Jump to content

CCNA Certification/Advanced Switching Topics

Add links
From Wikibooks, open books for an open world

Advanced Switching Topics

[edit | edit source]

IP source guard without DHCP When DHCP snooping is enabled, a switch maintains a database of the DHCP addresses assigned to the hosts connected to each access port. IP source guard references this database when a packet is received on any of these interfaces and compares the source address to the assigned address listed in the database. If the source address differs from the "allowed" address, the packet is assumed to spoofed and is discarded. Assuming DHCP isn't available or in use on a subnet, static IP bindings can be manually configured per access port to achieve the same effect.

Configuration

sw1(config)#ip dhcp snooping

sw1(config)#ip dhcp snooping vlan 146

sw1(config)#interface FastEthernet0/13

switchport access vlan 146

switchport trunk encapsulation dot1q

switchport mode access

ip verify source

sw1(config)#interface FastEthernet0/16

switchport access vlan 146

switchport mode access

ip verify source

sw1(config)#ip source binding 000D.29C0.F180 vlan 146 155.1.0.2 interface Fa0/13

sw1(config)#ip source binding 000D.29E3.AB00 vlan 146 155.1.0.3 interface Fa0/16

sw1(config)#do sh ip source binding

MacAddress IpAddress Lease(sec) Type VLAN Interface

--------------- ---------- ------------- ---- --------------------

0:0D:29:C0:F1:80 155.1.0.2 infinite static 146 FastEthernet0/13

00:0D:29:E3:AB:00 155.1.0.3 infinite static 146 FastEthernet0/16

Total number of bindings: 2

sw1(config)#do sh ip verify source

Interface Filter-type Filter-mode IP-address Mac-address Vlan

----------- ----------- --------------- ----------------- ----------

Fa0/13 ip active 155.1.0.2 146

Fa0/16 ip active 155.1.0.3 146

sw1(config)#

If you don't enable the dhcp snooping on sw1 it will show the following under Filter- mode lists inactive-no-snooping-vlan for any 

                                                   entry.

sw1(config)#no ip dhcp snooping vlan 146

sw1(config)#do sh ip verify source

Interface Filter-type Filter-mode IP-address Mac-address Vlan

----------- ----------- --------------- ----------------- ----------

Fa0/13 ip inactive-no-snooping-vlan

Fa0/16 ip inactive-no-snooping-vlan change the ip address of sw2 to 155.1.0.22 now try to ping 155.1.0.3 (sw3 ip address) the following error messages will be generated in sw1(3560).

sw1(config)#

02:30:26: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0. f180/155.1.0.22/000d.29e3.ab00/155.1.0.3/02:30:25 UTC Mon Mar 1 1993]) 02:30:26: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/13, vlan 146.([000d.29c0. f180/155.1.0.22/ffff.ffff.ffff/155.1.0.22/02:30:25 UTC Mon Mar 1 1993]) 02:30:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0. f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:32 UTC Mon Mar 1 1993]) 02:30:35: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0 f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:34 UTC Mon Mar 1 1993]) 02:30:37: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0. f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:36 UTC Mon Mar 1 1993]) 02:30:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0. f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:38 UTC Mon Mar 1 1993]) 02:30:40: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0. f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:40 UTC Mon Mar 1 1993]) 02:30:42: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0. f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:42 UTC Mon Mar 1 1993]) 02:30:44: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0. f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:44 UTC Mon Mar 1 1993]) 02:30:46: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0. f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:46 UTC Mon Mar 1 1993]) sw1(config)# 02:39:44: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0. f180/155.1.0.22/000d.29e3.ab00/155.1.0.3/02:39:43 UTC Mon Mar 1 1993]) 02:39:44: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/13, vlan 146.([000d.29c0. f180/155.1.0.22/ffff.ffff.ffff/155.1.0.22/02:39:43 UTC Mon Mar 1 1993]) sw1(config)# do sh ip arp inspection Source Mac Validation  : Disabled Destination Mac Validation : Disabled IP Address Validation  : Disabled 

Vlan     Configuration    Operation   ACL Match          Static ACL
----     -------------    ---------   ---------          ----------

146 Enabled Active Vlan ACL Logging DHCP Logging 

----     -----------      ------------
 146     Deny             Deny                                                                                                                                                   Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
----      ---------        -------     ----------      ---------
 146              3             12             12              0     
Vlan   DHCP Permits    ACL Permits   Source MAC Failures
----   ------------    -----------   -------------------
 146              3              0                     0
Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
----   -----------------   ----------------------   ---------------------
Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
----   -----------------   ----------------------   ---------------------
 146                   0                        0                       0

sw1(config)#ip arp inspection vlan 146


DAI ON NON DHCP SERVER ON SW1 sw1(config)#ip arp inspection vlan 146

sw1(config)#ip arp inspection filter vlan146 vlan 146

sw1(config)#interface FastEthernet0/13

switchport access vlan 146

switchport trunk encapsulation dot1q

switchport mode access

ip arp inspection limit rate 50 burst interval 10

sw1(config)#interface FastEthernet0/16

switchport access vlan 146

switchport mode access

sw1(config)#interface FastEthernet0/19

switchport access vlan 146

switchport mode access

sw1(config)#arp access-list vlan146

permit ip host 155.1.0.2 mac host 000d.29c0.f180

permit ip host 155.1.0.3 mac host 000d.29e3.ab00

ON SW2

sw2(config)#interface FastEthernet0/13

no switchport

ip address 155.1.0.2 255.255.255.0

no shutdown

ON SW3

sw3(config)#interface FastEthernet0/13

no switchport

ip address 155.1.0.3 255.255.255.0

no shutdown

ON SW4

interface FastEthernet0/13

no switchport

ip address 155.1.0.4 255.255.255.0

no shutdown

when you try to ping from sw4 it will generate arp error in sw1 but there will be no issue in case of sw2 and sw3 as the ip address to mac-address mapping is done by using arp-acl.

Retrieved from "https://en.wikibooks.org/w/index.php?title=CCNA_Certification/Advanced_Switching_Topics&oldid=4091187"