Dynamic ARP Inspection (with D2)

Michael_Kirchne
Contributor
Hi,

I want to configure Dynamic ARP Inspection with a D2 device (Firmware 6.03.11.0004). I configured DHCP Snooping for the Client VLAN (10) with the corresponding trusted and untrusted ports and with "show dhcpsnooping bindings" I see the data.

I also configured DAI with
set arpinspection vlan 10 logging
set arpinspection trust port enable

Unfortunately I can run a successful ARP attack for man-in-the-middle from a client (untrusted) port, which results in a poisoned ARP table. No logging happened.

If I run "set arpinspection vlan 10" I get: "Failed to configure DAI on the vlan range".

Does anybody have a clue?

Best Regards
Michael

3 REPLIES

Michael_Kirchne
Contributor
Same behavior with Firmware 06.03.13.0001

Please note that arpinspection commands are needed in order to get the logs.
My example is pasted below

#arpinspection
set arpinspection vlan 188-189
set arpinspection trust port ge.1.5 enable

Let's take a look in the lab

D2G124-12P-188-56(su)->show config dhcpsnooping

#dhcpsnooping
set dhcpsnooping enable
set dhcpsnooping vlan 188-189 enable
set dhcpsnooping trust port ge.1.5 enable
!

set arpinspection vlan 188-189
<164>Mar 27 12:31:26 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
<164>Mar 27 12:31:27 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5539 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE

set arpinspection trust port ge.1.5 enable

Messages stopped

Here is my logging
#logging
set logging default severity 8
set logging local console enable file enable
Also
set logging default severity 7
set arpinspection trust port ge.1.5 disable

<164>Mar 27 12:31:26 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE

set arpinspection trust port ge.1.5 enable
Messages stopped

I would suggest verifying that you get messages before testing with traffic

If this is sufficient please let us know

If more work is needed then I suggest opening a Case with the GTAC (I would be happy to be the co-owner of the case)

Thanks
Jason Parker
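As an added example (not part of the thread or of Extreme's firmware), here is a small parser for the DAI drop messages quoted above, so the "verify that you get messages before testing with traffic" step can be checked from a syslog collector rather than the console. It assumes the message layout shown in the thread; the sample lines are constructed from the two quoted above plus one unrelated line.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Pattern derived from the DAI syslog lines quoted in the thread, e.g.
#   <164>Mar 27 12:31:26 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 %
#   DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE
DAI_DROP_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) DAI\[\d+\]: "
    r".*?DAI dropped ARP frame rcvd on i/f (?P<port>\S+) in vlan (?P<vlan>\d+), "
    r"due to - (?P<reason>.+)$"
)

class DaiDrop(NamedTuple):
    severity: int    # syslog severity decoded from PRI (PRI = facility * 8 + severity)
    timestamp: str
    host: str
    port: str
    vlan: int
    reason: str

def parse_dai_drop(line: str) -> Optional[DaiDrop]:
    """Return a DaiDrop for a DAI drop message, or None for any other syslog line."""
    m = DAI_DROP_RE.match(line.strip())
    if not m:
        return None
    return DaiDrop(int(m["pri"]) & 7, m["ts"], m["host"],
                   m["port"], int(m["vlan"]), m["reason"])

def summarize_drops(lines) -> Counter:
    """Count DAI drops per (port, vlan, reason); lines that are not DAI drops are skipped."""
    counts = Counter()
    for line in lines:
        drop = parse_dai_drop(line)
        if drop is not None:
            counts[(drop.port, drop.vlan, drop.reason)] += 1
    return counts

# Constructed sample input: the two drop lines from the thread and one unrelated line.
SAMPLE_LOG = [
    "<164>Mar 27 12:31:26 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5538 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE",
    "<164>Mar 27 12:31:27 10.58.188.56-1 DAI[87298272]: dai_util.c(590) 5539 % DAI dropped ARP frame rcvd on i/f ge.1.5 in vlan 189, due to - DHCP SNOOP DB MATCH FAILURE",
    "<166>Mar 27 12:31:28 10.58.188.56-1 CLI[87298272]: cli.c(100) 5540 % user admin logged in",
]

if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOG).items():
        print(f"port {key[0]} vlan {key[1]}: {n} drop(s), reason: {key[2]}")
```

A port that keeps producing drops after "set arpinspection trust port ... enable" indicates the trust setting did not take effect, which is what the replies above are checking for.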