Snoop_DAI_VACL

Some quick notes from labbing tonight that I thought were good to know for exam day; this will all be very messy crap with output behaviors, no editing to make it look nice!

ALSO, one important note I keep forgetting: for PRIVATE VLANs, VTP on the switch and on the neighbors hosting the Private VLAN must be in VTP Transparent mode!

I keep forgetting that, so I figured if I stick it right there, hopefully I will burn it into my brain for exam day 🙂 Sorry for the huge mess below, this is just going to be chaotic output, but it will contain some good examples of output to know for exam day!

You must first enable DHCP snooping globally with “ip dhcp snooping” from global config, then specify the VLAN with “ip dhcp snooping vlan 10”:

SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 10
SW1(config)#no ip snooping info option
^
% Invalid input detected at ‘^’ marker.

SW1(config)#no ip dhcp snooping info option   <— Turn off option 82!!!
SW1(config)#do sh ip dhcp snoop stat
Packets Forwarded = 0
Packets Dropped = 0
Packets Dropped From untrusted ports = 0
SW1(config)#exit
SW1#sh
*Mar 1 00:25:50.432: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 1ce6.c7c1.c800 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)
———————– ——- ———— —————-
FastEthernet1/0/11 yes yes unlimited    <—- No Rate set / “unlimited”
Custom circuit-ids:
Interface Trusted Allow option Rate limit (pps)
———————– ——- ———— —————-
FastEthernet1/0/12 yes yes unlimited
Custom circuit-ids:
Port-channel1 yes yes unlimited
Custom circuit-ids:

DHCP Snooping is enabled:

  • Globally
  • For VLAN 10
  • Option 82 turned off in case of L3 boundaries (otherwise traffic will drop)

As can be seen here, and I couldn’t figure out why, the binding table on SW1 is only showing 2 static bindings:

SW1(config)#do sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
—————— ————— ———- ————- —- ——————–
00:1E:F7:97:F1:4B 10.0.0.31 604678 dhcp-snooping 10 FastEthernet1/0/2
00:1B:53:36:F2:CD 10.0.0.34 604678 dhcp-snooping 10 FastEthernet1/0/3
Total number of bindings: 2

While SW2’s DHCP pool output shows that all 4 routers grabbed an address:

SW2#sh ip dhcp pool

Pool CCNP :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 4
Excluded addresses : 30
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
10.0.0.35 10.0.0.1 – 10.0.0.254 4 / 30 / 254

And all routers / hosts could ping each other (10.0.0.31 – .34), so I chalked it up to a bug.

Configuring DAI, trusting the interface toward the DHCP server SW2, and the verify command:

SW1(config)#ip arp inspection ?
filter Specify ARP acl to be applied   <<<—- ARP ACL!
log-buffer Log Buffer Configuration
smartlog Smartlog all the logged pkts
validate Validate addresses
vlan Enable/Disable ARP Inspection on vlans <— Choice I used

SW1(config)#ip arp inspection vlan 10
SW1(config)#int po1   <—– Port-Channel 1
SW1(config-if)#ip arp ?
inspection Arp Inspection configuration

SW1(config-if)#ip arp inspe ?
limit Configure Rate limit of incoming ARP packets
trust Configure Trust state

SW1(config-if)#ip arp inspe trust
SW1(config-if)#^Z

SW1#sh ip arp inspection

Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL
—- ————- ——— ——— ———-
10 Enabled Active

Vlan ACL Logging DHCP Logging Probe Logging
—- ———– ———— ————-
10 Deny Deny Off

Vlan Forwarded Dropped DHCP Drops ACL Drops
—- ——— ——- ———- ———
10 0 0 0 0

Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures
—- ———— ———– ————- ——————-
10 0 0 0 0

Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
—- —————– ———————- ———————
10 0 0 0

No, this is not showing the network 10.0.0.0; it’s showing VLAN 10 and some other values under the table that don’t format well on this page.

I just entered it on the Port-Channel interface, as that applies it to all bundled physical interfaces as well, just like any other command applied to a Port-Channel… of course 🙂

HOWEVER, then I brought in Dynamic ARP Inspection and found some errors:

SW1#ping 10.0.0.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.33, timeout is 2 seconds:

*Mar 1 00:45:11.349: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 10.([000e.8475.04e1/10.0.0.33/1ce6.c7c1.c841/10.0.0.10/00:45:10 UTC Mon Mar 1 1993]).
*Mar 1 00:45:13.362: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 10.([000e.8475.04e1/10.0.0.33/1ce6.c7c1.c841/10.0.0.10/00:45:12 UTC Mon Mar 1 1993]).
*Mar 1 00:45:15.375: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 10.([000e.8475.04e1/10.0.0.33/1ce6.c7c1.c841/10.0.0.10/00:45:14 UTC Mon Mar 1 1993])
*Mar 1 00:45:17.388: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 10.([000e.8475.04e1/10.0.0.33/1ce6.c7c1.c841/10.0.0.10/00:45:16 UTC Mon Mar 1 1993]).
*Mar 1 00:45:19.402: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 10.([000e.8475.04e1/10.0.0.33/1ce6.c7c1.c841/10.0.0.10/00:45:18 UTC Mon Mar 1 1993]).
*Mar 1 00:45:21.415: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 10.([000e.8475.04e1/10.0.0.33/1ce6.c7c1.c841/10.0.0.10/00:45:20 UTC Mon Mar 1 1993])
*Mar 1 00:45:23.428: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 10.([000e.8475.04e1/10.0.0.33/1ce6.c7c1.c841/10.0.0.10/00:45:22 UTC Mon Mar 1 1993]).
Success rate is 0 percent (0/5)
SW1#
*Mar 1 00:45:25.441: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 10.([000e.8475.04e1/10.0.0.33/1ce6.c7c1.c841/10.0.0.10/00:45:24 UTC Mon Mar 1 1993])
SW1#
SW1#sh ip dhcp snoop bind
MacAddress IpAddress Lease(sec) Type VLAN Interface
—————— ————— ———- ————- —- ——————–
00:1E:F7:97:F1:4B 10.0.0.31 604311 dhcp-snooping 10 FastEthernet1/0/2
00:1B:53:36:F2:CD 10.0.0.34 604311 dhcp-snooping 10 FastEthernet1/0/3
Total number of bindings: 2

This is because DAI looks up MAC-to-IP bindings in the DHCP Snooping table, so DHCP Snooping is required for DAI to even run; however, I did find a way around this:

SW1(config)#int fa1/0/1
SW1(config-if)#arp insepct ?
% Unrecognized command
SW1(config-if)#ip arp ?
inspection Arp Inspection configuration

SW1(config-if)#ip arp inspe ?
limit Configure Rate limit of incoming ARP packets
trust Configure Trust state

SW1(config-if)#ip arp inspe trust
SW1(config-if)#int fa1/0/4
SW1(config-if)#ip arp inspec trust
SW1(config-if)#
ASR#1
[Resuming connection 1 to sw1 … ]

SW1(config-if)#
SW1(config-if)#
ASR#4
[Resuming connection 4 to r1 … ]

HostA#
HostA#ping 10.0.0.31

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.31, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
HostA#ping 10.0.0.32

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.32, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
HostA#ping 10.0.0.33

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.33, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
HostA#ping 10.0.0.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

For exam day, know that you either have to hard code the MAC / IP into the DHCP binding table, or you can use the ARP inspection trust at the interface level, BUT YOU CANNOT USE THE DHCP TRUST COMMAND AT INTERFACE LEVEL BECAUSE DAI DOESN’T CARE ABOUT DHCP TRUST!

Do not fall for that on exam day: you must hard code the mapping into the DHCP snooping binding table, possibly make an ARP inspection ACL (they do exist but aren’t covered here), or trust the interface, like you can with DHCP Snooping on an interface facing a trusted device.
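As an added example (not from the original post), the Python below parses the %SW_DAI-4-DHCP_SNOOPING_DENY lines above, normalises the two MAC formats the switch prints, and models the DAI decision against SW1’s binding table. It assumes the short interface names (Fa1/0/1) and a constructed copy of the binding table; norm_mac, parse_dai_deny and dai_verdict are helper names I chose.

```python
import re

# Regex for the %SW_DAI-4-DHCP_SNOOPING_DENY line format seen on SW1:
# ...on <intf>, vlan <n>.([sender MAC/sender IP/target MAC/target IP/timestamp])
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: \d+ Invalid ARPs \((?P<kind>\w+)\) on "
    r"(?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
)

# Constructed copy of one of the log lines shown above.
LOG_LINE = ("*Mar 1 00:45:11.349: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on "
            "Fa1/0/1, vlan 10.([000e.8475.04e1/10.0.0.33/1ce6.c7c1.c841/10.0.0.10/"
            "00:45:10 UTC Mon Mar 1 1993]).")


def norm_mac(mac):
    """Normalise 00:1E:F7:97:F1:4B (binding table) and 000e.8475.04e1 (syslog) to one form."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))


# Constructed copy of SW1's DHCP snooping binding table: (mac, ip, vlan) -> interface
BINDINGS = {(norm_mac(m), ip, v): i for m, ip, v, i in [
    ("00:1E:F7:97:F1:4B", "10.0.0.31", 10, "Fa1/0/2"),
    ("00:1B:53:36:F2:CD", "10.0.0.34", 10, "Fa1/0/3"),
]}


def parse_dai_deny(line):
    """Pull interface, VLAN and sender/target MAC+IP out of a DAI deny syslog line."""
    m = DAI_DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["vlan"] = int(d["vlan"])
    return d


def dai_verdict(arp, bindings, arp_trusted=(), dhcp_trusted=()):
    """Model of the DAI decision for one ARP packet on an access switch.
    'ip arp inspection trust' ports skip the check; untrusted ports need a
    sender MAC/IP/VLAN entry in the snooping table (learned dynamically, or
    added by hand with 'ip dhcp snooping binding ... expiry ...').
    dhcp_trusted ('ip dhcp snooping trust') is accepted only to show that DAI
    never consults it: the verdict does not depend on that argument."""
    if arp["intf"] in arp_trusted:
        return "permit: interface trusted for DAI"
    if (norm_mac(arp["smac"]), arp["sip"], arp["vlan"]) in bindings:
        return "permit: binding found"
    return "deny: no binding for sender"
```

The deny lines above decode to sender 000e.8475.04e1 / 10.0.0.33 on Fa1/0/1, which has no entry in the two-line binding table, so either a static binding for it or ARP inspection trust on Fa1/0/1 turns the verdict into a permit.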

Making a VLAN Access-List quick and painless, 1 ACL and 1 VLAN Access-Map action

I thought I’d have to make different sequences to forward or drop certain traffic, like PBR (Policy Based Routing) route maps; however, I tested it and it worked, so I’ll go with this:

SW1(config)#ip access-list standard 10
SW1(config-std-nacl)#deny host 10.0.0.33
SW1(config-std-nacl)#permit 10.0.0.0 0.0.0.255
SW1(config-std-nacl)#exit
SW1(config)#do sh ip access-list
Standard IP access list 10
10 deny 10.0.0.33
20 permit 10.0.0.0, wildcard bits 0.0.0.255

So all PCs should not be able to ping Host C 10.0.0.33 according to this ACL; now to incorporate it into a “vlan access-map”:

SW1(config)#vlan access-map ?
WORD Vlan access map tag

SW1(config)#vlan access-map VACL
SW1(config-access-map)#?
Vlan access-map configuration commands:
action Take the action
default Set a command to its defaults
exit Exit from vlan access-map configuration mode
match Match values.
no Negate a command or set its defaults

SW1(config-access-map)#match ip add 10
SW1(config-access-map)#action forward
SW1(config-access-map)#exit
SW1(config)#do sh vlan access-map
Vlan access-map “VACL” 10
Match clauses:
ip address: 10
Action:
forward

I skipped some output as I know what I’m going for; essentially, to me it’s saying forward all traffic matching that ACL, so I’m wondering if that deny at the top will actually drop traffic.

For any of this to take effect, you must filter a VLAN with this VLAN Access-Map, which in turn references an IP Access-List (the hole just keeps getting deeper!):

SW1(config)#vlan ?
WORD ISL VLAN IDs 1-4094
access-log Configure VACL logging
access-map Create vlan access-map or enter vlan access-map command mode
configuration vlan feature configuration mode
dot1q dot1q parameters
filter Apply a VLAN Map
group Create a vlan group
internal internal VLAN

SW1(config)#vlan filter ?
WORD VLAN map name

SW1(config)#vlan filter VACL ?
vlan-list VLANs to apply filter to

SW1(config)#vlan filter VACL vlan-list ?
<1-4094> VLAN id
all Add this filter to all VLANs

SW1(config)#vlan filter VACL vlan-list 10
SW1(config)#

Note that you can apply it to “all” VLANs, but given it’s a single VLAN Access-List there is no use for that in my mind, certainly not at the CCNP level of network configuration.

Now to test it out:

ASR#4
[Resuming connection 4 to r1 … ]
ping 10.0.0.33

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.33, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
HostA#ping 10.0.0.32

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.32, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
HostA#ping 10.0.0.31

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.31, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
HostA#ping 10.0.0.34

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Just make sure that you put your deny statements in first, or you’re going to have a whole new issue trying to figure out how to renumber your ACL to fit deny statements above permits; nothing too hard, but just a pain you don’t need.
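To see why the single-clause map above drops Host C’s traffic, here is an added Python model (not from the original post) of how a VLAN map evaluates a referenced standard ACL: an ACL permit is a match that takes the clause’s action, an ACL deny is a non-match that falls through to the next sequence, and a packet matching no sequence hits the map’s implicit drop. The two-sequence VACL_EXPLICIT variant is an assumed alternative that is not on the page, included to show how the two forms differ for sources outside 10.0.0.0/24.

```python
import ipaddress

# Constructed copy of standard ACL 10 from SW1: first matching entry wins,
# and the ACL itself ends with an implicit deny.
ACL_10 = [
    ("deny", ipaddress.ip_network("10.0.0.33/32")),    # 10 deny 10.0.0.33
    ("permit", ipaddress.ip_network("10.0.0.0/24")),   # 20 permit 10.0.0.0 0.0.0.255
]
# vlan access-map VACL 10 / match ip address 10 / action forward (as configured above)
VACL_SINGLE = [{"seq": 10, "acl": ACL_10, "action": "forward"}]

# Assumed alternative, not from the page: seq 10 matches an ACL that permits only
# host 10.0.0.33 and drops it, seq 20 matches any source and forwards.
ACL_HOSTC = [("permit", ipaddress.ip_network("10.0.0.33/32"))]
ACL_ANY = [("permit", ipaddress.ip_network("0.0.0.0/0"))]
VACL_EXPLICIT = [
    {"seq": 10, "acl": ACL_HOSTC, "action": "drop"},
    {"seq": 20, "acl": ACL_ANY, "action": "forward"},
]


def acl_lookup(acl, src_ip):
    """Standard ACL: matches on source address only; first hit wins; implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in acl:
        if ip in net:
            return action
    return "deny"


def vacl_verdict(vacl, src_ip):
    """VLAN map evaluation: a 'permit' in the referenced ACL means the packet matches
    this clause and takes its action; a 'deny' (or ACL miss) means 'no match here',
    so evaluation moves on to the next sequence. A packet matching no sequence hits
    the VLAN map's implicit drop. Returns (sequence that decided, action)."""
    for clause in vacl:
        if acl_lookup(clause["acl"], src_ip) == "permit":
            return clause["seq"], clause["action"]
    return None, "drop"
```

Because a standard ACL matches only source addresses, it is the packets sourced from 10.0.0.33 (Host C’s echo replies) that the map drops, which is why the pings to it fail while 10.0.0.31, .32 and .34 still answer.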

So that was my short lab on configuring a DHCP pool, DHCP Snooping, DAI, and VLAN ACLs; sorry that was rushed and not well explained, but I am less than two weeks out and I don’t have time to bleed. I will occasionally drop bits of lab session output until exam day for my own and your review!

Any questions, comments, complaints, or if you want to donate millions of dollars, please throw in a comment and I’ll do my best to get to it 🙂