CCNA Certification/Advanced Switching Topics

=Advanced Switching Topics=

==IP source guard without DHCP==

When DHCP snooping is enabled, a switch maintains a database of the DHCP addresses assigned to the hosts connected to each access port. IP source guard references this database when a packet is received on any of these interfaces and compares the packet's source address to the address assigned to that port in the database. If the source address differs from the "allowed" address, the packet is assumed to be spoofed and is discarded. When DHCP isn't available or in use on a subnet, static IP source bindings can be configured manually per access port to achieve the same effect.
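The per-packet decision described above, written out as an added example (this is not IOS code and not part of the original page): the bindings are the two static entries configured later on this page, the packets are constructed, and the `check_mac` flag models the `ip verify source port-security` variant, which the page does not configure. It also reproduces the `inactive-no-snooping-vlan` state the page shows when DHCP snooping is not enabled for the VLAN.

```python
"""IP Source Guard check against static bindings.

Added example, not IOS code: models the decision the switch makes per packet
when `ip verify source` is applied to a port and bindings are configured with
`ip source binding <mac> vlan <vlan> <ip> interface <if>`, as on this page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str        # lowercase colon form, e.g. 00:0d:29:c0:f1:80
    vlan: int
    ip: str
    interface: str


def norm_mac(mac: str) -> str:
    """Accept Cisco dotted (000D.29C0.F180) or colon form; return lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Static bindings copied from the page's configuration.
BINDINGS = (
    Binding(norm_mac("000D.29C0.F180"), 146, "155.1.0.2", "FastEthernet0/13"),
    Binding(norm_mac("000D.29E3.AB00"), 146, "155.1.0.3", "FastEthernet0/16"),
)

# VLANs on which `ip dhcp snooping vlan <n>` is enabled. IP Source Guard only
# filters on a port whose VLAN is in this set; otherwise the port shows
# inactive-no-snooping-vlan, as on the page.
SNOOPING_VLANS = frozenset({146})


def filter_mode(vlan: int, snooping_vlans=SNOOPING_VLANS) -> str:
    """Filter-mode column of `show ip verify source` for a port in the given VLAN."""
    return "active" if vlan in snooping_vlans else "inactive-no-snooping-vlan"


def verify_source(interface, vlan, src_ip, src_mac=None, *,
                  bindings=BINDINGS, snooping_vlans=SNOOPING_VLANS,
                  check_mac=False):
    """Return (forward, reason) for one packet arriving on an access port.

    check_mac=False mirrors plain `ip verify source` (IP filtering only);
    check_mac=True mirrors `ip verify source port-security`, which also
    requires the source MAC to match the binding (not configured on this page).
    """
    if vlan not in snooping_vlans:
        return True, "inactive-no-snooping-vlan: no filtering on this VLAN"
    for b in bindings:
        if b.interface != interface or b.vlan != vlan or b.ip != src_ip:
            continue
        if check_mac and (src_mac is None or norm_mac(src_mac) != b.mac):
            return False, f"source MAC does not match binding for {src_ip}"
        return True, f"matches static binding on {interface}"
    return False, f"no binding for {src_ip} on {interface} vlan {vlan}: dropped as spoofed"


def show_ip_verify_source(ports, bindings=BINDINGS, snooping_vlans=SNOOPING_VLANS):
    """Rows resembling `show ip verify source` for ports given as (name, vlan)."""
    rows = []
    for name, vlan in ports:
        mode = filter_mode(vlan, snooping_vlans)
        ips = [b.ip for b in bindings if b.interface == name and b.vlan == vlan]
        rows.append((name, "ip", mode, ips[0] if (ips and mode == "active") else "", vlan))
    return rows


if __name__ == "__main__":
    # Constructed packets: the legitimate host, the same host after changing its
    # address to 155.1.0.22 (as sw2 does later on the page), and a valid IP
    # arriving on the wrong port.
    for pkt in [("FastEthernet0/13", 146, "155.1.0.2"),
                ("FastEthernet0/13", 146, "155.1.0.22"),
                ("FastEthernet0/16", 146, "155.1.0.2")]:
        print(pkt, verify_source(*pkt))
    for row in show_ip_verify_source([("FastEthernet0/13", 146), ("FastEthernet0/16", 146)]):
        print("%-18s %-4s %-26s %-16s %s" % row)
```

Note that a binding is tied to an interface as well as a VLAN: the same address arriving on a different access port is dropped, which is what makes static bindings useful on segments without DHCP.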

===Configuration===

sw1(config)#ip dhcp snooping

sw1(config)#ip dhcp snooping vlan 146

sw1(config)#interface FastEthernet0/13

switchport access vlan 146

switchport trunk encapsulation dot1q

switchport mode access

ip verify source

sw1(config)#interface FastEthernet0/16

switchport access vlan 146

switchport mode access

ip verify source

sw1(config)#ip source binding 000D.29C0.F180 vlan 146 155.1.0.2 interface Fa0/13

sw1(config)#ip source binding 000D.29E3.AB00 vlan 146 155.1.0.3 interface Fa0/16

sw1(config)#do sh ip source binding

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0D:29:C0:F1:80   155.1.0.2        infinite    static         146   FastEthernet0/13
00:0D:29:E3:AB:00   155.1.0.3        infinite    static         146   FastEthernet0/16
Total number of bindings: 2

sw1(config)#do sh ip verify source

Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/13     ip           active       155.1.0.2                           146
Fa0/16     ip           active       155.1.0.3                           146

sw1(config)#

If DHCP snooping is not enabled for the VLAN on sw1, the Filter-mode column of this output shows inactive-no-snooping-vlan for every entry on that VLAN:

sw1(config)#no ip dhcp snooping vlan 146

sw1(config)#do sh ip verify source

Interface  Filter-type  Filter-mode                IP-address       Mac-address        Vlan
---------  -----------  -------------------------  ---------------  -----------------  ----
Fa0/13     ip           inactive-no-snooping-vlan
Fa0/16     ip           inactive-no-snooping-vlan

Now change the IP address of sw2 to 155.1.0.22 and try to ping 155.1.0.3 (the address of sw3). The following error messages are generated on sw1 (a 3560):

sw1(config)#

02:30:26: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/000d.29e3.ab00/155.1.0.3/02:30:25 UTC Mon Mar 1 1993])
02:30:26: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/ffff.ffff.ffff/155.1.0.22/02:30:25 UTC Mon Mar 1 1993])
02:30:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:32 UTC Mon Mar 1 1993])
02:30:35: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:34 UTC Mon Mar 1 1993])
02:30:37: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:36 UTC Mon Mar 1 1993])
02:30:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:38 UTC Mon Mar 1 1993])
02:30:40: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:40 UTC Mon Mar 1 1993])
02:30:42: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:42 UTC Mon Mar 1 1993])
02:30:44: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:44 UTC Mon Mar 1 1993])
02:30:46: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/0000.0000.0000/155.1.0.3/02:30:46 UTC Mon Mar 1 1993])
sw1(config)#
02:39:44: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/000d.29e3.ab00/155.1.0.3/02:39:43 UTC Mon Mar 1 1993])
02:39:44: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/ffff.ffff.ffff/155.1.0.22/02:39:43 UTC Mon Mar 1 1993])

sw1(config)#do sh ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  146     Enabled          Active

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
  146     Deny             Deny

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
  146              3             12             12              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
  146              3              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
  146                   0                        0                       0

==DAI without a DHCP server on SW1==

sw1(config)#ip arp inspection vlan 146

sw1(config)#ip arp inspection filter vlan146 vlan 146

sw1(config)#interface FastEthernet0/13

switchport access vlan 146

switchport trunk encapsulation dot1q

switchport mode access

ip arp inspection limit rate 50 burst interval 10

sw1(config)#interface FastEthernet0/16

switchport access vlan 146

switchport mode access

sw1(config)#interface FastEthernet0/19

switchport access vlan 146

switchport mode access

sw1(config)#arp access-list vlan146

permit ip host 155.1.0.2 mac host 000d.29c0.f180

permit ip host 155.1.0.3 mac host 000d.29e3.ab00

===On SW2===

sw2(config)#interface FastEthernet0/13

no switchport

ip address 155.1.0.2 255.255.255.0

no shutdown

===On SW3===

sw3(config)#interface FastEthernet0/13

no switchport

ip address 155.1.0.3 255.255.255.0

no shutdown

===On SW4===

interface FastEthernet0/13

no switchport

ip address 155.1.0.4 255.255.255.0

no shutdown

When you try to ping from sw4, sw1 logs ARP inspection errors, because sw4's IP-to-MAC mapping is not in the ARP ACL. sw2 and sw3 are unaffected, because their IP-to-MAC mappings are permitted by the ARP ACL vlan146.
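To see why the ARP ACL accepts sw2 and sw3 but rejects sw4, and to make the %SW_DAI-4-DHCP_SNOOPING_DENY messages above easier to review in bulk, here is an added example (not IOS code and not part of the original page) that parses those syslog lines and re-evaluates each denied ARP's sender MAC/IP pair against the page's `arp access-list vlan146`. DAI's base check is the sender pair; the target-side checks belong to the `ip arp inspection validate` options, which the page's `show ip arp inspection` output lists as Disabled. The sample log is constructed: two lines are copied from the page, and the third, with the MAC aaaa.bbbb.cccc, is a hypothetical request from a host with no ACE, standing in for sw4 (whose MAC the page does not give).

```python
"""Re-check DAI denies against an ARP ACL.

Added example, not IOS code. Parses %SW_DAI-4-DHCP_SNOOPING_DENY syslog lines in
the format shown on this page and evaluates the sender MAC/IP of each denied
ARP against an ARP access-list written in `permit ip host A mac host B` form.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/"
    r"(?P<ts>[^\]]+)\]\)"
)
ACE_RE = re.compile(r"^\s*permit ip host (?P<ip>[\d.]+) mac host (?P<mac>[0-9a-fA-F.]+)\s*$")

# ARP ACL copied from the page's configuration on sw1.
ARP_ACL_TEXT = """\
arp access-list vlan146
 permit ip host 155.1.0.2 mac host 000d.29c0.f180
 permit ip host 155.1.0.3 mac host 000d.29e3.ab00
"""

# Constructed sample: the first two lines are from the page's console output; the
# third is hypothetical (MAC aaaa.bbbb.cccc is made up) and models a host such as
# sw4 that has no ACE at all.
SAMPLE_LOG = """\
02:30:26: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/000d.29e3.ab00/155.1.0.3/02:30:25 UTC Mon Mar 1 1993])
02:30:26: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/13, vlan 146.([000d.29c0.f180/155.1.0.22/ffff.ffff.ffff/155.1.0.22/02:30:25 UTC Mon Mar 1 1993])
02:31:00: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/19, vlan 146.([aaaa.bbbb.cccc/155.1.0.4/0000.0000.0000/155.1.0.3/02:30:59 UTC Mon Mar 1 1993])
"""


def parse_arp_acl(text):
    """Return the (ip, mac) pairs permitted by the ACL, MACs lowercased.
    Anything that is not a permit entry is ignored; DAI denies everything else."""
    acl = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            acl.append((m["ip"], m["mac"].lower()))
    return acl


def dai_verdict(acl, sender_ip, sender_mac):
    """'permit' if the sender IP/MAC pair matches an ACE, otherwise 'deny'."""
    return "permit" if (sender_ip, sender_mac.lower()) in acl else "deny"


def parse_dai_log(text):
    """Extract the fields of every DAI deny message: op, port, VLAN, sender and
    target MAC/IP, and the switch's own timestamp inside the brackets."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        records.append({
            "op": m["op"], "interface": m["intf"], "vlan": int(m["vlan"]),
            "count": int(m["count"]),
            "sender_mac": m["smac"].lower(), "sender_ip": m["sip"],
            "target_mac": m["tmac"].lower(), "target_ip": m["tip"],
            "timestamp": m["ts"],
        })
    return records


def explain_denies(log_text, acl):
    """For each logged deny, reproduce the ACL verdict and say which IPs, if any,
    the ACL does allow for that sender MAC."""
    out = []
    for r in parse_dai_log(log_text):
        verdict = dai_verdict(acl, r["sender_ip"], r["sender_mac"])
        allowed = [ip for ip, mac in acl if mac == r["sender_mac"]]
        reason = (f"ACL permits {r['sender_mac']} only with {', '.join(allowed)}"
                  if allowed else f"no ACE for {r['sender_mac']}")
        out.append((r["interface"], r["sender_mac"], r["sender_ip"], verdict, reason))
    return out


def offenders(log_text):
    """Total denied ARPs per (port, sender MAC, sender IP): the ports to look at."""
    c = Counter()
    for r in parse_dai_log(log_text):
        c[(r["interface"], r["sender_mac"], r["sender_ip"])] += r["count"]
    return c


if __name__ == "__main__":
    acl = parse_arp_acl(ARP_ACL_TEXT)
    for row in explain_denies(SAMPLE_LOG, acl):
        print(row)
    print(offenders(SAMPLE_LOG))
```

The first two records show the exact situation on the page: the MAC of sw2 is bound to 155.1.0.2, so once sw2 answers from 155.1.0.22 every ARP it sends is denied, while the `offenders` counter turns a stream of one-per-second messages into a single entry per port and sender.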