1 Rookie
•
44 Posts
0
56
May 10th, 2025 15:52
N2024 switch Configuring Dynamic ARP Inspection (DAI)
I started with what I call test-config-3.
The switch without DAI enabled does scan all VLans correctly and has internet access from Vlans 2-8. That is currently the basic functionality.
Configuration
VLan1 is attached to switch interface G11/0/1 (192.168.1.2) which it attached to the router interface (igb2 192.168.1.1). VLans 2-8 are attached to switch interface P01 (Gi1/0/10 & Gi1/0/15) 192.168.?.2) which is attached to the router interface (lagg (igb2 & igb3) 192.168.?.1) (where ? in both cases is 2-8 corresponding to the VLan). The Wireless Access Point (AP) via DHCP static assignment attached to switch interface Gi1/0/11 (management interface 192.168.1.3). The PC is attached via the AP and DHCP pool assignment (192.168.?.128 where ? is 1-8 corresponding to VLans 1-8).
There are VLan MAC associations for the Router and AP (VLan1 only - management interface). Should the AP appear in the other VLans 2-8, I thing NOT? I assumed (maybe incorrectly) that including the switch here would be redundant; should it be included? Are these entries redundant when the following port security entries are made on the interfaces?
Interface Gi1/0/1 has port security MAC associations for VLan1 for both the router and the switch.
Interface Po1 has port security MAC associations for VLans 2-8 for both the Router and the Switch.
Interface Gi1/0/11 does NOT have a port security MAC association for the AP because I do not intend to include every user device that can use the AP in the list. Is this the correct answer?
DHCP Snooping appears to be correctly configured. VLan1's DHCP server is assigned to the switch Gi1/0/1 (192.168.1.2) the router (192.168.1.1) blocks DHCP requests from VLan1 (logged by the router at this time) and has no DHCP Server active for VLan1. VLans 2-8 has DHCP servers attached to switch interface Po1 (Gi1/0/10 & Gi1/0/15) where the services are provided by the router (lagg (igb2 & igb3) 192.168.?.1 where? is 2-8 respectively) The switch has no DHCP Servers for Vlans 2-8.
After rebooting the router, switch and my PC I reviewed the DHCP Snooping Dynamic Pool expecting to find both the AP and PC. I found only the PC. I ran an IP scan on VLan1 and in fact did find the AP assigned IP 192.168.1.3 as expected. I power cycled the AP and connected the PC again and rechecked the DHCP Snooping Dynamic Pool and now I have the desired entries for both the AP and the PC. Is powering the AP after the switch boots really a requirement?
IPSG (IP Source Guard) also appears to be successfully configured. Ths IPSG Dynamic Binding Lists contains copies of the DHCP Snooping server entries as well as the AP and PC as expected after the power cycling of the AP. The remaining static Router and Server MAC/IP combinations were added to the IPSG Static Binding list. Every device on the network appears in one or the other of the IPSG Binding Lists.
All of the router and switch interfaces are attached to DAI (Dynamic ARP Inspection) and DHCP Snooping Trusted interfaces. The AP and PC appear in the DHCP Dynamic Pool on the switch. VLan1 is attached to Gi1/0/1 and VLans 2-8 are attached to Po1 comprised of Gi1/0/10 & Gi1/0/15. Gi1/0/1 and Po1 are DAI and DHCP Snooping trusted interfaces. The AP (and connected PCs) are attached to Gi1/0/11 not trusted by DAI or DHCP Snooping. After the above checking I believe the requirements to enable DAI on the VLan interfaces have been successfully established. (NOTE: other testing using static addresses had problems because attempts to create DAI ACL entries resulted in no entries in the DAI ACL lists -- Maybe IPSG entries blocked them)
Testing -- from what should be easy to hardest
VLan 1 is isolated network wise and will be the first VLan tested. The IP range for this initial test will be 192.168.1.0-192.168.1.255) ERROR: Enabling DAI on VLan1 blocked port access to http/https. I disconnected and reconnected the wireless network to the PC and it did not get an IP address VLan1 on the switch appears to be hung. Attempting access with other VLans 2-8 all fail to get an DHCP assigned pool IP address.
Attempted to use a atatic IP assigned on the PC for VLan8 -- scanned VLan8 all that was found was the PC itself no router or switch the only other devices on this VLan. Question would adding a PC or 2 with an emergency static IP address to IPSG and DAI be a good idea? (One I cannot implement at this time because I have been completely unsuccessful at adding DAI ARP rules.)
The switch appears to be completely hung. Since DAI was activated using the GUI a power cycle of the switch should clear the enabling of DAI on Vlan1.
It appears from firewall log on the router that shortly after an ICMP (ping) a UDP request port 137 both directed at the router 192.168.1.1 that both the AP and the PC appear to have issued DHCP requests for new IP addresses prior to the scanner testing other TCP/UDP ports including http/https probably explaining the above results -- the network disconnected mid scan.
I will attempt a similar test on VLan2 where there is no AP mamagement interface attached. The only devices on that VLan are the router, switch and PC (192.168.2.1, 192.168.2.2, 192.168.2.128 (probably)). For this test I will reduce the IP range to 192.168.2.1-192.168.2.254. I cannot detect DHCP requests in the firewall log for VLan2 as they are processed by the OPNsense firewall rules prior to my firewall rules. not the switch.
An IP scan before activating DAI on VLan2 was successful and the VLan has internet access.
Checked DHCP Snooping Dynamic Bindings Summary -- no AP in Vlan1. Power cycled the AP and reconnected to Vlan2. Checked DHCP Snooping Binding Summary again -- got the AP in Vlan1 and lost the PC in VLan2. Reconnected the PC to Vlan1 then Vlan2 and Checked DHCP Snooping Binding Summary again -- got both the AP in Vlan1 and the PC in VLan2. Tested the pre-DAI scan again successful. Enabling DAI on VLan2 and IP Scanning again. The scan result look good however it appears shortly after pinging the PC 192.168.1.128 the scanner took off like VLan2 disconnected and according to the PC it did disconnect from VLan2 apparently mid-scan. I attempted to reconnect to VLan2 and DHCP failed to get an IP address. Checking VLan1 and Vlans 3-8 for connectivity -- same result as before including testing with a static IP address the switch appears to be completely hung.
Once again time to power cycle the switch. This time I tried to save some steps and power cycled the AP at the same time. Connected the PC to VLan2 without DAI (windows automatically connected to VLan1 after the switch/AP reboot). DHCP Snooping and IPSC Dynamic Lists have both the AP in VLan1 and PC in VLan2. The firewall log on the router shows nothing of interest this pass. However; it is curious that two devices the router and the switch appeared to scan correctly and the third the PC gave no indication where in or after the process VLan2 disconnected from the PC.
The problem indicated with DAI ACL rules can be seen partially in the coded (startup) and stored (running) results below in addition to the fact that despite these entries in the configuration files there are NO entries in the DAI ACL Rule Configuration: Show All.
As Coded
ip arp inspection filter DAIaclVLan1Default vlan 1ip arp inspection validate src-mac dst-mac iparp access-list DAIaclVlan1Defaultpermit ip host 192.168.1.3 mac host ????.????.??40exitAs Stored
ip arp inspection filter DAIaclVLan1Default vlan 1ip arp inspection validate src-mac dst-mac iparp access-list DAIaclVlan1Defaultpermit ip host 192.168.1.3 mac host ??:??:??:??:??:40exitRemember nothing at all appears in the DAI ACL Configuration: Show All
The switch software version is:
!Current Configuration:!System Description "Dell EMC Networking N2024, 6.7.1.22, Linux 4.14.174, Not Available"!System Software Version 6.7.1.22
DELL-Charles R
Moderator
Moderator
•
4.3K Posts
0
May 12th, 2025 17:07
Hello,
To give some overview on the feature for users who may want to contribute here – DAI (Dynamic ARP inspection) protects networks from ARP spoofing attacks. It intercepts ARP packets on untrusted interfaces and checks their validity by comparing the MAC and IP address information against the DHCP snooping binding table. When DAI detects invalid ARP packets it discards them.
On your question about performing an alternate VLan1 test to better isolate the device causing the problem. You will leave router 192.168.1.1 and switch 192.168.1.2 where they are. You want to move the AP to 192.168.1.127 (moving its testing roughly to the scanner group 4 and the PC is moved to 192.168.1.253 making it roughly in the 8th scanner group).
Here are a couple of ways Changing the IP address of a device to a higher scanner group in AngryIPscanner can impact Dynamic ARP Inspection (DAI):
pasha_19
1 Rookie
1 Rookie
•
44 Posts
0
May 10th, 2025 16:21
Sorry I would edit the above to fix the code format but it is not an option I have so
As Coded
As Stored
Software Version
DELL-Erman O
Moderator
Moderator
•
2.8K Posts
0
May 12th, 2025 09:48
Hello,
it looks like you have a pretty complex setup going on. I think it seems like you need to power cycle the AP after the switch boots to get it to show up in the DHCP Snooping Dynamic Pool. This might be because the AP isn't sending DHCP requests right away when the switch boots. The switch hanging after enabling DAI suggests there might be a misconfiguration or a bug. Ensure your switch firmware is up to date . Let's our community can contribute
pasha_19
1 Rookie
1 Rookie
•
44 Posts
0
May 12th, 2025 15:15
The router and switch in each VLan should not be an issue as they are on DHCP Snooping and DAI Trusted ports which according to the documentation indicates they are not checked. As far as IPSG ALL IP/MAC address appear in either the fixed or dynamic lists for the entire network.
AngryIPscanner indicates the AP and PC devices are connected correctly even before the power cycling of the AP when the switch does not report them in the DHCP Snooping Dynanic list.. I had a similar problem when some Switch interfaces got their IP's via DHCP -- no longer the case I made them all static assigned in the device interfaces. The only devices that need to appear in the DHCP Snooping binding table are in VLan1 the AP and the PC and in Vlan2 to the PC alone. I have a feeling that direct connected devices get their IP's before DHCP Snooping is activated so having them reacquire IP addresses after the switch boot is complete is required for DHCP Snooping to see the entries OR the fact they already have valid prior assigned DHCP IP addresses slips by DHCP Snooping.
My primary concern in this message the DAI issue. Before testing DAI as noted DHCP Snooping is checked to see the Dynamic devices are present -- in theory the the Dynamic devices should not be a problem.
Note: the scanner limits devices actively scanned to 32 -- while this is not completing the whole block of 32 before the next 32 are released this seem to remain fairly close to that scenario.
As far as DAI the firmware for the switch is fully up to date the version is noted in the original data. I agree there may be a misconfiguration or bug; I am looking for suggestions to help find the problem.
I have demonstrated two different scenarios using two different VLans with slightly different results. VLan1 fails during the scan of the Router 192.168.1.1 which is one of the first devices scanned. A note should probably be made here that the AP is at address 192.168.1.3 so it is probably being checked concurrently with the router and the switch in VLan1. I have one idea that could possibly better isolate the device causing the problem . If in Vlan1 the router 192.168.1.1 and switch 192.168.1.2 remain where they are. The AP is moved to 192.168.1.127 (moving its testing roughly to the scanner group 4 and the PC is moved to 192.168.1.253 making it roughly in the 8th scanner group the problem may more clearly indicate which device is causing the problem on VLan1. Vlan2 does not fail until after the router 192.168.2.1 and switch192.168.2.2 are successfully scanned and either after or during the scan of the attached PC 192.168.2.128 or greater (which has no open ports to find the ping alone is the end of the scan results for the PC). A similar change on VLan2 is unlikely to provide any additional information especially if in the revised VLan1 test the router and switch scan successfully before the AP is scanned well before the PC is scanned. If the AP scan fails in VLan1 and the PC fails in VLan2 then the DAI problem will be clearly with devices in the DHCP Snooping Dynamic list and not devices on trusted interfaces. Should I try that alternate VLan1 test?
pasha_19
1 Rookie
1 Rookie
•
44 Posts
0
May 13th, 2025 13:11
In attempting to prepare a small file I could submit for others I made a discovery; the command "no arp inspection limit", if it works in some cases the error counts may be logged and more can be understood about the cause of the hang especially if this prevents the hang and the counts can be inspected. Maybe by mid day I will have an answer for that.
Another question I may have hidden is what exactly is logging in the case of DHCP Snooping and DAI -- updating counts (relatively safe in terms of a hang except possibly due to overflow) or possibly filling files that could cause a hang?
This will not affect the problem of not being able to add IPs and MAC addresses to DAI ACLs. That is a constraint I that may become an issue in the future.
Meaning the only valid setup I can achieve is to either have devices on trusted interfaces or to assure devices with DHCP assigned IP addresses appear in the DHCP Snooping Dynamic list (at this time this is appears to be a workable requirement for my design).
Lets hope that "no arp inspection limit" will eliminate the issue as the IP scanner by it's every nature generates large numbers of "invalid" packets for devices that do not exist and ports not open on devices.
(edited)
pasha_19
1 Rookie
1 Rookie
•
44 Posts
0
May 13th, 2025 14:35
Managed an early test of "ip arp inspection limit none" which appears to be the same as "no arp inspection limit". I applied it to the Gi1/0/11 interface where the PC was performing the scan. I should I consider applying this to the trusted interfaces (I believe I read this is not required)?
VLan 2 scanned successfully the stats were 1786 DHCP permits and 1786 passed and the results were the desired results.
I switched to testing VLan1. Checked those stats before enabling DAI on VLan1 -- there were a few stats present even before DAI was enabled which is curious but not fatal. The scan of VLan1 did not display the server or router and it disconnected after scanning the PC. BUT the entire switch did not hang -- I got in using VLan 2 and could see the stats for Vlans 1 & 2. There were about 3000+ DHCP Drops on VLan1 (where the DHCP server is on the switch). I have some things to investigate. Also the switch may be hanging slowly. DHCP seems to be working for all VLans but VLan1 may have lost server/router access near the end of the scan. VLan2 seems to have done the same after inquiring the statistics. Got back in again using VLan7. This may not be the complete DAI solution but I have a great deal of test feedback I did not have before this. There are some outstanding questions including how eventually to set a better limit. But for now, I am back to doing some testing with some additional information.
pasha_19
1 Rookie
1 Rookie
•
44 Posts
0
May 13th, 2025 15:25
Just ran a test I could not consider before probably the most extreme. Testing VLan8 scanning all 8 VLans. VLan1 should be dropped completely by the switch ACLS. Everything in VLans2-8 should respond positively (this is the admin VLan). The test ran to completion no issues including hangs or disconnects. The results of the scan matched what was expected. Strangely I have considerable research in the statistics question. The stats for VLan8 were 30+ dhcp permits and 30+ forwarded. The system consists of a router with 8 vlans a switch with 8 vlans a wireless router, and the pc for a total of 18 devices. Ran the scan a second time without rebooting -- same positive results. Maybe there are problems with VLan2 with such high numbers and VLan 1 clearly has problems at this time for me to find.
My hang problem in terms of testing seem to be mostly solved.
pasha_19
1 Rookie
1 Rookie
•
44 Posts
0
May 18th, 2025 20:57
Since I cannot get the DAI ACLs to actually generate entries in the table. I am currently testing Static IP addresses in devices that are not like wireless access points (file servers, switches, routers). I am attaching the mac addresses to ports and vlans too. I then plan to make the single user ports trusted DAI ports. I believe this replaces the DAI ACL that I cannot get to work.
pasha_19
1 Rookie
1 Rookie
•
44 Posts
0
May 18th, 2025 21:12
That last message should have said I am trusting single use ports -- with file servers not wireless access points) with known mac addresses and IP addresses. With multiple levels of MAC validations and IPSG static entries.
pasha_19
1 Rookie
1 Rookie
•
44 Posts
0
May 24th, 2025 11:15
@DELL-Charles R The customer found a work around with numerous items still not working see following documentation.