DAI question

MACattack Member Posts: 121
Hi, I just want to know if I am correct. This is based on the Cisco web site for the 3560 model regarding DAI.
According to the Cisco docs for the 3560, DAI intercepts (checks) both ARP requests and ARP replies.
However, the Train Signal video mentioned that it checks only ARP replies, not ARP requests, meaning an ARP reply received from an untrusted interface.

In addition, correct me if I am wrong: with DHCP snooping, let's say I have 2 switches running.
SWA port 1 (DHCP), port 2 is a trunk and port 3 is a host; if switch B's trunk is not configured for DAI and SWA trunk port 2 is configured with the ip arp inspection trust command,
can a host on SWB spoof the ARP packet of HOST A from SWA?

My answer to this is that it can still spoof the MAC address, because it does not check the ARP on the trunk; there is no checking as it is a trusted port. AM I RIGHT? Even though it receives a dynamic IP from the DHCP connected to SWA.

Oops, I forgot, now this is the confusing part, because IP DHCP SNOOPING is enabled, meaning all ports are configured untrusted, and then only dhcp snooping trust is enabled on SWA port 1;
then all DHCP req, DHCP ACK and DHCP NACK packets coming from untrusted ports are DROPPED....
RIGHT or WRONG...?


Please, I would appreciate your help guys; I am now getting it clear and pinpointing my weaknesses...
STP, SEC. WLAN

By the way, thanks for all the support. Got 5 days before the exam.

Comments

  • dtlokee Member Posts: 2,378
    First, when you use DHCP snooping you cannot attach a DHCP server to an untrusted interface (basically it won't allow the responses from the server). Then, based on the DHCP snooping database or the trusted ARP database, DAI will either allow or deny an ARP reply if it is considered valid (not spoofed).
    The only easy day was yesterday!
  • MACattack Member Posts: 121
    Hello, I got your point that it is not allowed to put a DHCP server on an untrusted interface.
    However, my concern is when I have 2 switches: SwitchA is running DAI with DHCP snooping enabled and has a DHCP server connected and a host. The connection between the DHCP server and SWA is trusted. The trunk port goes between switch A (trusted) and SWB (NOT CONFIGURED with DAI). Then any host on SWB can send an ARP spoof or MAC spoof to SWA, which in turn updates the ARP cache of SWA and HOST A.

    Now I am confused only when DHCP snooping comes into the scenario. Let's say I enable DAI on the trunk interface of SWA and enable ip arp inspection trust on the trunk interface. Now, to make it more complicated, I added ip dhcp snooping on VLAN 2 (all hosts in the domain are in VLAN 2, including HOST B, which gets an IP address from the DHCP server).

    Do you think HOST B can send a spoofed MAC address to SWA and host A?
    Note: again, DAI is configured on SWA with the TRUST command on the trunk but no ip dhcp snooping trust command. So it considers the trunk interface as untrusted if a DHCP reply is coming from SWB.

    Does it affect or not?
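An added configuration example for the SWA described in both posts above (constructed for this thread, not taken from either poster or from Cisco's docs); the interface names and VLAN 2 are assumed. It shows that DHCP snooping trust and DAI trust are separate per-interface settings, which is the point the question turns on.

```cisco
! SWA (assumed Catalyst 3560): DHCP snooping and DAI for VLAN 2
! Assumed ports: DHCP server on Fa0/1, trunk to SWB on Fa0/2, Host A on Fa0/3
ip dhcp snooping
ip dhcp snooping vlan 2
ip arp inspection vlan 2
! Optional extra checks on untrusted ports: ARP-body MAC vs. Ethernet header, and sane IP addresses
ip arp inspection validate src-mac dst-mac ip
!
interface FastEthernet0/1
 description DHCP server
 switchport mode access
 switchport access vlan 2
 ! Trusted for DHCP snooping: server messages (OFFER/ACK/NAK) are accepted on this port
 ip dhcp snooping trust
 ! Left untrusted for DAI: ARP from the server is still checked against the binding table
!
interface FastEthernet0/2
 description trunk to SWB (SWB runs no DAI)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Trusted for DAI: ARP arriving from SWB is NOT inspected, so SWB hosts are not checked here
 ip arp inspection trust
 ! Deliberately NOT "ip dhcp snooping trust": DHCP server messages arriving from SWB are dropped.
 ! The two trust settings are independent; one does not imply the other.
!
interface FastEthernet0/3
 description Host A
 switchport mode access
 switchport access vlan 2
 ! Untrusted for both: ARP from Host A must match an IP/MAC/VLAN/port snooping binding
!
! Verification commands:
!   show ip dhcp snooping binding
!   show ip arp inspection interfaces
!   show ip arp inspection vlan 2
```

Removing ip arp inspection trust from Fa0/2 would make SWA inspect ARP from SWB's hosts against the bindings that DHCP snooping learns for them on that (untrusted) trunk port, which closes the gap the posts describe.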