
Messages stopped
Here is my logging
#logging
set logging default severity 8
set logging local console enable file enable
Also
set logging default severity 7
set arpinspection trust port ge.1.5 disable
<164>Mar 27 12:31:26 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
set arpinspection trust port ge.1.5 enable
Messages stopped
I would suggest verifying that you get messages before testing with traffic
If this is sufficient please let us know
If more work is needed then I suggest opening a Case with the GTAC (I would be happy to be the co-owner of the case)
Thanks
Jason Parker
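As an added example (not from the thread and not D2 firmware code), here is a small Python parser for the DAI drop messages Jason posted above. It pulls the ingress port, VLAN and drop reason out of each syslog line and counts drops per port, which is the check you would run against the switch's log to confirm that DAI is actually logging before testing with traffic, and to see which untrusted port is producing "DHCP SNOOP DB MATCH FAILURE" drops. The ge.1.7 line and the DHCPSNOOP line in the sample are constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample in the D2's DAI syslog format: the first two lines are the
# thread's lab output, the ge.1.7 and DHCPSNOOP lines are made up for contrast.
SAMPLE_SYSLOG = """\
<164>Mar 27 12:31:26 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
<164>Mar 27 12:31:27 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5539 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
<164>Mar 27 12:31:29 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5540 % DAI dropped ARP frame rcvd on i/f ge.1.7 in vlan 188, due to - DHCP SNOOP DB MATCH FAILURE
<166>Mar 27 12:31:30 10.58.188.56-1 DHCPSNOOP[87298272]: unrelated message (constructed)
"""

# Fields: syslog PRI, timestamp, reporting host, ingress port, VLAN, drop reason.
DAI_DROP_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) DAI\[\d+\]: "
    r".*?DAI dropped ARP frame rcvd on i/f (?P<iface>\S+) in vlan (?P<vlan>\d+), "
    r"due to - (?P<reason>.+?)\s*$"
)

def parse_dai_drop(line):
    """Return a dict for a DAI drop line, or None for any other line."""
    m = DAI_DROP_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity (RFC 3164)
    return {
        "severity": pri % 8,   # <164> -> severity 4 (warning)
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "iface": m.group("iface"),
        "vlan": int(m.group("vlan")),
        "reason": m.group("reason"),
    }

def summarize_drops(text):
    """Count DAI drops per (ingress port, VLAN, reason)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_dai_drop(line)
        if rec is not None:
            counts[(rec["iface"], rec["vlan"], rec["reason"])] += 1
    return counts

def ports_over_threshold(counts, threshold):
    """Ports whose total drop count reaches the threshold, sorted by name."""
    per_port = Counter()
    for (iface, _vlan, _reason), n in counts.items():
        per_port[iface] += n
    return sorted(p for p, n in per_port.items() if n >= threshold)
```

Feed it the output of the switch's file log (or a syslog collector's file) instead of SAMPLE_SYSLOG; a port that keeps showing up after the DHCP snooping bindings are populated is the one to look at.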
