Issues with Dynamic ARP Inspection

[mixthoor]

I saw a great article on the Mr. McNamara's blog: https://blog.michaelfmcnamara.com/2013/01/dhcp-snooping-arp-inspection-ip-source-guard/

I've got a problem with my customer network. I have the plotter with static IPv4. The Port was configured as ARP-INSPECTION UNTRUSTED. With this configuration, I am unable to reach the plotter with ICMPv4 or HTTP. When I set the port as ARP-INSPECTION TRUSTED, I am able to reach my device.

My questions are:

Dynamic ARP Inspection relies on the information stored in the DHCP binding table (from DHCP Snooping) to validate the ARP packets it receives on untrusted ports.

How can I see this table? I've got only this:

Code: [Select]

#sh ip dhcp-snooping binding summary
Learned Entries: 57
Static Entries: 0
Total Entries: 57

Any device whether it be statically configured or dynamically configured would need to appear in the DHCP binding table.

How can I add the devices to this table?

If you have a statically configured device you’ll need to manually populate the DHCP snooping table.

OK, how?

This is another great reason to use manual or reserved DHCP assignments where possible if the device requires a persistent IP address.

I said that already mine customer. I will check the DHCP pool with bindings myself.

This feature will likely create some significant administrative overhead based on the number of devices configured with a static IP address over the number of DHCP configured devices.

Yeah, exactly :/

[pat2012]

Good day mixthoor.

Firstly, you should include the switch model and code release version.

For the ERS 4000s, release 5.6, the command to view the binding table is:
show ip dhcp-snooping binding

To add a device to the binding table:
ip dhcp-snooping binding <1-4094> <MAC_addr> [ip <IP_addr>][port <LINE>] [expiry <1-4294967295>]

where
<1-4094> Specifies the ID of the VLAN that the DHCP client is a member of.
expiry <1-4294967295> Specifies the time, in seconds, before the DHCP client binding expires.
ip <IP_addr> Specifies the IP address of the DHCP client.
<MAC_addr> Specifies the MAC address of the DHCP client.
port <LINE> Specifies the switch port that the DHCP client is connected to.

To delete just use "no" in front of the command used to add.

For more information you can check this document:
Configuration — Security Avaya Ethernet Routing Switch 4000 Series
NN47205-505, 08.01

[mixthoor]

Hi,

Code: [Select]

sysDescr:              Ethernet Routing Switch 4548GT-PWR
                       HW:05       FW:5.3.0.3   SW:v5.6.3.025
                       Mfg Date:20090823    HW Dev:
Serial #:              LBNNTMMD17040H
Operational Software:  FW:5.3.0.3   SW:v5.6.3.025
Installed software:    FW:5.3.0.3   SW:v5.6.3.025
I see these commands. I will try it and read this sec config guide. Thx a lot!

[pat2012]

You're welcome!