Question Regarding Meraki DAI
So I am new to the Meraki Dashboard, and we're planning to enable DAI on our switches. However, upon testing this, the servers became unreachable / the servers could not reach the network.
We've tried whitelisting the MAC address that was being blocked by DAI.
My take: since the server(s) are connected to a hub and the hub is connected to the switch, should we enable DAI trusted on that switchport instead?
Based on the Meraki documentation, only network devices should be DAI trusted. Should we set DAI trusted on all the switchports with connected servers and cameras (security devices) as well?
I know the question sounds easy, but I do hope you are all able to answer it. Thank you.
https://documentation.meraki.com/MS/Other_Topics/Dynamic_ARP_Inspection#Configuring_DAI
Please, if this post was useful, leave your kudos and mark it as solved.
It is recommended to configure only ports facing end-hosts as untrusted (Trusted: disabled). Ports connecting network devices such as switches should be configured as trusted to avoid connectivity issues.
Please, if this post was useful, leave your kudos and mark it as solved.
Hello @alemabrahao, thank you for answering this.
However, we've enabled DAI trusted on the ports connecting switch to uplink, switch to MX firewall, and switch to MR access points.
And these servers still cannot connect to the network. We've even whitelisted the MAC addresses (based on the block events); however, these servers can be pinged via the switch but, for some reason, cannot be pinged from the MX firewall. When we checked the server / server storage, they were unable to connect to the network as well.
We've rolled back the change and disabled DAI and they worked again.
From what I read in your comment, I have to assume the implementation is still buggy and needs some troubleshooting from Meraki.
This is the same issue I had when I tried it on my home connection. It worked for a while and suddenly it didn't take even on ports that were trusted.
I've had mixed results with that feature at home, alas. I'm running a Cisco EWC with C9120AX APs on a Meraki MS210-24P, and one night the switches suddenly started blocking all packets coming from the whitelisted MAC addresses of the APs, causing my EWC deployment to fail. So I had to disable the feature again. I have yet to take another run at it.
Normally you have two ways to allow non-DHCP clients.
You can put the port on trusted, or add a static entry for a specific MAC address.
Ports with access points are especially important to check, because if you have SSIDs that don't enforce DHCP and you actually need static-IP clients, you will need to either add them all to your allowlist or trust those ports, but then you can't enforce DAI on wireless clients.
Thanks for pointing out some DHCP-specifics here, GIdenJoe.
NoviceInMeraki and GIdenJoe, I would recommend opening up a ticket with our Support team if you feel that you are seeing unexpected behavior with regards to the Dynamic ARP Inspection feature/functionality.
You can view the options for contacting our Support team at the following Meraki resource:
https://documentation.meraki.com/General_Administration/Support/Contacting_Support
That's on my TODO list 😉
It would be very handy, however, if the DHCP binding table and the DAI binding-to-port mapping were something you could query from the switch (perhaps via a REST API call?), because this won't be an easy thing to troubleshoot without that ability.
Hi GIdenJoe,
This could potentially be an interesting feature request. If you haven't done so already, you can go ahead and submit this by using the "Give your feedback" button located in the bottom-right-hand corner of any Meraki Dashboard portal page. These requests go directly to our product and development teams for consideration.
That being said, a Network Support Engineer should be able to access additional logging that would help in the troubleshooting process.
I have also disabled DAI across my thirty sites with MS225s and MS210s. I don't know if it's my DHCP servers, my clients, or the switches, but machines on untrusted ports that have obtained their IP address via DHCP and are working will just suddenly stop working and show in the logs as being blocked. Of course, when they're scattered across the country and it's happening at random times to random individuals, it's hard to troubleshoot. I was forced to simply disable the feature on all of my switches.
