
Author Topic: Issues with Dynamic ARP Inspection


Offline mixthoor

  • Full Member
  • ***
  • Posts: 53
Issues with Dynamic ARP Inspection
« on: March 22, 2016, 04:40:54 AM »
I saw a great article on the Mr. McNamara's blog: https://blog.michaelfmcnamara.com/2013/01/dhcp-snooping-arp-inspection-ip-source-guard/

I've got a problem with my customer's network. I have a plotter with a static IPv4 address. The port was configured as ARP-INSPECTION UNTRUSTED. With this configuration, I am unable to reach the plotter with ICMPv4 or HTTP. When I set the port as ARP-INSPECTION TRUSTED, I am able to reach my device.

My questions are:
Quote
Dynamic ARP Inspection relies on the information stored in the DHCP binding table (from DHCP Snooping) to validate the ARP packets it receives on untrusted ports.
How can I see this table? I've got only this:
Code:
#sh ip dhcp-snooping binding summary
Learned Entries: 57
Static Entries: 0
Total Entries: 57


Quote
Any device whether it be statically configured or dynamically configured would need to appear in the DHCP binding table.
How can I add the devices to this table?

Quote
If you have a statically configured device you’ll need to manually populate the DHCP snooping table.
OK, how?

Quote
This is another great reason to use manual or reserved DHCP assignments where possible if the device requires a persistent IP address.
I have already told my customer that. I will check the DHCP pool with bindings myself.

Quote
This feature will likely create some significant administrative overhead based on the number of devices configured with a static IP address over the number of DHCP configured devices.
Yeah, exactly :/
ACE-Fx I #00531


Offline pat2012

  • Sr. Member
  • ****
  • Posts: 141
Re: Issues with Dynamic ARP Inspection
« Reply #1 on: March 22, 2016, 10:43:19 AM »
Good day mixthoor.

Firstly, you should include the switch model and code release version.

For the ERS 4000s, release 5.6, the command to view the binding table is:
show ip dhcp-snooping binding

To add a device to the binding table:
ip dhcp-snooping binding <1-4094> <MAC_addr> [ip <IP_addr>][port <LINE>] [expiry <1-4294967295>]

where
<1-4094> Specifies the ID of the VLAN that the DHCP client is a member of.
expiry <1-4294967295> Specifies the time, in seconds, before the DHCP client binding expires.
ip <IP_addr> Specifies the IP address of the DHCP client.
<MAC_addr> Specifies the MAC address of the DHCP client.
port <LINE> Specifies the switch port that the DHCP client is connected to.

To delete just use "no" in front of the command used to add.

For more information you can check this document:
Configuration — Security Avaya Ethernet Routing Switch 4000 Series
NN47205-505, 08.01
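The procedure above (one `ip dhcp-snooping binding` line per statically addressed host, and the same line with `no` in front to delete it) is exactly the administrative overhead the first post worries about, so it is worth generating those lines from an inventory instead of typing them. The script below is an added example; it is not code from this thread, from Avaya, or from the blog post quoted. It uses only the command syntax quoted in the reply, validates the VLAN range, MAC, IPv4 address, port and expiry bound before emitting anything, and rejects duplicate MACs or IPs within a VLAN. Assumptions: the port is written as a plain unit/port string such as `12` or `1/12`, the MAC is emitted colon-separated (check the cited security guide for the form your release accepts), and every inventory value is constructed.

```python
"""Generate static DHCP-snooping binding lines for hosts with static IPs.

Added example, not code from the forum thread, Avaya, or the quoted blog post.
It turns an inventory of statically addressed devices into the
`ip dhcp-snooping binding <vlan> <mac> ip <ip> port <port> [expiry <s>]` lines
quoted above (plus the matching `no ...` lines), validating each field first,
so Dynamic ARP Inspection can validate those hosts' ARP packets on untrusted ports.
Assumptions: port spec is "12" or "1/12" style; all inventory values are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
PORT_RE = re.compile(r"^\d+(/\d+)?$")   # assumed port form: "12" or "1/12"
MAX_EXPIRY = 4294967295                  # upper bound quoted in the syntax above


@dataclass(frozen=True)
class StaticHost:
    name: str
    vlan: int
    mac: str
    ip: str
    port: str
    expiry: Optional[int] = None  # seconds; None omits the optional expiry keyword


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff
    and return the lower-case colon-separated form; reject anything else."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    out = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    assert MAC_RE.match(out)
    return out


def validate(host: StaticHost) -> StaticHost:
    """Return a copy with normalised fields, or raise ValueError naming the problem."""
    if not 1 <= host.vlan <= 4094:
        raise ValueError(f"{host.name}: VLAN {host.vlan} outside 1-4094")
    mac = normalize_mac(host.mac)
    try:
        ip = ipaddress.IPv4Address(host.ip)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{host.name}: bad IPv4 address {host.ip!r}") from exc
    if ip.is_multicast or ip.is_unspecified or ip.is_loopback:
        raise ValueError(f"{host.name}: {ip} cannot be a host binding")
    if not PORT_RE.match(host.port):
        raise ValueError(f"{host.name}: unexpected port spec {host.port!r}")
    if host.expiry is not None and not 1 <= host.expiry <= MAX_EXPIRY:
        raise ValueError(f"{host.name}: expiry {host.expiry} outside 1-{MAX_EXPIRY}")
    return StaticHost(host.name, host.vlan, mac, str(ip), host.port, host.expiry)


def binding_command(host: StaticHost) -> str:
    """The `ip dhcp-snooping binding ...` line for one validated host."""
    h = validate(host)
    cmd = f"ip dhcp-snooping binding {h.vlan} {h.mac} ip {h.ip} port {h.port}"
    if h.expiry is not None:
        cmd += f" expiry {h.expiry}"
    return cmd


def removal_command(host: StaticHost) -> str:
    """The deletion form from the reply: the same line prefixed with `no`."""
    return "no " + binding_command(host)


def generate(hosts: List[StaticHost]) -> List[str]:
    """Validate the whole inventory, reject a MAC or IP bound twice in one VLAN,
    and return the binding lines in inventory order."""
    seen_mac, seen_ip, cmds = set(), set(), []
    for raw in hosts:
        h = validate(raw)
        if (h.vlan, h.mac) in seen_mac:
            raise ValueError(f"{h.name}: MAC {h.mac} already bound in VLAN {h.vlan}")
        if (h.vlan, h.ip) in seen_ip:
            raise ValueError(f"{h.name}: IP {h.ip} already bound in VLAN {h.vlan}")
        seen_mac.add((h.vlan, h.mac))
        seen_ip.add((h.vlan, h.ip))
        cmds.append(binding_command(h))
    return cmds


# Constructed inventory: the static-IP plotter from the thread plus a printer.
SAMPLE_HOSTS = [
    StaticHost("plotter", 10, "00-1B-2C-3D-4E-5F", "192.0.2.20", "12"),
    StaticHost("printer", 10, "001b.2c3d.4e60", "192.0.2.21", "1/13", expiry=86400),
]

if __name__ == "__main__":
    for line in generate(SAMPLE_HOSTS):
        print(line)
```

Run it and paste the printed lines into the switch configuration; the `removal_command` output undoes a binding the same way the reply describes. Keeping the inventory in one place also makes it obvious which static devices still need a binding when a DAI-untrusted port stops passing traffic.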

Offline mixthoor

  • Full Member
  • ***
  • Posts: 53
Re: Issues with Dynamic ARP Inspection
« Reply #2 on: March 22, 2016, 12:19:35 PM »
Hi,

Code:
sysDescr:              Ethernet Routing Switch 4548GT-PWR
                       HW:05       FW:5.3.0.3   SW:v5.6.3.025
                       Mfg Date:20090823    HW Dev:
Serial #:              LBNNTMMD17040H
Operational Software:  FW:5.3.0.3   SW:v5.6.3.025
Installed software:    FW:5.3.0.3   SW:v5.6.3.025

I see these commands. I will try them and read this sec config guide. Thx a lot! :)
ACE-Fx I #00531

Offline pat2012

  • Sr. Member
  • ****
  • Posts: 141
Re: Issues with Dynamic ARP Inspection
« Reply #3 on: March 22, 2016, 12:21:49 PM »
You're welcome!

 :)